Web Application Security Masterclass: “Hack Yourself First”
- Your instructor: Scott Helme
Workshop includes:
- Working examples to take away
- Interactive sessions
- Workshop recordings
- Dedicated Q&A time
- Smashing Certificate
Unfortunately, this workshop is fully sold out! But you can join the waiting list in case a ticket becomes available:
Workshop, 4×4h + Q&A • Thu & Fri, August 6–14 2020
09:00 AM — 1:00 PM PDT (Pacific Daylight Time)
“Hack Yourself First” is all about building up defensive skills for software developers. We’ll explore common risks and attacks in the browser, SQL injection, XSS, CSRF, HTTPS, password cracking, Content Security Policy, Session Hijacking, Subresource Integrity, Brute Force Attacks and Automating Attacks. You’ll leave with practical techniques to better understand security and protect your apps.
It looks at security from the attacker’s perspective and takes you through the steps necessary to exploit vulnerable software on the web, so that you can experience hacking first hand.
You must complete specific goals that involve probing for risks and exploiting discrete vulnerabilities in an application. The workshop’s interactive nature means that multiple attack vectors are usually identified across the spectrum of participants, and each person contributes their unique perspective on how specific risks are exploited.
What You Will Learn:
- Mechanics of specific security risks and defensive patterns.
- How to tackle security risks in depth via multiple defences.
- How to choose appropriate controls based on the specific risk of the feature.
- How to argue about what makes sense in different circumstances.
- How to assess the situation and prioritize sensibly between security, usability, cost, and other concerns in the best interests of the product being built.
This workshop helps those who attend have the right discussions about when and where to invest in security.
The Format
Each module of the workshop goes through a three stage cycle:
Overview
What the risk is, how exploits are executed and why it’s important to understand.
Exercise
Attendees are set an objective where they must exploit the risk to achieve a goal.
Retrospective
Collectively discuss how the challenge was solved and what was learned.
Modules average about 45 to 50 minutes each and are divided approximately equally between the three stages above. The workshop always adapts to the classroom; some organisations have a greater need to focus on a specific area of security or to drill deeper into one of the stages, so the workshop responds accordingly and becomes tailored to the audience.
It’s security, but it’s for developers
This workshop is platform agnostic; whether you’re working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.
Frequently, attendees find serious risks in their own applications during the course of the workshop. Sometimes they find serious risks in other people’s applications, which leads to firsthand exposure to the ethics of security.
Who Is This For?
This workshop is for software developers, security professionals, testers and technology management. There’s always a breadth of competency and experience so Scott will tailor the pace and depth accordingly. Often this means a combination of one-on-one time with some participants whilst setting stretch goals for others.
Ultimately, everyone gets the opportunity to be challenged whilst not being overwhelmed.
About Scott Helme
Hacker, researcher, builder of things. Pluralsight author, BBC hacker in residence, award winning entrepreneur. He is the creator of report-uri.com and securityheaders.com, free online tools to help sites deploy better security. His goal is to make the Web a safer place.
Time & Schedule
This masterclass takes place over four days in four hour sessions with time for questions and discussion about your work and how to apply what you’ve learned. Our virtual doors open at 8:45, we start at 9 AM PDT.
Please mark your calendars:
- Thu, August 6, 09:00 – 1:00 PM PDT
- Fri, August 7, 09:00 – 1:00 PM PDT
- Thu, August 13, 09:00 – 1:00 PM PDT
- Fri, August 14, 09:00 – 1:00 PM PDT
Day 1
8:45 AM PDT
Virtual doors open and registration.
9:00 AM – 9:30 AM
Introduction.
9:30 AM – 10:30 AM
Discovering Risks via the Browser
10:30 AM – 10:45 AM
Break
10:45 AM – 11:15 AM
Using an HTTP proxy
11:15 AM – 12:10 PM
XSS
12:10 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!
Day 2
8:45 AM PDT
Virtual doors open and registration.
9:00 AM – 9:55 AM
SQL Injection
9:55 AM – 10:45 AM
CSRF
10:45 AM – 11:00 AM
Break
11:00 AM – 12:10 PM
HTTPS
12:10 PM – 12:40 PM
Framework Disclosure
12:40 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!
Day 3
8:45 AM PDT
Virtual doors open and registration.
9:00 AM – 10:00 AM
Password Cracking – 60 mins
10:00 AM – 10:30 AM
Account Enumeration
10:30 AM – 10:45 AM
Break
10:45 AM – 11:20 AM
FiddlerScript
11:20 AM – 12:30 PM
Content Security Policy
12:30 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!
Day 4
8:45 AM PDT
Virtual doors open and registration.
9:00 AM – 9:35 AM
Session Hijacking
9:35 AM – 10:25 AM
Subresource Integrity
10:25 AM – 10:40 AM
Break
10:40 AM – 11:10 AM
Brute Force Attacks
11:10 AM – 12:05 PM
Automating Attacks and Review
12:05 PM – 1:00 PM
Q&A with Scott on the day’s material. Networking!