Ideas for a report writing competition
Mon 28th Jan 12
Lots of security conferences run capture the flag events which allow people to show off their technical ability but I've had an idea for a new style of security competition, one based on report writing.
A scenario will be created with a dummy company and the results of a pen-test/vulnerability scan. A number of issues, probably around 5-6 I think would work, would be given as the outcome of the test and the entrants would have to write up the report as they would for a normal test. So it didn't take up to much time on the day of the conference most of the information would be released a short while before the event, possibly a week or so, however a couple of issues would be kept back and released on the day of the event. The idea behind this would be to allow the contestants to write the bulk of the report at their leisure and get it QA'd by others as (hopefully) they normally would. Unfortunately this would also be open to abuse where the report could be team written by a group of people which wouldn't really be fair. This is where the issues released on the day come in. This would help show the real writing skills of the person who submits the report and would also show how well they work under pressure as, lets face it, we rarely do get to write reports at out leisure.
The reports would have to be submitted by a deadline and would then be judged by a panel of judges. Ideally the panel would be made up of a minimum of three people, a non-technical manager (board member type person), one technical manager (IT department boss) and one admin/developer (the guy who has to implement fixes). This breakdown would cover the three areas which should be covered by a good report.
All reports submitted will be released after the competition with judges notes, this would help build up a repository of reports and comments which I think would be a really useful resource.
People would be allowed to use whatever template they want as long as they have permission, i.e. they could use their company's template but only if the company says they can. Because of branding it would be hard to completely anonymise some reports but some effort should be made to keep the judging fair.
This could be extended to add a short presentation of the findings to the panel or to have a viva style assessment.
I think this would be a nice addition to the standard technical challenges held at conferences but, as most people don't like writing reports, I wouldn't expect the uptake to be huge. It think those who did enter would be quite passionate about report writing so we could have some good entries. The general discussion that this would generate I think would also do the industry good.
Please send feedback.