WEBVTT

00:00.000 --> 00:10.000
Thank you.

00:10.000 --> 00:14.000
Thanks for your warm welcome. Welcome to breaking

00:14.000 --> 00:17.000
barriers: free game-based security training.

00:17.000 --> 00:20.000
My name is Joseph. I'll tell you more about me at the end.

00:20.000 --> 00:23.000
But what is more important so far is that I'm the creator and

00:23.000 --> 00:26.000
the maintainer of the secure code game which is an open source

00:26.000 --> 00:29.000
project that we are going to cover today.

00:29.000 --> 00:33.000
I would like to focus on the impact that the free game

00:33.000 --> 00:39.000
had on a company, on a university, and how you can use it to

00:39.000 --> 00:43.000
make the most out of it so that you can make software security training

00:43.000 --> 00:49.000
fun engaging and at the end of the day impactful for your goals.

00:49.000 --> 00:54.000
I would like to start with a question. Who believes in the vision

00:54.000 --> 00:59.000
that software security should start from developers.

00:59.000 --> 01:04.000
So it should start from left and raise your hands.

01:04.000 --> 01:08.000
Okay, that's good. And how satisfied are you with the training

01:08.000 --> 01:13.000
that you know of or you have had in achieving that vision?

01:13.000 --> 01:19.000
If you are very happy like from seven to ten out of ten raise your hands

01:19.000 --> 01:23.000
and if you think something should be improved like one to six

01:23.000 --> 01:27.000
let us know. Perfect. So you are in the right room.

01:27.000 --> 01:32.000
We asked the same question to a lot of developers in our community

01:32.000 --> 01:36.000
and these are the answers we have. Like, it's less realistic

01:36.000 --> 01:39.000
when it's happening outside of a dev environment.

01:39.000 --> 01:44.000
When it's a video it's full of theory and they click next next next next.

01:44.000 --> 01:49.000
When they are inside an environment that is similar to who wants to be a millionaire

01:49.000 --> 01:53.000
with a finite amount of options and answers.

01:53.000 --> 01:57.000
It's not like the real world, right? Because in the real world you have no guarantee

01:57.000 --> 02:02.000
that you are going to fix the problem. You might produce new problems.

02:02.000 --> 02:06.000
A lack of personalization. And this is something I'm going to touch more

02:06.000 --> 02:10.000
at the end, how you can fork the project and use it. And finally it's boring.

02:10.000 --> 02:14.000
And when something's boring people just stop engaging, right?

02:14.000 --> 02:20.000
So I'm going to start with showing you a case study with a property technology

02:20.000 --> 02:25.000
startup before going in a university use case and how you can have the project

02:25.000 --> 02:29.000
in the form of a demo. What the hell is property technology?

02:29.000 --> 02:33.000
Like most people might ask. Imagine like a SaaS company that is doing

02:33.000 --> 02:38.000
centralized access management with these cards that you use to enter in rooms like this

02:38.000 --> 02:43.000
university. And this company way before the game they just installed

02:43.000 --> 02:47.000
GitHub Advanced Security, which has CodeQL, which is our code scanning,

02:47.000 --> 02:53.000
secret scanning and dependency management. And they found out the problematic security

02:53.000 --> 03:00.000
posture they had. So here you can see that they had critical alerts in red, high

03:00.000 --> 03:06.000
orange, medium lows. These are about secrets, vulnerabilities and dependencies.

03:06.000 --> 03:11.000
And when they had their first scan in December 2022, they realized that they had

03:11.000 --> 03:18.000
a big surface area of red, a load of orange in 180 alerts in total.

03:18.000 --> 03:24.000
So someone can see what happened just after scanning in the beginning and

03:24.000 --> 03:30.000
use some products to reduce the lows and the mediums. You can see the surface

03:30.000 --> 03:34.000
area of the yellow has halved and the surface area of the light blue has halved

03:34.000 --> 03:39.000
as well. But the red and the orange became as big as they were.

