Hack Yourself First
Course material, a light lunch and refreshments are included in the course fee.
Online attacks have become a reality of running software on the web today. We find ourselves under a constant barrage of malicious activity from hacktivists, online criminals and increasingly, nation states. Successful attacks from these adversaries are predominantly via flaws in the software products they target – flaws that could have been prevented by developers understanding how online attackers work and what the appropriate defensive measures are.
"Hack Yourself First" is all about building up defensive skills in software developers. It looks at security from the attacker's perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand. Workshop participants are set specific goals they must complete that involve probing for risks and then exploiting discrete vulnerabilities in a specially built vulnerable application. The interactive nature of the workshop means that multiple attack vectors are usually identified across the spectrum of participants and each person contributes their own unique perspective as to how specific risks are exploited.
The objective of the workshop is that each person walks away with demonstrated experience across a broad spectrum of specific risks. They not only learn about but also demonstrate practical experience across a range of different vulnerabilities targeted to the specific needs of the group.
The workshop is the creation of Troy Hunt, an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. Recently he teamed up with Scott Helme,a Security Researcher and international speaker, who is running Hack Yourself First in Europe - Read more about it here.
What attendees learn:
Obviously they'll get taught the mechanics of each of these risks and of course the defensive patterns required to defend against them. But more than that, they get exposed to how to think about security; how to apply it in depth via multiple defences, how to choose appropriate controls based on the specific risk of the feature and how to have the discussion about what makes sense in different circumstances.
Above all though, security is just one factor in delivering working software and it has to be applied appropriately. Sometimes it comes with a trade-off against usability or cost and decisions have to be made about not what's just most secure, but what's in the overall best interests of the product being built. This workshop helps those who attend have the right discussions about when and where to invest in security.
Each module of the workshop goes through a three stage cycle:
• What the risk is, how exploits are executed and why it's important to understand.
• Attendees are set an objective where they must exploit the risk to achieve a goal.
• Collectively discuss how the challenge was solved and what was learned.
Modules average out at about 45 to 50 minutes each and are divided down approximately equally between each of the three stages above. It always adapts to the classroom; some organisations have a greater need to focus on a specific area of security or drill deeper in one of the cycles so the workshop responds appropriately and becomes tailored to the audience.
It's security, but it's for developers:
Security training is frequently targeted at security professionals; it uses their language, their practices and their tools. My workshops are developer-centric and they focus on presenting security in a way that resonates with this audience. We primarily use tools developers are already familiar with such as the browser dev tools and HTTP proxies like Fiddler and Charles.
The training is platform agnostic; whether you're working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.
Frequently, attendees find serious risks in their own applications during the course of the workshop. Sometimes, they find serious risks in other people's which leads to firsthand exposure to the ethics of security.
More detailed course outline here.
Who should enroll:
I've usually got a mixture of software developers, security professionals, testers and technology management. There's always a breadth of competency and experience so I tailor the pace and depth accordingly. Often this means a combination of one-on-one time with some participants whilst setting stretch goals for others. Ultimately, everyone gets the opportunity to be challenged whilst not being overwhelmed.
Scott Helme, a Security Researcher, international speaker and founder of the popular securityheaders.com and report-uri.com, free tools to help you deploy better security.
Read more about Scott on his blog.