Core S2 Software Solutions

Wargames: Real security training

A while back I wrote about a well-written web-application security course developed and hosted by Google, called Gruyere. Since then, I’ve been wanting to learn more about system security and classic exploits like buffer overflows or malicious shellcode. Though I’ve done wargames in the past, I’ve recently rediscovered the fun of breaking into systems that have clear-cut exploits to take advantage of. If you don’t know, a “wargame” (not simply “just” hacking) is a computer security challenge in which you exploit a given vulnerability. Generally, wargames are deployed on systems specifically built within sandboxes for each user, with multiple levels. The goal is to eventually reach the last level and access a file, text, or whatever it is, to prove your skills and share your success. What’s particularly nice about the game is how educationally powerful it is. The games run in simple environments, without many changes over time, and prevent other hackers playing the game from tripping you up by manipulating your progress.

    

I’m a big believer in “learning through doing” (don’t get me wrong, theory is critically important!), and wargames fit that philosophy very well. The two wargames I played recently were the Stripe CTF Wargame and the Smash The Stack games. The first is much more formal and direct, but overall as challenging as the latter. If you truly want to learn how to “hack”, or more correctly how to write more secure code, go through the first game. The second is great, but less “user friendly” to progress through.

Overall, even if you are a young developer new to the field, you should really sit down and take a day to try to go through a couple of levels. The amount you learn and the scope of the challenges are critical to a solid background in software development security. Learning about buffer overflows by name and definition alone is not enough; one really has to go above and beyond to master such a complex subject.