03:39.000 --> 03:45.000
And I'm walking you through this because I want you to understand the impact that

03:45.000 --> 03:51.000
security training that was working, having this company. Now we are well before the

03:51.000 --> 03:58.000
game base. While someone might say that this is good, someone can notice that

03:58.000 --> 04:03.000
well, the red and the orange remained as it was. These alerts are straightforward

04:04.000 --> 04:10.000
to resolve. They are using the security team and not devs. And you know, the chief

04:10.000 --> 04:16.000
security officer wasn't happy because the vision was to use the developers of this

04:16.000 --> 04:21.000
company to resolve security alerts in order to be a force multiplier. If I give you

04:21.000 --> 04:27.000
numbers, they had a hundred software engineers and three security people. And one of them

04:28.000 --> 04:33.000
this person here. So this bad proportions remained, right? Then someone can notice

04:33.000 --> 04:39.000
and again we are before the game base that they reduced this number to 18 in just a few

04:39.000 --> 04:45.000
months. But this is not good and I'll explain why. While they have reduced the

04:45.000 --> 04:51.000
red and the orange because they were detected by secret, by code scanning,

04:51.000 --> 04:56.000
they have this code office hours. And they needed these office hours that were

04:56.000 --> 05:01.000
the elephant in the room because the nature of these alerts is complex.

05:01.000 --> 05:07.000
They need design meetings. And here, these meetings started 30 minutes, one hour,

05:07.000 --> 05:12.000
one and a half straight away went to two hours plus per week. They were spending

05:12.000 --> 05:17.000
in security four plus hours per week. It made the company unproductive.

05:17.000 --> 05:24.000
They are start up competition, start to be fierce. And you know, it's something unsustainable

05:24.000 --> 05:29.000
and risky for security. Why? Because a company needs to defend all

05:29.000 --> 05:35.000
fronts when it comes to security. Not be amazing here in code security and

05:35.000 --> 05:41.000
amazing here, for example, when it comes to malware, they have to defend

05:41.000 --> 05:45.000
well enough in all fronts because attackers just need to succeed once. And again,

05:45.000 --> 05:50.000
we are in a start up environment that companies increasing in size, the code lines

05:50.000 --> 05:55.000
increase. Therefore, the attack surface increases as well. They have two options,

05:55.000 --> 06:02.000
right? Keep what they do with the security team taking more time down the

06:02.000 --> 06:09.000
dev team. So you have a future that is uncertain. Or the other option is to do

06:09.000 --> 06:15.000
something else. So they start investing in trainings, money, time.

06:16.000 --> 06:22.000
They were not happy about that. They also started to invest in training for people to

06:22.000 --> 06:26.000
become security champions. But what happened was that this security

06:26.000 --> 06:32.000
champions had a lot of pressure on them just to be the people who solved the

06:32.000 --> 06:37.000
problems. The chief security officer, the chief technology officer have put

06:37.000 --> 06:44.000
what is called SLOs, service level objectives. For the amount of security

06:44.000 --> 06:48.000
alerts that will be open and has pushed this down to the head of the

06:48.000 --> 06:52.000
dev teams. So they had so much problem because they wouldn't manage to

06:52.000 --> 06:58.000
reduce those. So they used the free open source option. They wound up

06:58.000 --> 07:03.000
full of open source principles, which is the game that we created.

07:03.000 --> 07:08.000
And let me tell you how they used it. They brought together their engineers.

07:08.000 --> 07:13.000
They formed teams of two people and they played the game in a competitive

07:13.000 --> 07:17.000
fashion. But let's speak more and show a demo of this game.

07:17.000 --> 07:22.000
I'm here today to speak about the secure code game, but someone can access

07:22.000 --> 07:27.000
in this URL. It's an initiative of the GitHub security lab, which is the team

07:27.000 --> 07:32.000
that I'm coming from. I'll tell you more at the end. And we provided an

07:32.000 --> 07:37.000
in-repo learning experience. So the developers are in the code

07:37.000 --> 07:42.000
editor, in order to spot problems, fix them, run them against

07:42.000 --> 07:48.000
tests and understand their skills. Okay. So I hope you can see

07:48.000 --> 07:52.000
because of the sun. Then I will go through these with my mouse to

07:52.000 --> 07:57.000
make it easier. So inside here, we are at this

07:57.000 --> 08:02.000
repo at the top. It's inside GitHub Skills, which is a free organization

