I run security workshops that teach technology professionals how to break into their own applications – before someone else does
Online attacks have become a reality of running software on the web today. We find ourselves under a constant barrage of malicious activity from hacktivists, online criminals and increasingly, nation states. Successful attacks from these adversaries are predominantly via flaws in the software products they target – flaws that could have been prevented by developers understanding how online attackers work and what the appropriate defensive measures are.
Let me introduce the workshop then I'll go into the details below the video:
Hack Yourself First
"Hack Yourself First" is all about building up defensive skills in software developers. It looks at security from the attacker's perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand. Workshop participants are set specific goals they must complete that involve probing for risks and then exploiting discrete vulnerabilities in a specially built vulnerable application. The interactive nature of the workshop means that multiple attack vectors are usually identified across the spectrum of participants and each person contributes their own unique perspective as to how specific risks are exploited.
The objective of the workshop is that each person walks away with demonstrated experience across a broad spectrum of specific risks. They not only learn about but also demonstrate practical experience across a range of different vulnerabilities targeted to the specific needs of the group.
Courses run for two days on the following schedule:
The first day build fundamental security skills that all technology professionals delivering applications on the web should posses:
|Introduction – 30 mins||09:00|
|Discovering risks via the browser – 40 mins||09:30|
|Using an HTTP proxy – 20 mins||10:00|
|Break – 15 mins||10:30|
|XSS – 50 mins||10:45|
|SQL injection – 55 mins||11:35|
|Lunch – 1 hour||12:30|
|Mobile APIs – 60 mins||13:30|
|CSRF – 50 mins||14:30|
|Break – 15 mins||15:20|
|Framework disclosure – 30 mins||15:35|
|Session hijacking – 35 mins||16:05|
|Wrap up – 20 mins||16:40|
The second day delves deeper into online risks, covering more advanced topics in greater depth:
|Password cracking – 50 mins||09:00|
|Account Enumeration – 30 mins||09:50|
|Break – 15 mins||10:30|
|FiddlerScript – 35 mins||10:45|
|HTTPS – 70 mins||11:35|
|Lunch – 1 hour||12:30|
|Content Security Policy – 70 mins||13:30|
|Subresource integrity – 40 mins||14:30|
|Break – 15 mins||15:20|
|Brute force attacks – 30 mins||15:35|
|Automating attacks and review – 35 mins||16:05|
|Wrap up – 20 mins||16:40|
What attendees learn
Obviously they'll get taught the mechanics of each of these risks and of course the defensive patterns required to defend against them. But more than that, they get exposed to how to think about security; how to apply it in depth via multiple defences, how to choose appropriate controls based on the specific risk of the feature and how to have the discussion about what makes sense in different circumstances.
Above all though, security is just one factor in delivering working software and it has to be applied appropriately. Sometimes it comes with a trade-off against usability or cost and decisions have to be made about not what's just most secure, but what's in the overall best interests of the product being built. This workshop helps those who attend have the right discussions about when and where to invest in security.
Each module of the workshop goes through a three stage cycle:
What the risk is, how exploits are executed and why it's important to understand
ExerciseAttendees are set an objective where they must exploit the risk to achieve a goal
Collectively discuss how the challenge was solved and what was learned
Modules average out at about 45 to 50 minutes each and are divided down approximately equally between each of the three stages above. It always adapts to the classroom; some organisations have a greater need to focus on a specific area of security or drill deeper in one of the cycles so the workshop responds appropriately and becomes tailored to the audience.
It's security, but it's for developers
Security training is frequently targeted at security professionals; it uses their language, their practices and their tools. My workshops are developer-centric and they focus on presenting security in a way that resonates with this audience. We primarily use tools developers are already familiar with such as the browser dev tools and HTTP proxies like Fiddler and Charles.
The training is platform agnostic; whether you're working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.
Frequently, attendees find serious risks in their own applications during the course of the workshop. Sometimes, they find serious risks in other people's which leads to firsthand exposure to the ethics of security. This workshop has resulted in disclosures such as missing transport layer in the realestate.com.au app and perhaps most notably, the complete lack of authorisation in Nissan's app controlling the LEAF electric vehicle. Serious security risks such as Nissan's are often only a couple of hours of training away from being discovered in many of today's online assets.
