Bringing Secure Coding Practices to Life at MasterCard DISRUPT Security Challenge

Post on 09-Feb-2022



The Need

Software Defect Vulnerabilities Tend To Be In 2 Categories

Vendor Provided Software -> You will hopefully get a patch from the vendor

Custom Application Code -> Developers are traditionally not good at writing secure code!

Prior to 2011 . . .

MasterCard University’s Secure Code Course – online, self-paced and needed to be more interactive

If the priority is to protect MasterCard’s assets, we need a more impactful approach!

The Solution

DISRUPT: Born 2012

Created by Corporate Security and MasterCard Labs

Innovative and impactful approach to training

o 2-Day Challenge/Contest approach

o Highly interactive

The Solution

2-day “Capture the Flag” contest

Training on types of code security vulnerabilities

Simulated MasterCard environment containing 2 contest applications

Participants compete to find application vulnerabilities to hack

Automated scoring system

The Solution

Trivia and door prizes

Wrap-up

o Location of vulnerabilities

o How to fix vulnerabilities

Top 3 Winners named

Participants received cool event SWAG and information security education credits

The Solution

2 Vulnerable Web Applications

o Insecure Wallet

o Hackbook

Types of Challenges

o SQL Injection

o Cross-Site Scripting (XSS)

o Cross-Site Request Forgery (CSRF)

o Direct Object Reference

o Session Hijacking

o Default username/password

The Benefits

Impact Training for our Developers

Engaging

Perspective

Prevention

Gaming

The Benefits

For Corporate Security…

Outreach Opportunity

Showcase Security Careers

Talent Search

What’s Next?

Rebranding DISRUPT to MCDX

Potential External Events

Pune Tech Hub Employee Event