08:02.000 --> 08:06.000
with different repos. The Secure Code Game is one of the most popular

08:06.000 --> 08:11.000
repos there. And it's a template repo. That someone can

08:11.000 --> 08:16.000
fork, can clone by touching, create new repos there. I will choose

08:16.000 --> 08:20.000
myself to be the owner. I'll give you the name. You can choose

08:20.000 --> 08:24.000
yourself here to be the owner. Give you the name. And you can have it as

08:24.000 --> 08:28.000
public visibility or private visibility. We are going to see the

08:28.000 --> 08:32.000
difference at the end is more than someone can see what I'm doing.

08:32.000 --> 08:37.000
So you are going to generate a new repo. Here I'm in my profile.

08:37.000 --> 08:41.000
You see a fresh installation. And you just need to open this in

08:41.000 --> 08:45.000
Codespaces. And after two minutes, you are going to have

08:45.000 --> 08:49.000
you ready. So Codespaces, for those that don't know, can be accessed

08:49.000 --> 08:54.000
by clicking on the code here. And then just clicking this button is

08:54.000 --> 08:59.000
a virtual machine inside your browser. And we are doing so so that

08:59.000 --> 09:04.000
you are not going to need to install anything on your local

09:04.000 --> 09:09.000
machine. After two minutes, by the way, you have 60 hours of free

09:09.000 --> 09:12.000
Codespaces usage every month, which is more than enough to play the game.

09:12.000 --> 09:17.000
You can play a go through in 50 or 20 hours. Unless you are really good,

09:17.000 --> 09:24.000
maybe you need 10 hours, 8 hours. Okay. So we have this file structure

09:24.000 --> 09:30.000
here. We have two seasons, season one and season two. Each season has five

09:30.000 --> 09:34.000
levels, level one to five. The first season has four levels in

09:34.000 --> 09:39.000
Python and one level in C. The reason is because I created

09:39.000 --> 09:43.000
the first season and my skills are mainly in those languages. While the

09:43.000 --> 09:47.000
second season, that was community contributed entirely, has

09:47.000 --> 09:53.000
JavaScript, GitHub Actions, Go, and one more level in Python.

09:53.000 --> 09:57.000
Okay. Every level has the exact same file structure. You get a code

09:57.000 --> 10:02.000
file, a hack file, a hint, a model solution, and tests.

10:02.000 --> 10:07.000
Let's click through. The code file includes functional

10:07.000 --> 10:12.000
code that happens to be vulnerable. The tests are

10:12.000 --> 10:17.000
unit tests that initially they pass. And then you get the

10:17.000 --> 10:21.000
hack file that is exploiting the vulnerabilities in the code file,

10:21.000 --> 10:26.000
which initially fails to show you that you fail to pass the level.

10:26.000 --> 10:30.000
You can go to the next step when both the hack and the test pass.

10:30.000 --> 10:34.000
You are given a hint and a model solution. Of course,

10:34.000 --> 10:40.000
there are more than one solutions. Level one in season one is easy

10:40.000 --> 10:44.000
and then the difficulty resets. Season two level one is as easy as

10:44.000 --> 10:48.000
in the previous season. And here you also get a contribution guide for

10:48.000 --> 10:52.000
those who want to start contributing on our third season.

10:52.000 --> 10:57.000
We spoke before about the private versus public. If you

10:57.000 --> 11:01.000
chose to have a public visibility project, you have an

11:01.000 --> 11:04.000
open source project. And when you have open source projects,

11:04.000 --> 11:08.000
you get to have Advanced Security for free, Copilot for free,

11:08.000 --> 11:12.000
Copilot, open for free, so that you can play around.

11:12.000 --> 11:15.000
And we'll get to have advanced security for those that may need

11:15.000 --> 11:18.000
a bit more hints. They can see some code scanning

11:18.000 --> 11:22.000
alerts in later levels of the game so that they can play those

11:22.000 --> 11:27.000
as well. Let's go back to this company. What happened?

11:27.000 --> 11:31.000
First of all, the engineers had fun and they noticed an increased

11:31.000 --> 11:35.000
sense of ownership among them with a willingness to learn.

