Facebook has today announced that it’s open-sourcing its Capture the Flag (CTF) platform to encourage students and developers to learn about online security and bugs.
Capture the Flag competitions are used in the computer security realm, including at hacker convention Def Con, to highlight attacks and exploits often found in the real world. They are effective ways of teaching amateurs and professionals about common or unfamiliar exploitation techniques.
Facebook itself has run CTF competitions for a number of years and has used its CTF platform at events across the world. Now, the social network giant is opening its in-house platform to the masses by releasing it on GitHub.
Gulshan Singh, a software engineer on Facebook’s threat infrastructure team, said that one of the reasons he was successful in gaining employment in his chosen field was his experience competing in CTFs at the University of Michigan. It “exposed me to a fun and practical side of security that I didn’t get in class,” he explained. “I learned about RSA encryption in my computer science courses, but CTFs taught me how to break it when it wasn’t properly implemented, which happens all the time in the real world. It’s a lot of fun to learn this offensive side of security, but at the same time learning about these flaws makes you a better defender, as well.”
Facebook is no stranger to open-sourcing its in-house programs and has more than 200 projects on GitHub alone. Last year it open-sourced Infer, a code-verification tool that squishes bugs in mobile apps. And in 2016, it has continued this trend by open-sourcing a number of additional tools.
So why, exactly, does Facebook choose to make some of its technology available to everyone?
Last year, the company’s head of open source, James Pearce, explained why it seeks to align itself with the developer community through open-sourcing, and it boils down to three things. The first is ideology — Facebook was built by Mark Zuckerberg using open-source tools. Second is innovation — it can help achieve scale much faster when many minds are working on the same problems. And finally, it’s good for business — Facebook can “build better software, write better code, our engineers are able to work with more pride, and we’re able to retain the world’s best engineers because they know they can open-source their work,” said Pearce.
Facebook has another reason for open-sourcing CTF: The cybersecurity industry will reportedly be short by 1.5 million people by 2020, so it’s in the company’s interests to encourage science and technology students to follow a path into this field. By making CTF open-source, anyone from schools to universities to companies can host their own competitions and conferences to help teach computer science and aspects of security, including forensics, reverse-engineering, and cryptography.
“Although news reports about security bugs are now commonplace, it’s not always obvious how people find these flaws and how you can develop the skills needed to find and protect against malicious exploits,” added Singh. “CTFs provide a safe and legal way to try your hand at hacking challenges.”