Every July, FINRA Technology hosts the Security Hackathon, and this year marked the seventh anniversary of the event.
“This year was the best one yet,” said Ranadheer Errabelly, Director of Application Security Engineering and Cyber and Information Security, who has been on the organizing committee since 2018. “We had more than 200 registrations and nearly as many people showed up on the event day, which is the highest attendance so far.”
The hackathon is designed to provide technology staff with foundational security knowledge as well as the opportunity to practice mitigating security risks like broken access control, cross-site scripting, security misconfigurations, injection attacks and more. The planning team works with a vendor to create three cyber ranges to practice security hacking at beginner, intermediate and advanced levels.
“This is an educational opportunity for people to see how real application security engineering teams work,” said Ranadheer. “[Participants can] understand the attacker's perspective and then build the application securely once they [understand that] side.”
The hackathon is a tech-centric event specifically targeting the participation of software engineers at FINRA.
“We target development teams, software assurance teams and operations — whoever is writing code,” Ranadheer said. “Everyone has something they can learn, even if they are not getting into the details. It’s an opportunity to learn about security vulnerabilities, and it's a great opportunity to network and bond with other teams.”
Beginner and intermediate teams are formed by the organizing committee, while advanced participants can form their own teams if they want to compete.
Shubham Agrawal, Lead Security Engineer for Cyber and Information Security, participated on the winning team in the advanced cyber range.
“[It] was the toughest of the three challenges,” Shubham said. “According to the vendor, this was also one of the toughest cyber ranges they have. This range was [mostly] based on web application security and had challenges on binary exploitation and cryptography, too. The range had numerous challenges to offer and would have certainly taken more time than allotted to complete all of them. Still, we were able to solve [adequately enough] to secure the first position at the end. My overall experience in the hackathon was great; I have been participating in the security hackathon for three to four years, and this was the best one.”
Elena Shuvalov, Director of Technology for Cyber and Information Security, was on the winning team in the beginner cyber range focused on broken access controls and injection attacks.
“It was an interesting experience to put ourselves in the shoes of a ‘hacker’ and try to manipulate the application and code to exploit vulnerabilities,” Elena said. “I must admit that it was frustrating when we could not find the entire list of issues, although it was enough to claim first place in our group.”
Brian Goldstein, Director of Technology for Business, Legal and Enterprise Services, was a member of the winning team competing at the intermediate level, which focused on broken controls for access and authentication.
“The range my team worked on involved finding vulnerabilities like XSS and SQL injection in a web storefront,” said Brian. “Overall, it was a great experience getting to work together with colleagues to try and solve some interesting puzzles and think about things differently than I do with my normal job responsibilities.
“Finally, discovering the solution to one of the more difficult challenges was the highlight of my experience,” Brian added. “It involved exploiting multiple different vulnerabilities and reverse engineering a Ruby text encoder script. Solving this puzzle was what pushed us over the edge into first place. It was also great to see a lot of colleagues in person that I don’t normally get to see during a collaboratively fun event as opposed to regular work.”
Since the pandemic, FINRA has embraced a hybrid work environment, allowing staff to work remotely from home while prioritizing attendance at Presence with Purpose events like hackathons, team gatherings, strategic planning sessions and more.
“When the hackathon invites were out initially, I wasn’t planning to attend in-person,” said Shubham. “Later, I changed my participation to in-person, and to my surprise, there was outstanding work done to organize the event... great [effort was] made to allocate teams to different cubicle spaces, to give space between each team and give each other some privacy. There was more thrill that way... sitting together with your teammates, solving the challenges, and seeing your team position move up or down the leaderboard. To the people who joined [virtually], I would strongly encourage them to come in-person next time.”
For Ranadheer, that’s exactly the kind of feedback he hopes for.
“I would be happy if more and more people showed up in person,” said Ranadheer. “We work in a mostly remote environment now, so I would like to encourage more people to show up in person to have a fun and competitive learning experience.”