11:35.000 --> 11:40.000
The four plus hours per week have become less than 15

11:40.000 --> 11:44.000
biweekly. So the CISO believes that the vision is achieved.

11:44.000 --> 11:48.000
This game is the ongoing training that every newcomer

11:48.000 --> 11:52.000
does in the industry. They gave us some levels for season two

11:52.000 --> 11:57.000
as well. And they have reduced the alerts from 188 to 7

11:57.000 --> 12:01.000
today. And then the time needed from 4 hours to 15

12:01.000 --> 12:06.000
biweekly. For me, this is the most nice stat to see.

12:06.000 --> 12:10.000
Back to the service level objectives. The developers feel that

12:10.000 --> 12:13.000
they cannot achieve the objectives they have. They can feel that

12:13.000 --> 12:17.000
they contribute to their team, not just code, but they

12:17.000 --> 12:21.000
deserve the alert they create. And the company is starting to grow

12:21.000 --> 12:25.000
more and more, going through different rounds of funding.

12:25.000 --> 12:28.000
Let's now talk about the universities that play our game.

12:28.000 --> 12:32.000
We have the University of Novi Sad in Serbia. Where the

12:32.000 --> 12:36.000
associate professor, Ervin Varga, has split the students in

12:36.000 --> 12:41.000
teams of five before the computer science, security and

12:41.000 --> 12:45.000
distributed systems lectures start. So that these students

12:45.000 --> 12:48.000
try to solve the problem. They realize that they might not have

12:48.000 --> 12:52.000
all the skills needed. And they fail by trial and error. And then

12:52.000 --> 12:56.000
they are getting to the concepts. So they are learning that

12:56.000 --> 13:00.000
security should be important from the beginning and not

13:00.000 --> 13:04.000
come late at the very end, like an afterthought.

13:04.000 --> 13:08.000
I would like to touch in these final minutes on why

13:08.000 --> 13:11.000
gamification works. And on the front that is everywhere around

13:11.000 --> 13:14.000
us to motivate you even more to use gamification through this game,

13:14.000 --> 13:18.000
or another one that you build by yourself. The gamification

13:18.000 --> 13:21.000
market has grown more than threefold in the last five years.

13:21.000 --> 13:25.000
And it's everywhere around us. You get stamps when you buy

13:25.000 --> 13:30.000
some coffee. You get the likes after you post. You get points

13:30.000 --> 13:34.000
after you spend. You get high in the leaderboard after

13:34.000 --> 13:39.000
you run or cycle. And you get like a language or cyber

13:39.000 --> 13:42.000
security or something that is big and feels like an ocean.

13:42.000 --> 13:47.000
And it's daunting to learn. Split it down into more

13:47.000 --> 13:50.000
manageable sections and you get the reward for those. Okay,

13:50.000 --> 13:54.000
but why does it work? It works because as students

13:54.000 --> 13:57.000
we want to feel happy, intrigued, and excited through

13:57.000 --> 14:00.000
the coming. So we want to feel in control.

14:00.000 --> 14:03.000
Like, oh, I have control in this game. Like me, I like

14:03.000 --> 14:06.000
GTA, Grand Theft Auto. Number six is coming out.

14:06.000 --> 14:09.000
I get a car. I'm in this map and I drive around and I feel

14:09.000 --> 14:13.000
free. But in reality, I'm just in a finite map that

14:13.000 --> 14:17.000
the Rockstar company gave, right? So as humans, we would like

14:17.000 --> 14:21.000
to feel like that. We have a reward. A good behavior that

14:21.000 --> 14:25.000
is reinforced when we do things. And let's go here at

14:25.000 --> 14:29.000
the end. I'm trying to show you why gamification works and why

14:29.000 --> 14:33.000
in my view you can start experimenting with it. In our game,

14:33.000 --> 14:37.000
the Secure Code Game, we have deployed open source

14:37.000 --> 14:41.000
principles. Like the game is open source. It's driven by

14:41.000 --> 14:45.000
a community of people. It's developer-first because it's in

14:45.000 --> 14:49.000
your code editor, not in videos, not in who wants to be a

14:49.000 --> 14:53.000
millionaire and so on. You're ready to synchronize with

14:53.000 --> 14:57.000
Codespaces. You can have your top spaces and whatever

14:57.000 --> 15:01.000
you want to have. It's customizable because you can

15:01.000 --> 15:03.000
fork the project. You can change the name. You can

15:03.000 --> 15:07.000
do whatever you like. It's hands on and the end of it.