Workshop audience and size
I've usually got a mixture of software developers, security professionals, testers and technology management. There's always a breadth of competency and experience so I tailor the pace and depth accordingly. Often this means a combination of one-on-one time with some participants whilst setting stretch goals for others. Ultimately, everyone gets the opportunity to be challenged whilst not being overwhelmed.
I try to aim for between 15 and 30 participants in a workshop. This keeps the numbers high enough to get robust group discussion going and low enough to ensure I can provide individual support as required. Whilst I've run with both smaller and larger groups, this is the "sweet spot".
As well as workshops run face-to-face in person, remote workshops are now also available. They work great for distributed teams or where the logistics of me attending in person simply don't work out. It's the same syllabus with the same content albeit spread over a 4 day period and delivered via the organisation's choice of online conferencing tool.
Hack Yourself First Workshops by Scott Helme
To help me scale the workshops further, I've teamed up with Scott Helme to deliver more training at more events. As I explain in that link, Scott is an exemplary speaker with a proven track record and assists me in delivering the same quality events in locations across the globe.
Along with private workshops delivered to one specific organisation, Scott and I both deliver training at public events across the globe. Following is a list of where you can find us delivering public Hack Yourself First workshops during 2019:
- NDC Security: 29 Apr to 1 May, Gold Coast (Australia)
- NDC Minnesota: 6 to 9 May, Saint Paul (USA)
- NDC Security: 13 to 14 May, New York (USA)
- NDC Oslo: 17 to 21 Jun, Oslo (Norway)
- NDC Sydney: 14 to 18 Oct, Sydney (Australia)
Tickets are available on the respective conference websites.
Price is POA and it can be affected by availability, coordination with existing travel commitments and alignment to the syllabus outlined above for the "Hack Yourself First" workshop. Price is always a per-day rate rather than per-head and generally works out less than sending the team to a decent conference. All materials used in the workshop are handed over upon completion and organisations are welcome to repeat the exercises internally.
What others are saying
I run these workshops around the world and as much as I love doing them, I love seeing people enjoy them even more. I usually ask for a bit of feedback afterwards, here's what others are saying about the two day "Hack Yourself First" workshop:
The format of mini presentation, followed by hands-on exercises, followed by discussion for each topic, was leagues ahead of the security presentations I've previously experienced. Throughout the 2 days Troy was engaging, funny and above all knowledgeable on both the workshop content and surrounding topics. He effortlessly adapted both the presentation and hands-on aspects to the abilities of everyone in the room. – Dan Rowlands, Just Eat
Troy was a knowledgeable and entertaining speaker, and there were plenty of practical exercises throughout the workshop. By keeping slides to a minimum, encouraging participation and including lots of real life examples, the content was easy to digest and has greatly improved the security knowledge within our development teams. Further knowledge-sharing sessions have since been organised across the company to reinforce the importance of security and help ensure it is included earlier in the development lifecycle. – Steve Harwood, RBI
Troy’s hand-on workshops with our team, really boosted the security awareness for all who participated. We found immediate benefits just from developers applying the knowledge learnt and discovering gaps in our existing systems. A lasting benefit was also seen, with security now a permanent and understood item of discussion in technical reviews. – Glen Foley, Liberty Financial
Troy’s “Hack Yourself First” is a great way to scratch beneath the surface of “received wisdom” on security and understand the true background, nature and depth of vulnerabilities in modern applications. Troy delivers this with an engaging style and mixes a deep understanding of the theory with relevant hands-on learning exercises, and peppers his sessions throughout with interesting and scary real-world examples. – Tomos Evans, Capita
Two days with Troy has shown us just how shockingly easy some vulnerabilities are to exploit, but we now feel a lot more prepared and equipped to defend ourselves.
He has put us in the mind set of thinking about security with every line of code we write, shown us how to attack our own code in a way it likely be attacked in the wild, and taught us how to avoid the common mistakes developers usually make. And all in a really engaging & interactive style. Money well spent. I couldn’t recommend it enough. – David Cook, Compare the Market
Occasionally I also run bespoke workshops based on specific organisational requirements, most frequently around ASP.NET security and building applications in Microsoft's Azure cloud.
Get in touch via the contact page if you'd like further information.