Alpha Bank's Unique Security Bugathon: A New Approach to Digital Safety
IT Security Enhancement: Exploring the Role of Competitions in Safeguarding Alfa-Bank Digital Assets
In 2021, Alpha Bank kicked off its initial bugathon. Fast forward to the third edition, and the event underwent a significant transformation. Instead of focusing on technical bugs, the emphasis shifted to vulnerabilities, with a competitive edge, as DevRel Manager, Maxim Syromyatnikov, explains, "We flipped the bugathon format upside down, making it uniquely security-centric."
The fundamental objective of this revamped competition wasn't merely to eradicate vulnerabilities but to embed a culture of security across the board.
Maria Artemyeva, Senior Expert of the AppSec team, elaborates, "We showed participants the ropes on real-world tasks, emphasizing the critical role of security, demonstrating how to avoid pitfalls and fix them when necessary, all while fostering friendly competition."
By juxtaposing rivalry with learning, this event nonchalantly ingrained digital security into the bank's IT processes.
Game On: The Competition Unfolds
This two-day extravaganza drew 200 participants, divided into 24 teams. The event commenced with a business breakfast, complete with branded swag, coffee drips, and an inspirational speech from the Vice President of IT at Alpha Bank. Once the gong sounded, the competition was afoot.
Tasks were categorized and required diverse approaches. Participants tackled existing vulnerabilities in the codebase, searched for new ones, and worked within a task-solving mechanism mimicking reality.
Over two intense days, teams juggled tasks in both online and offline environments. For office-bound competitors, designated zones were set up, complete with catering and coffee breaks. The competition was a nail-biter, with leading teams separated by just one code delivery. Unsurprisingly, organizers were pleasantly surprised when developers rallied to discover new vulnerabilities.
For transparency, an online platform was developed where participants could form teams, pick tasks, monitor progress, and keep tabs on rankings.
And the Winners Are...
Big cash prizes awaited the winning teams:
- 1st place – 500,000 rubles
- 2nd place – 350,000 rubles
- 3rd place – 250,000 rubles
Moreover, top bug hunters who discovered new vulnerabilities during the competition were honored. Following the formalities, a celebration ensued.
The competition's most significant takeaway was a shift in perspective regarding security. Developers realized that the security of services hinged not just on dedicated security teams but also on them. Several misconceptions were debunked, such as the idea that it's impossible to fix a vulnerability in two days or that identifying a new vulnerability in another functional area is impossible.
Competitions prove to be an effective means of engaging IT specialists in security matters and turning complex technical tasks into an enjoyable experience. "We consistently invest in training our developers, ensuring security remains a top priority for all employees," concludes Maria Artemyeva.
[Bugathon: A type of event where ethical hackers, cybersecurity professionals, or enthusiasts identify and report bugs or vulnerabilities in a controlled environment, often with a focus on cybersecurity. Such events can last from a few days to several weeks, with participants given access to a defined scope and rewards for their findings.]
- Interestingly, the third edition of Alpha Bank's bugathon shifted its focus from technical bugs to vulnerabilities, as DevRel Manager Maxim Syromyatnikov explains, flipping the format to make it uniquely security-centric.
- During the competition, participants were not only tasked with eradicating existing vulnerabilities but also shown the critical role of security and taught how to avoid pitfalls and fix them when necessary, all while fostering friendly competition.
- Organized by Alpha Bank, the bugathon attracted 200 participants who were divided into 24 teams and competed for cash prizes, with the winners taking home up to 500,000 rubles.
- The competition aimed to embed a culture of security across the bank's IT processes, and one of its most significant takeaways was a shift in perspective regarding security; developers realized that the security of services depends not just on dedicated security teams but also on them.
