We're building a capture-the-flag challenge, which we'll be using as part of our recruitment process. This role is for a contract developer to join the team for four weeks to build the first version of this challenge.
As part of this challenge, we want to present applicants with a realistic set of systems in which to find vulnerabilities, with a specific goal in mind.
We have a high-level design for the various components of a system that meets these goals, but we are outcome focussed: for the most part, it is not important what specific individual components are used. We're very happy for the person in this role to make decisions about how the challenge should function and be supported by the team to make them, as long as it meets our overall design goals. The challenge must:
- Consist of multiple systems, some independent, some integrated
- Include more than one logical network
- Include vulnerabilities at many levels of complexity, from simple attacks through to bespoke/novel ones
- Contain realistic vulnerabilities, not (exclusively) obvious/confected ones
- Present multiple exploitation paths so that candidates cannot become blocked by being stuck on a single problem
- Consist of a mixture of open source and bespoke services/code
- Include vulnerabilities arising from poor configuration and insecure user behaviour as well as from code
- Log all activity to an external service
- Be flexible in how the user can engage with it, in order for the process to be inclusive to as many developers/testers as possible (e.g. it can't necessitate out-of-hours work to complete)
- Be generally shoddily engineered, other than where necessary for the challenge to be functional
- Be automatically deployed and straightforwardly decommissionable so that each person has their own environment to work in
Deployment must be achieved using Docker. We are very likely to use dxw's existing container hosting service built using Amazon ECS and Terraform.
We welcome applications from any candidate who would relish this opportunity to be creative and design an interesting challenge. Please describe how you would approach this work in your covering letter, referencing your experience.
You are likely to:
- Be an experienced developer able to build and deploy web applications without front-end or design support
- Have significant experience configuring and working with open source applications and technologies
- Have enough Docker and Linux administration experience to be able to configure and run containers with the right networks, configuration, logging and dependencies
- Be pragmatic: it is important that this system reliably builds/deploys and that the parts of it critical to the challenge are well engineered. It is equally important that nothing else is!
- Be able to write basic web applications using at least two of:
- These web applications should look pretty, but using bootstrap themes (etc) is absolutely fine
- Web security experience is a bonus, but not required.
Apply online with your CV and a short cover letter on why you’re interested in the role and dxw cyber.
Day rate: Up to £500pd
Contract Type: Fixed term / temporary (four weeks)
Location: London, UK
We would like the role to be colocated in our office in Hoxton Square in order that the person doing this role may have the option of sharing ideas, learning and collaborating with the rest of the team.