It’s the “Hack Yourself First” trilogy: Watch the talk, take the Pluralsight course and now you can spend a couple of days with me in Amsterdam next month on June 22 and 23 doing the workshop. I’ve teamed up with Xebia who does a bunch of tech training and we’ve put together a course that anyone can come along to: Hack Yourself First, how to go on the cyber-offence.
The event is being held in Hilversum just outside Amsterdam at the Hotel Lapershoek.
Because it’s always nicer to hack somewhere picturesque! It’ll go for two days and it’s for developers who want to get a better understanding of how to secure their web things. All my various Hack Yourself First efforts are technology agnostic – it doesn’t matter if you live in ASP.NET or PHP or whatever your favourite web stack is, if you’re pumping out angle brackets then it’s equally relevant. Or if you’re pumping out curly braces in JSON. Or anything over the web!
My premise has always been that there’s nothing quite like getting developers engaged in the process of learning how flaws in web software are actually exploited to get them to buy into why security is so important. The vast majority of software developers have never executed a SQL injection attack, for example, yet somehow they’re expected to write defensive software. IMHO, that goes some way to explaining why we still see a risk like this at the top of the OWASP Top 10 and indeed why even now in 2015, we still see people not only building new software with injection risks, but teaching others how to do it as well.
But of course it’s not all just about injection, the list of topics includes:
- SQL injection
- Cross site scripting
- Cross site request forgery
- Session hijacking
- Account enumeration
- Transport layer security
- API security
- Mobile services integration
- Brute force attacks
- Password cracking
- Parameter tampering
- Attack automation
- Dynamic analysis
It’s all hands on and it all happens with the tools that developers use every day. The idea is to take the things they’re already familiar with and use them in the context of security training so there’s no mucking around with trying to understand foreign tools and we can get straight into the business of learning how application security works on the web. I did a condensed version of this training yesterday in Stockholm after the DevSum conference and again the week before for a client in Amsterdam and it’s always a heap of fun not just for those attending, but for myself as well. There’s a bunch of challenges set throughout the workshop and I’m always amazed at the different ways developers find to circumvent security when they put their minds to it; it’s just a matter of getting them to think about security the right way.
At present we still have spots available but I’m conscious it’s only three and a half weeks away. I don’t have any further European trips planned at this point so if you want to get involved and Amsterdam is accessible, that’s your best bet. You can register on the Xebia website and flick them (or me if you like) any questions.
Just as an aside, I absolutely loved being back in Amsterdam last week. I spent a couple of years living in the Netherlands when I was in high school and it’s such a great place to come back to, have a nice ride around and catch some cold beers. Looking forward to next month!