
Breaker 101: An intensive online web security course - daeken
http://daeken.com/2013-06-11.1_Breaker_101__An_intensive_online_web_security_course.html
======
ambiate
Can you create a landing page with an executive summary and pricing button? I
cannot show my boss a blog post. Just hit the high points: 12 week course in
web security, $1000, increased proficiency in x, y, z, ability to do a, b, c,
protection from j, k, l, and security as a key to protecting data -- the core
of the product -- the core of business.

~~~
daeken
Absolutely, good call!

Edit: Put up a simple launch page here:
[http://course.daeken.com/](http://course.daeken.com/)

~~~
ciclista
Just for more feedback: extremely interested! I'm not able to do it right now,
but please consider offering it again in the future. I'd also be interested in
working through the material on my own with a limited support or a forum if
that would help you with residual income from this :)

------
tptacek
I worked with Cody for a while at Matasano. He's as smart and enthusiastic a
teacher as I think you'll find anywhere for this material.

------
pyvek
Dan Boneh's crypto course is starting in 5 days on Coursera. The syllabus is not
the same as the OP's course but is very good and useful nonetheless.

[https://www.coursera.org/course/crypto](https://www.coursera.org/course/crypto)

~~~
tptacek
If crypto is your thing, and you want to keep it practical, allow me to plug:

[http://www.matasano.com/articles/crypto-challenges/](http://www.matasano.com/articles/crypto-challenges/)

They're free, they involve writing actual code to break actual crypto
constructions, and they seem to be pretty popular; our standings right now:
level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36),
level 5 (29), level 6 (37).

~~~
krapp
Let's say my experience with cryptography and web security can be summed up
with 'using bcrypt' and 'using ssl.' Would I be able to learn from this or
would I need to seek out something more basic first?

~~~
reledi
From the page tptacek linked to:

> HOW MUCH CRYPTO DO I NEED TO KNOW?

> _None. That's the point._

------
dickbasedregex
I don't have a spare $1000. Write an ebook after this and I will buy that.

~~~
niekmaas
This book covers a lot of the material: [http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...](http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470)

~~~
tptacek
We buy that book, along with _The Tangled Web_, for candidates to Matasano. We
like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out
loud, though).

The other book candidates here tend to get is _The Art Of Software Security
Assessment_.

~~~
mindcrime
While we're talking books and education... tptacek, could you share any
resources that you are acquainted with, specifically on the topic of SSL/TLS?
I feel a need to really ramp up my knowledge in this space, and would be glad
to hear any recommendations you might have.

Note that I'm looking at this from a deployment / administration POV, not
programming. I don't want to implement TLS from scratch, just understand the
various issues and implications involved in rolling out TLS.

If you have some suggestions, they are _much_ appreciated.

~~~
tptacek
This is Adam Langley's blog:

[http://www.imperialviolet.org/](http://www.imperialviolet.org/)

I might start with this post:

[http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...](http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html)

------
thaumaturgy
For those commenting on the price, I'd point out that if you're a consultant
or freelance developer you should be able to justify adjusting your rates
enough after this to make the $1500 back in a month or so, and if you're a
salaried employee with a smart employer, you should be able to negotiate a
reasonable raise or get your employer to cover the cost for you.

I operate on a shoestring budget, I'm just about the most price-sensitive guy
on here, and I'm still going to do my best to scrape together the money for
this.

~~~
shubb
I think your price is reasonable for people that will get a good return from
this, and not for people that won't.

I'm not going to get a raise from doing the course, and my employer is not
going to pay out for it, so I'd like it to be $500. People who are going to
make the money back will pay more. If you fill the seats, the price is right.

~~~
tptacek
If you have no way of recouping the cost of the class, the class isn't
targeted at you. The most common pricing fallacy on HN (perhaps after
cost-plus pricing) is the idea that every product must be targeted at all
people to make sense.

~~~
riquito
So a person that simply wants to learn something for the sake of knowledge is
not the target of a teacher?

~~~
Pwnguinz
Not the target of a teacher that is asking for _this_ price. There are plenty
of teachers out there that can, presumably, teach the same material just as
well for probably less cost to the student; however, it's not the OP's job to
find those alternative sources for you.

------
m0nastic
I just want to echo the sentiment that Cody is a great person to be offering
this.

I had the experience of being interviewed by him a while back, and he made
what could easily have been a very intimidating (especially as it was a long
interview in a series of long interviews) technical interview both immensely
enjoyable (by the end it felt like being part of an exciting conversation),
and actually went out of his way to explain a bunch of stuff to me.

I wish there were more things like this.

~~~
hackinthebochs
Did you get the job? (for the sake of full disclosure)

~~~
m0nastic
I did not, which I actually think is even more of a testament to how positive
the experience (and interviewing with Cody in particular) was.

~~~
hackinthebochs
Definitely. If you had been a former or current employee I was going to say
that colors your recommendation a bit.

