Originally written for the Syracuse University College of Engineering blog.
Last weekend, I had the opportunity to compete in the first-ever Collegiate Pentesting Competition along with five other members from the iSchool's Information Security Club. Hosted by RIT, this competition places competing university teams in the role of security consulting companies contracted to assess the strength of a corporate network. This competition stresses technical and soft skills. Competitors must leverage their technical abilities to find vulnerabilities, as well as document and present their findings to the nontechnical executive board of the corporation. I am excited to announce that out of the nine university teams that competed from across the northeast, Syracuse University took third place!
The Collegiate Pentesting Competition distinguishes itself from other cybersecurity competitions by placing a heavy emphasis on the business side of running a security company. Traditionally, security competitions fall into two categories: purely defensive or purely offensive. Purely defensive competitions, such as the Collegiate Cyber Defense Competition, restrict competitors to solely defending a network while a professional team of hackers tries to exploit vulnerabilities to gain access. This type of competition forbids any offensive actions on the part of the competing students. Conversely, purely offensive competitions, such as Capture The Flag events, present competitors with tasks that must be completed by breaking into vulnerable computer systems. Since the sole objective of these competitions is to recover the “flags,” competitors are encouraged to use any offensive tactics possible with complete disregard for collateral damage. In these competitions, the systems and networks often get destroyed as teams race to complete the given tasks.
The Collegiate Pentesting Competition is a hybrid between offense and defense. Teams still use offensive techniques to detect and exploit vulnerable systems, but they must do so in a way which does not damage the systems or hinder the company's ability to do business. This requires the teams to be surgical in their methodology rather than simply “smashing and grabbing.”
Overall, I highly enjoyed this competition. The level of realism and professionalism it entailed made competing a very educational experience. I look forward to seeing the Information Security Club compete next year.
About The Author
Carter Yagemann ’15 is a master’s student studying computer science in Syracuse University’s College of Engineering and Computer Science. A research assistant in Professor Kevin Du’s Android security lab, his interests include mobile security and security education. He explores problems such as how to ensure security and privacy in Android inter-component communication. Yagemann is a student member of ACM and IEEE and competes in cybersecurity competitions with the Information Security Club in Syracuse University’s School of Information Studies (iSchool).