15:07.000 --> 15:11.000
Back to this initial problem. We believe that we

15:11.000 --> 15:17.000
targeted every single statement here. But this is my view.

15:17.000 --> 15:19.000
You can, of course, play and you can, of course,

15:19.000 --> 15:23.000
contribute. So don't miss that chance to try these

15:23.000 --> 15:29.000
out because first of all, spotting a problem is not enough.

15:29.000 --> 15:33.000
Fixing a cyber security issue is very often.

15:33.000 --> 15:37.000
Because many people think that they fix something but they introduce

15:37.000 --> 15:41.000
more problems after fixing it. And I see some notes there. Yes,

15:41.000 --> 15:45.000
we've been there. You can try code scanning when you go for a

15:45.000 --> 15:49.000
public visibility through CodeQL, which is our industry

15:49.000 --> 15:53.000
leading semantic coding engine, but you can try other stuff as well.

15:53.000 --> 15:57.000
That doesn't belong to GitHub. You can try Copilot. For

15:57.000 --> 16:01.000
you can try to have code explains. I just then fixed for you.

16:01.000 --> 16:05.000
And all these through Codespaces, so that you can be in the browser.

16:05.000 --> 16:09.000
You can stop, resume the machine and so on without installing anything.

16:09.000 --> 16:13.000
Finally, we welcome your contributions.

16:13.000 --> 16:19.000
Then is from hash code now. Has contributed in the game

16:19.000 --> 16:25.000
because he feels that it's his way to show to develop

16:25.000 --> 16:29.000
around the world. What problems he was seeing as security engineer

16:29.000 --> 16:33.000
in hash code and in general, when he was contributing,

16:33.000 --> 16:37.000
so that the levels that he gave to us

16:37.000 --> 16:41.000
were inspired by real life scenarios.

16:41.000 --> 16:45.000
This was me, my name is Joseph. I'm a developer advocate for the GitHub

16:45.000 --> 16:49.000
security lab. I do research on the intersection of software

16:49.000 --> 16:53.000
security and AI now. And in my free time, I am speaking

16:53.000 --> 16:57.000
in conferences and creating content for developers. I like to speak

16:57.000 --> 17:01.000
in a developer friendly language, which is not like, oh, this is

17:01.000 --> 17:05.000
how bad what you do was. I like to speak as a developer

17:05.000 --> 17:09.000
because I was a developer. And we have the GitHub security lab,

17:09.000 --> 17:13.000
a team of security experts with the mission to inspire and secure the

17:13.000 --> 17:17.000
open source software that we all depend on. In the last four years that we exist,

17:17.000 --> 17:21.000
we found more than a thousand security issues, 600

17:21.000 --> 17:25.000
plus of which have been given CVEs. In open source projects that

17:25.000 --> 17:28.200
you know and you use, some of you here in the wider

17:28.200 --> 17:33.000
conferences might work with us to secure their projects. So, thank you for

17:33.000 --> 17:37.000
your time. We have five more minutes or more for questions.

17:37.000 --> 17:41.000
And of course, you can find me around in the conference, online,

17:41.000 --> 17:49.000
and so on. Thanks for your time. And I'll be out for your questions.

17:49.000 --> 17:59.000
Any questions? Did you understand all? I know the previous

17:59.000 --> 18:03.000
talk with these guys that I was like more technical, more into those things,

18:03.000 --> 18:09.000
but again, feel free to ask. And to find questions and

18:09.000 --> 18:13.000
understand these concepts, you have to play with these concepts,

18:13.000 --> 18:17.000
right? Security is something that is practical. Yes?

18:17.000 --> 18:21.000
Can you play to share basically translate the

18:21.000 --> 18:29.000
seasons to another language? Okay. Good question. I repeat for the

18:29.000 --> 18:33.000
stream. The question was, how hard is to take the current

18:33.000 --> 18:37.000
levels that exist in Python and translate them into another language?

