Scott Helme: Hack Yourself First
"Hack Yourself First" is all about building up defensive skills in software developers. It looks at security from the attacker's perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand. Workshop participants are set specific goals they must complete that involve probing for risks and then exploiting discrete vulnerabilities in a specially built vulnerable application. The interactive nature of the workshop means that multiple attack vectors are usually identified across the spectrum of participants and each person contributes their own unique perspective as to how specific risks are exploited.
The objective of the Masterclass is that each person walks away with demonstrated experience across a broad spectrum of specific risks. They not only learn about but also demonstrate practical experience across a range of different vulnerabilities targeted to the specific needs of the group.
What will attendees learn?
The attendees will get taught the mechanics of each of these risks and of course the defensive patterns required to defend against them. But more than that, they get exposed to how to think about security; how to apply it in depth via multiple defenses, how to choose appropriate controls based on the specific risk of the feature and how to have the discussion about what makes sense in different circumstances.
Above all though, security is just one factor in delivering working software and it has to be applied appropriately. Sometimes it comes with a trade-off against usability or cost and decisions have to be made about not what's just most secure, but what's in the overall best interests of the product being built. This workshop helps those who attend have the right discussions about when and where to invest in security.
It's security, but it's for developers
Security training is frequently targeted at security professionals; it uses their language, their practices and their tools. My workshops are developer-centric and they focus on presenting security in a way that resonates with this audience. We primarily use tools developers are already familiar with such as the browser dev tools and HTTP proxies like Fiddler and Charles.
The training is platform agnostic; whether you're working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.
Frequently, attendees find serious risks in their own applications during the course of the Masterclass. Sometimes, they find serious risks in other people's which leads to firsthand exposure to the ethics of security. This class has resulted in disclosures such as missing transport layer in the realestate.com.au app and perhaps most notably, the complete lack of authorisation in Nissan's app controlling the LEAF electric vehicle. Serious security risks such as Nissan's are often only a couple of hours of training away from being discovered in many of today's online assets.
Agenda: Day 1
- Build fundamental security skills
- Discovering risks via the browser
- Using an HTTP proxy
- SQL injection
- Mobile APIs
- Framework disclosure
- Session hijacking
Agenda: Day 2
- Delves deeper into online risks
- Password cracking
- Account Enumeration
- Content Security Policy
- Subresource integrity
- Brute force attacks
- Automating attacks and review