Capture the Flag (CTF): The game for developers to learn information security

As a developer, you want to make sure that your site doesn’t leave any doors open for uninvited guests, i.e. hackers. Unfortunately, many young developers don’t have much experience or interest in security issues until they start facing incidents. After working through the stress and repercussions of a few patches, security quickly starts to play a much bigger consideration in the seasoned developer’s mind. Luckily, there are easier ways to cut your teeth.

To gain experience in information security without putting your product at risk, we’d like to introduce you to a game called Capture the Flag (CTF). We decided to try it out at our most recent General Meeting, a yearly assemblage of our entire staff at our headquarters in Fukuoka, Japan. It proved to be a great exercise and a fun team bonding activity.

How to play Capture the Flag for developers

CTF is an information security competition with three popular types of challenges: jeopardy, attack-defense, and mixed.


Jeopardy-style CTFs are based on solving a variety of tasks for points. The tasks can come from a range of topics or categories such as web, forensic, crypto, binary, or whatever else. The rules are pretty simple:

  • Team’s gain points for every task solved, with more complicated tasks earning more points.
  • New tasks cannot be opened until the previous task is solved.
  • At the end of the game, the team with the most points wins!

A great example of a Jeopardy-style CTF is the Defcon CTF Qualifier.


Attack-defense-style CTFs are about creating patches for your own services with hacking others. Each team is given their own network or host with built-in vulnerabilities and a pre-determined time limit. Then the rules are:

  • Each team works to protect their own services, earning points for successfully defending it.
  • Each team also works to hack opponents services, earning points for successful attacks.
  • The team with the most points wins!

The DEF CON CTF is a popular example of this.


Mixed competitions vary their format. This might mean having an attack-defense game with task-based elements incorporated. An example would be the UCSB iCTF.

CTF games can touch on many aspects of information security: cryptography, stego, binary analysis, reverse engineering, mobile security, and others. The more well rounded your team is in each area, the better they’ll perform.

Building our own CTF challenge

Together with four other Nulab developers, we designed our own NU CTF 2019. Like other Jeopardy style CTF challenges, ours consisted of a portal web site and some challenges.

We made 3 categories:

  • Reversing
  • Crypto
  • Web

Each category was assigned a point value and the points awarded correspond to the difficulty of the challenge.

Portal site

We used the following software and services to build the portal as well as the challenges.

  • Vue.js
  • Golang
  • Fabric
  • Ansible
  • AWS
  • C
  • Python

It was my task to develop the portal, and I decided to use technologies that I don’t use in my daily work, such as Vue.js and Golang. It was a really good opportunity for me to try new things.

How it went

We had more than 7 contestants join our CTF challenge.

Left: question author Right: a participant


With a little hard work, some of them were able to solve all of the challenges! We didn’t expect anyone to complete every task, and we were happy to be surprised.


Showing how to solve it!

Prizes for the winners!

Doing challenges like Capture the Flag is one of the best ways to make web security more familiar to developers. And its a great way to make learning about security more fun for your team.

Try the NU CTF 2019 yourself

If you’d like to try it, here’s one of the challenges we tried. You will find the text “FLAG{dyi8763R}” when you have solved it.

Good luck!



Gain skills, learn strategies, move projects forward

Collaborate and bring your projects to life with Nulab

Learn more