18:37.000 --> 18:41.000
Due to the fact that there are no Python developers, right?

18:41.000 --> 18:45.000
In my view, it will be easy because on purpose,

18:45.000 --> 18:51.000
the problems that we chose for Python are not Python specific.

18:51.000 --> 18:55.000
Think about those problems that also exist in other languages.

18:55.000 --> 18:59.000
So, in my view, you can take the spirit of the level,

18:59.000 --> 19:05.000
the problem there, and translate it into another language that suffers from that.

19:05.000 --> 19:13.000
Without really telling you more, some languages might not suffer from that.

19:13.000 --> 19:17.000
That's for Python. We have some levels in JavaScript that are

19:17.000 --> 19:21.000
JavaScript-focused, like imagine prototyping

19:21.000 --> 19:25.000
injections and poisonings and stuff like that. In latest levels,

19:25.000 --> 19:29.000
I don't think you can take those ones, but the Python ones, for sure,

19:29.000 --> 19:33.000
thanks for the question, great on. Any other question?

19:33.000 --> 19:39.000
Yes? How would you organize the training for like

19:39.000 --> 19:41.000
100 developers? What are you doing?

19:41.000 --> 19:43.000
Amazing.

19:43.000 --> 19:47.000
Have a nice day for all of them.

19:47.000 --> 19:51.000
Would you target some of that for you?

19:51.000 --> 19:55.000
Let me put again for the stream. The question is, how would you go

19:55.000 --> 20:01.000
by organizing a training based on the secure code game for 200 people?

20:01.000 --> 20:05.000
Do you wonder in the same room? How do you imagine that?

20:05.000 --> 20:09.000
Let's do different options.

20:09.000 --> 20:13.000
Let's say, all of you here are going to open your laptop.

20:13.000 --> 20:17.000
We have 100 people here, but you can have 500, it's not important.

20:17.000 --> 20:21.000
The infrastructure is supposed to buy us from GitHub.

20:21.000 --> 20:27.000
The only thing you will do is just open your laptop, go to skills.github.com,

20:27.000 --> 20:33.000
or the URLs we see here, and you can play. That's pretty much it.

20:33.000 --> 20:37.000
You can go more extreme in the infrastructure as a company,

20:37.000 --> 20:41.000
by different options. You can fork this game.

20:41.000 --> 20:45.000
You can say, welcome in this company, Hackathon, and so on.

20:45.000 --> 20:51.000
You can have a main repo. That is your template repo.

20:51.000 --> 20:57.000
You do all the changes there. You put all the production rules there.

20:57.000 --> 21:01.000
You can create a YAML file where you take the Hack file

21:01.000 --> 21:07.000
and test file that we have. You make auto grading approach,

21:07.000 --> 21:11.000
so that every time that your developers push, these runs behind the scenes

21:11.000 --> 21:15.000
and grades, they are set up.

21:15.000 --> 21:19.000
I have a YAML file ready by the way, so you don't need to do anything.

21:19.000 --> 21:25.000
I can give you 200 lines of code for that, so just let me know.

21:25.000 --> 21:29.000
Then these developers, in this room, in that room,

21:29.000 --> 21:31.000
they can be from their home, it doesn't matter.

21:31.000 --> 21:35.000
They are going to go to your main repo. That is in your ABC company.

21:35.000 --> 21:39.000
They are going to fork the template. They are going to play.

21:39.000 --> 21:45.000
They might not have the test and the Hack file in order for them to be really challenged.

21:45.000 --> 21:49.000
You can even remove the hint. They will commit the code.

21:49.000 --> 21:55.000
And when they commit the code, the YAML file that I'm going to give you for instance

21:55.000 --> 21:59.000
is going to run behind the scenes and it's going to give them feedback.

21:59.000 --> 22:05.000
Like, if it's passing or not passing, maybe you don't want to show them anything

22:05.000 --> 22:09.000
and you can have the results in a CSV file.

22:09.000 --> 22:15.000
Another approach will be to give them everything.

22:15.000 --> 22:19.000
And Codespaces is free for public repos, so you don't need to pay anything.

