Shostack + Friends Blog Archive


Have you Run an Elevation of Privilege Tournament?

I got an email recently asking if I had experience running an Elevation of Privilege tournament. I haven’t, and wanted to ask: if anyone out there has done so, please share your experiences and suggestions.

One element that I thought about is a scoring system to help with the tournament’s goals. For example, you might want good coverage and also innovative threats, so perhaps each sample system should have a list of threats you expect anyone to find — points for each of those, and points subtracted for missing them. You could also have a set of things awarded by the judges, for example, ‘most insidious’, ‘hardest to address’, or ‘best movie plot.’

But again, please make suggestions, and I’ll let you know how it goes.

2 comments on "Have you Run an Elevation of Privilege Tournament?"

  • Andre Gironda says:

    If you’re going to spend a whole day or series of days threat-modeling, then you might as well spend half that time threat-modeling and the other half of the time doing a Bug Hunt Tournie.

    Personally, I would find the Bug Hunt Tournie a bit more fun, and believe me, I don’t even like CTFs.

  • Jonathan Waldo says:

    Minnesota ISSA and Minneapolis OWASP had a successful event last night with 4 simultaneous games of EoP. Pretty much everyone was new to the game so it wasn’t competitive. It also served as a great opportunity to talk about threat modeling in general and various experiences folks had with it in their organizations. EoP is a great teaching tool; I hope to put it to use again soon!
