The Security Awareness Training day at Grabyo
Security is central to everything we do at Grabyo, from Engineering and Customer Support to Sales, Marketing, and HR. To protect our data and systems, we hold an annual Security Awareness Training event for our employees.
What is Security Awareness Training Day?
Grabyo’s Security Awareness Training, also known as Security Day, is an annual event filled with talks and workshops on various topics like phishing, social engineering, data protection, incident response, the OWASP Top 10, and specialized sessions for our engineering team. The day includes hands-on exercises to help our engineers identify and fix security vulnerabilities effectively.
Why Security Day Matters?
This event offers everyone a chance to learn and refresh their knowledge of security basics, stay updated on the latest trends, and understand company policies. The goal is to raise awareness of security risks in our work and encourage best practices, fostering a security-conscious culture within Grabyo.
Diving into the Day
Here’s an overview of what happens on Security Day:
A few important things to note:
- Multiple tracks run concurrently, allowing employees to choose sessions relevant to their roles and interests.
- All talks are recorded for later viewing.
- Attendees receive recommendations for must-watch talks based on their roles.
- The CTO’s keynote is scheduled to accommodate different time zones.
- We value feedback and provide forms for each talk and the overall event to gather input for improvement.
The bulk of our presentations are conducted by our in-house experts, making it a cost-efficient means of both acquiring and disseminating knowledge about security vulnerabilities and best practices. Our internal speakers rotate annually, providing everyone with the opportunity to delve into subjects that align closely with their roles and experiences, enabling them to share these insights with their peers.
In addition to our internal sessions, we typically feature an external speaker during the day’s proceedings. We collaborate with seasoned professionals from our network of partners and affiliations, such as AWS and SureCloud, to diversify our knowledge base. These guest speakers deliver talks on a broader spectrum of topics, including security-related products and services, automated security response solutions, and technical deep-dives into various types of application security attacks and their mitigations.
Our CTO delivers the main keynote of the day. Our VP of Engineering delivers the Engineering keynotes of the day. The main focus of these two keynotes is as follows:
|CTO keynote||VP of Engineering keynote|
|• Information Security and how to protect sensitive business information|
• Industry best practices to adopt to minimise security risks
• Grabyo policies, which all employees should understand and adhere to
|• Best practices in our software development lifecycle|
• How to:
• protect our laptops
• write secure code
• build and deploy applications securely
• protect our APIs
• protect our content on cloud storage
Apart from the keynotes, multiple tracks run in parallel to cover topics related to Backend, Frontend, DevSecOps and non-engineering disciplines. A few example topics per category are given below:
|• Microservices security|
• Logging and monitoring
• SSL/TLS and mTLS
• OS command injection defence
|• Web security cheatsheet|
• Client-to-Service Authentication
• HTML5 security
• XSS and CSRF
|• OWASP Top 10 + Cloud-Native App Top 10|
• Operational security and Grabyo in-house tools
• DR runbooks
• IAM, SSO and CI/CD Permissions
|• Top tips for staff and Incident Response|
• Data protection and related protocols
• Social engineering and phishing
We organize two distinct workshops catering to both our engineering and non-engineering teams.
For our engineering team, it’s a thrilling challenge as they attempt to breach the defenses of a highly vulnerable web application known as Juice Shop. Described on its page as “the most modern and sophisticated insecure web application,” Juice Shop serves as an ideal training ground for security exercises, awareness demonstrations, CTFs (Capture The Flag), and a testing ground for security tools. Juice Shop is rife with vulnerabilities drawn from the entire OWASP Top Ten list, as well as other security flaws found in real-world applications.
This hands-on experience unfolds as a “Capture The Flag” (CTF) game, where our engineers are divided into smaller teams, pitting their skills against each other in a series of security-themed challenges. Their aim? To “capture flags” and accumulate points. The competitive spirit is captured in our scoreboard, showcasing team achievements from the previous year.
Meanwhile, our non-engineering departments embark on an engaging “scavenger” hunt and participate in various mini-games, all designed to promote and reinforce security best practices and tips. It’s a fun and interactive way for these teams to embrace and champion security awareness.
Finally, extending beyond the scope of our annual Security Day, Grabyo conducts real-world attack simulations throughout the year. This includes the distribution of convincingly crafted yet benign phishing emails to our internal employees.
These incidents, along with their corresponding responses, resurface prominently during our Security Day proceedings. This practice not only allows us to assess the current level of awareness regarding information security threats but also serves as a valuable cautionary narrative for our entire workforce.
Is it Worth It?
Absolutely, without a doubt. Over the past four years since implementing this new process, we’ve witnessed several direct and tangible benefits:
- Heightened Awareness: Our engineers have significantly elevated their awareness of technology, resulting in more frequent and meaningful discussions about technological aspects. Notably, these conversations now inherently incorporate security considerations right from the outset of any project at Grabyo. This proactive approach aligns seamlessly with our strategy to shift left on security.
- Employee Engagement: The feedback we’ve received from our engineers highlights the company’s unwavering commitment to their professional growth. Providing the entire organization with a dedicated day to delve into technology-related subjects has been met with great appreciation. It demonstrates our dedication to nurturing our team’s skills and knowledge.
- Security Enhancements: Additionally, as our engineers prepare and present topics during these security days, they have astutely identified and addressed certain security vulnerabilities within our platform. This not only showcases the value of these training sessions but also leads to tangible improvements in our overall security framework.
In summary, the investment in these training days has yielded substantial dividends, fostering a culture of heightened awareness, continuous learning, and proactive security measures throughout Grabyo.
We’re looking for talented engineers in all areas to join our team and help us to build the future of broadcast and media production.