22:19.000 --> 22:23.000
If you want to go like private projects,

22:23.000 --> 22:27.000
you can find the local installation guide in this repo here as well.

22:27.000 --> 22:31.000
Could be paste that, just test it first.

22:31.000 --> 22:35.000
And they can play in their local machines and everything is going to be private.

22:35.000 --> 22:43.000
It's really easy and I'm very happy to help with the infrastructure side of the things.

22:43.000 --> 22:45.000
Thanks for the question.

22:45.000 --> 22:47.000
This is more of a suggestion than I said.

22:47.000 --> 22:49.000
Sure.

23:05.000 --> 23:09.000
Absolutely. Thanks for that question. I'd be pleased for the stream.

23:09.000 --> 23:11.000
My understanding is that the question is,

23:11.000 --> 23:15.000
did you think about basically hosting on a more attacking defensive CTF?

23:15.000 --> 23:19.000
Like the simulations that you play online?

23:19.000 --> 23:21.000
Yes, we did.

23:21.000 --> 23:25.000
I think that we are intentionally going to have it inside the code editor

23:25.000 --> 23:29.000
because the CTFs that I know of at least.

23:29.000 --> 23:33.000
I'm given like a website and I have to hack the website.

23:33.000 --> 23:37.000
We intentionally want to have the code.

23:37.000 --> 23:39.000
We don't want to have like an end product that they hack.

23:39.000 --> 23:45.000
There are plenty of those and we try to actively say that you can have OWASP Juice Shop.

23:45.000 --> 23:47.000
And so on.

23:47.000 --> 23:51.000
We want to have communities in the long term like the ones in FOSDEM.

23:51.000 --> 23:55.000
For instance, saying, you know what? In our community,

23:55.000 --> 23:59.000
this is the number one thing that people get wrong.

23:59.000 --> 24:05.000
So we want this community to create a level here, put some code,

24:05.000 --> 24:07.000
and tell to their developers.

24:07.000 --> 24:11.000
This is the theory, but here's the practice.

24:11.000 --> 24:13.000
So you can go in this level.

24:13.000 --> 24:17.000
You can open a code space. You can have code there that they are a pattern

24:17.000 --> 24:20.000
that people have it as vulnerable and you can play.

24:20.000 --> 24:24.000
And you can secure it and you can understand what is wrong with that.

24:24.000 --> 24:28.000
So we might really go into a front end in the future.

24:28.000 --> 24:33.000
But for now, we believe that we want to be where developers are, which is the editor.

24:33.000 --> 24:35.000
Thanks for that question.

24:35.000 --> 24:37.000
So I think we have time for the last question.

24:37.000 --> 24:39.000
Last question.

24:41.000 --> 24:43.000
It doesn't seem to be, oh yes.

24:43.000 --> 24:47.000
How would you come here that they have something like continuous learning?

24:47.000 --> 24:49.000
So how do you explain the paper?

24:49.000 --> 24:51.000
They've written for the levels.

24:51.000 --> 24:52.000
What are you now?

24:52.000 --> 24:54.000
Yeah, that's an amazing question, man.

24:54.000 --> 24:57.000
So look, cyber security is a big thing, right?

24:57.000 --> 25:01.000
You may have like forensics, penetration testing,

25:01.000 --> 25:03.000
testing, risk, it's endless.

25:03.000 --> 25:09.000
Personally, when it comes to software security,

25:09.000 --> 25:15.000
my recommendation is to go and read open source code.

25:15.000 --> 25:17.000
Try to spot problems there.

25:17.000 --> 25:19.000
Bring your skills in the real world.

25:19.000 --> 25:22.000
Try to see bugs that other people found.

25:22.000 --> 25:24.000
You can go in HackerOne, to Bugcrowd.

25:24.000 --> 25:29.000
So that you can keep working with this muscle of spotting problems.

25:29.000 --> 25:35.000
If you spend too much time in learning to find software problems,

25:35.000 --> 25:40.000
you might not really bring your skills early in the real world.

25:40.000 --> 25:45.000
In the edge cases, and in those small details that make the difference.

25:45.000 --> 25:49.000
So I will say, going the real world as much as they're last possible.

25:51.000 --> 25:53.000
Okay, thank you.

