
Apply HN: Hacksplaining – what every web developer needs to know about security - malcolmhere
Beta online now: https://www.hacksplaining.com

There's a gap in the market for online security training aimed at developers. Most training companies focus on security awareness for regular employees (making sure your receptionist doesn't click on phishing emails) or infosec training for security professionals (learning how to perform penetration tests). Developers have to make do with books, blog posts, and online videos.

We've taken the most common security vulnerabilities and put together a series of interactive exercises that ask a developer to put themselves in the shoes of a hacker. Next, we show how to protect against these vulnerabilities with real code samples. Finally, we test developers on what they've learnt.

The beta launched a few weeks ago and the feedback has been amazing. We hit the front page of reddit (300,000+ page views in one day) and have more than 13,000 sign-ups so far. Our users are consistently telling us the same thing: they have always worried there is a gap in their security knowledge but have generally been too embarrassed to bring it up to their boss.

Getting into YC will help us grow the site into a real product. We have a couple of big security firms interested in working with us and a lot of enquiries about the premium version (which will allow employers to invite and track their employees' progress through the course). There's clearly an appetite for the product, and we want to build a business out of it!

If you have any questions or feedback, we'd love to hear from you. :-)
======
tptacek
This sounds similar to Safelight (now, I guess, "Security Innovations"):

[https://www.securityinnovation.com/](https://www.securityinnovation.com/)

They were quite successful with online security training, and companies will
pay for it.

So my questions, I guess, are:

* How do you stack up content-wise against something like Safelight?

* Who are you, and what's your pedigree? To a big extent, companies buying security CBT are buying a sort of stamp of approval for their process; how does your brand do that for them?

* Why do security firms want online training? That seems like a really tough vertical to sell this kind of training for (big security firms tend to sell training courses like these themselves, except on-site, at nosebleed prices).

~~~
malcolmhere
\- We don't have the breadth of Safelight's material (early days I guess), but
in the areas we cover, we do a much better job. It was our frustration with
this kind of training material that inspired us to make Hacksplaining in the
first place:

[https://www.youtube.com/watch?v=jkQgVO993W8](https://www.youtube.com/watch?v=jkQgVO993W8)

Our exercises are interactive, rather than passive, and focus on specific ways
to fix code, rather than abstract concepts. Compare with what we have on SQL
injection:

[https://www.hacksplaining.com/exercises/sql-injection](https://www.hacksplaining.com/exercises/sql-injection)

We started with the question "what are the essential things we would want our
development team to know?" and then figured out the most compelling way to
teach about them.

\- We are talking to a couple of firms that we could partner with to help
establish credibility. It's a bit of Catch-22 selling this kind of training
material - people buy your product on the basis of who your existing customers
are, to some extent. Finding an established player to work with would really
give us a leg up.

\- Most companies reluctantly pay for security training, precisely because so
much of it is onsite and expensive. Making security training mandatory for
developers is a good policy for a CTO of a large company (particularly if they
have been hacked recently), but it's generally impractical to send everyone
out for a 5-day course. We hope engaging, online material can fill that niche.

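The SQL injection exercise linked above is about fixing code rather than describing the bug in the abstract. As an added illustration of that "hacker's shoes, then the fix" pattern (this is editor-supplied example code, not material from Hacksplaining or from the poster), the block below builds a constructed in-memory SQLite user table, runs a login check that concatenates user input into the query text, shows the classic `' OR '1'='1` tautology bypassing it, and then runs the same check as a parameterized query, where the payload is just a password string that fails to match. The table contents, function names and payloads are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; a real application would store
# password hashes, not plaintext, but that is a separate lesson.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text.

    With password = "' OR '1'='1" the statement becomes
      ... WHERE username = 'alice' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, the OR clause is true for
    every row, so the first row is returned and the login "succeeds".
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Fixed: a parameterized query; the driver sends the values as data,
    so quotes in the input never become SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both implementations against a legitimate login and two payloads."""
    conn = make_db()
    tautology = "' OR '1'='1"      # password field payload
    comment_out = "' OR 1=1 --"    # username field payload; '--' drops the rest
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),
        "vuln_comment": login_vulnerable(conn, comment_out, "irrelevant"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_tautology": login_safe(conn, "alice", tautology),
        "safe_comment": login_safe(conn, comment_out, "irrelevant"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result!r}")
```

The second payload is worth keeping in the exercise: it needs no valid username at all, which is the point a developer tends to miss when they assume the attacker must first know an account name. The fix is the same in every driver that supports placeholders; the placeholder syntax (`?`, `%s`, `:name`) varies, the principle does not.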
~~~
amckenna
Hey, I just worked on the SQL injection course and I wouldn't use Chase's
logo for your fake banking application, or any major company's logo for your
insecure sites.

------
bestattack
Wow, I like this quite a bit. Your tutorials are very informative without
making me feel talked-down to.

How will you get users? I can imagine doing distribution via company training
programs or via people telling their coworkers/friends about it (or maybe
something else?). One of these vectors is going to be better than the others.
Given your success on Reddit it's possibly a viral product, but if so, you
need to worry about retention - it'll be interesting to see if users keep
coming back to learn more.

------
ryporter
This seems like a useful service that could get traction, but I think you'll
need to find other ways to monetize it than charging companies to track their
employees' progress. There are a lot of companies that sadly don't care enough
about security to consider paying for a service like this. I would explore
other avenues, such as certification (targeted at developers entering the
field), referrals to security firms (e.g., consultants or pen testers), and
job boards/placement.

------
JohnSmith78098
Please give the link to the Reddit comments.

~~~
malcolmhere
This was the post that got to the front page:

[https://www.reddit.com/r/InternetIsBeautiful/comments/4a4ol6...](https://www.reddit.com/r/InternetIsBeautiful/comments/4a4ol6/learn_to_hack_learn_to_protect_yourself_learn/)

The warmest feedback tended to come through PMs and email.

~~~
JohnSmith78098
Thank you

