Lessons from our Pod Game Challenge Session in the AppSec Village at RSA
This year was a remarkable experience for us at AppSec Village, and one we learned a lot from: about the level of knowledge of our participants, about how our game ran, and about how to make it run more smoothly next time. "The Ultimate AppSec Challenge" was a fun and interactive way to test your AppSec knowledge while racing against the clock.
Participants had to answer as many questions as possible in two minutes and the person with the most correct answers was declared the ultimate winner and got to take home a very shiny new pair of Probely branded AirPods.
Many people suggested that we make the cards available so they can print them for their team, which we have taken into consideration, and we have made the game available for everyone to play here. We also received the suggestion to offer the physical game cards as a prize to take home.
From the familiar faces we saw and the new friends we made at the game table, we are proud to say the feedback was positive! At the same time, we also learned a lot from our audience about the state of AppSec knowledge.
Our questions were divided into "Easy", "Medium", and "Difficult" levels. Participants could choose the difficulty level they wanted to play and, before starting, swap out cards they could not answer at all. We did find a few questions that we would either change or omit completely next time.
Correct Answers Based on Difficulty
Based on a rough estimate of the participants who answered each level correctly, we arrived at the following percentages:

| Difficulty | Answered correctly |
|---|---|
| Easy questions | 60% |
| Medium questions | 30% |
| Hard questions | 10% |
Interesting Takeaways
A curious fact is that almost everyone knew what the OWASP Top 10 was, but people struggled to name more than 2 or 3 of its entries. Since the Top 10 is updated every few years, people tend to get confused by the latest changes. For instance, Injection used to be the #1 risk and is now #3.
It was also interesting to see that major vulnerabilities that were widely covered in the news, such as Heartbleed, were easily identified, potentially because they had a catchy name, a logo, and a huge impact. Another interesting observation was that players answered certain questions differently depending on where they were from. For example, on the CIA question, those based in the U.S. would always answer with the three-letter agency, while participants from the EU would usually think of the expected answer.
Play the online version of our game, here.