------
try-finally
Would you consider doing a reduced price for people who just want access to
the videos after the session and logs of irc. This way you won't have to grade
their homework, answer their questions, nor give them a certificate. I'd love
to learn all that stuff at my own pace, but I don't have 1k to spend on it. On
the flip side I don't expect you to do work for free.

~~~
daeken
It's something I may consider for future runs, but I'm not planning that for
the first iteration. I think the real value in this is being able to work
through this material and have hands-on instruction when you need it, much as
if you were being trained inside a security consultancy.

------
silverlight
I signed up. If for $1,000 you can help me learn how to better secure the web
applications I'm building for a living, it will be well worth the cost and
time investment. See you in class :-)

------
anExcitedBeast
There's always value in a guided course, but everything on the outline can be
found free online. Unless you need the structure, I'd save your money and use
open learning materials.

~~~
trebor
I'd suggest that if you know where these subjects can be found online, and
since there are many who state that they don't have $1000, that you should
post the links here. Those of us that wish to take the course by Cody will
still do so.

~~~
rmusser
vulnhub.com for vulnerable distributions. They have some distributions set up
with web apps designed for you to practice and learn various attacks from (i.e.
WebGoat).

OWASP(Open Web Application Security Project)

OWASP Top Ten:
[https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)

OWASP Testing Methodology manual:
[https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents)

OWASP Developer Guide:
[https://www.owasp.org/index.php/Category:OWASP_Guide_Project](https://www.owasp.org/index.php/Category:OWASP_Guide_Project)

PTES (Penetration Testing Execution Standard): [http://www.pentest-standard.org/index.php/Main_Page](http://www.pentest-standard.org/index.php/Main_Page)

CTFs: overthewire.org

Self-Promo: rmusser.net/infosec site full of information on various infosec
topics. Going through right now and updating/increasing the quality of
information.

------
lifeisstillgood
It appears to have sold out.

Is there an equivalent to sitting in the back of the lecture hall / access to
an online forum of similar folks following along?

I ask because as a developer I make stuff but rarely know which mistakes I am
making in the break stuff department.

And of course how do I book the next run?

~~~
daeken
It's not quite sold out, but EventBee seems to be having some issues on the
last few tickets for some reason. If you can't get in, refresh until the
dropdown actually has tickets and you should be good to go. Sorry for the
annoyance!

~~~
gyardley
Got to say I'm also somewhat underwhelmed by the EventBee experience. No 'sold
out' notice, but the only currently available quantity is consistently zero.

~~~
daeken
Yeah, bit disappointing. What's actually happening is that the tickets are
reserved, but I have no way of releasing them or any of that. There are still
6 tickets here -- if anyone wants one, shoot me an email. First come, first
serve.

Definitely switching to my own little service for this next run.

Edit: The remaining tickets are now all taken. Thank you all so very much, and
see you in class!

------
pc86
I was incredibly skeptical of this until I looked at your bio. This looks
pretty awesome.

------
rdl
I'm curious how much value there is in knowing the infrastructure side of
security as well as appsec, vs. being a really good developer and knowing
appsec. The overall quality of appsec expertise seems highest from people with
stronger dev backgrounds, at least from the ones I've met, in practice.
Infrastructure and appsec (and compliance/policy, and theoretical
math/cs/cryptology) seem like quite different worlds.

------
jorejudos
Is the certificate that you get for completing the course an actual
acknowledged certificate in the infosec industry?

~~~
daeken
No, it's not -- this is a brand new course. However, I personally will put my
weight behind anyone who completes this course successfully, as it will put
them in a prime position for many positions; I have no doubt that they will be
perfect for those jobs.

~~~
tptacek
I'm a software security hiring manager and will confirm that going through a
course like this would get our attention.

~~~
saturdayplace
What about the SANS SEC542 + GWAPT certification? It looks like Cody's course
covers a couple areas that don't fall under the SANS one, but the high-level
overview appears to be pretty similar.

Or, would you be willing to speak more generally about certifications, and
which, if any actually DO get attention from hiring managers in the security
field?

~~~
tptacek
We pay absolutely zero attention to certifications. I literally don't know
what's in the SANS program.

_Not_ taking Cody's classes wouldn't harm you here, or at any other high-end
firm that I'm aware of. But actually taking it would signal a particular
interest and engagement with appsec, which is something I would pay attention
to.

If there is some other forcing function you have to get you to actually
practice software security and find vulnerabilities, that too would be
valuable.

~~~
saturdayplace
I'm pretty familiar with the attitude among hiring managers that
certifications generally don't signal anything useful; my boss and I also hold
that position (I hold an MCTS that I was forced to get so my employer could
get a better partnership status with Microsoft). So I'm curious why holding
Cody's certificate might actually mean _something_ where a more established
cert would not.

~~~
tptacek
Cody isn't offering a certification. But I know Cody and I know people that
take his class are going to be working directly with him.

------
Ixiaus
I'm going to see if I can get the business to pay for this, would love to take
this course.

------
cybernoodles
Got super excited until I saw the 1k price tag.

------
ssafejava
For those of us not in the US, I wish you had opened this up at a different
time of day. I would have loved to join but this went up and sold out while I
was asleep. Best of luck and please contact me if a spot opens up.

------
mipapage
I missed this opportunity, and have followed you on twitter with the hope of
not missing the next one. I'd feel better if you had a mailing list to
announce the next one though; much more reliable than twitter!

------
thaumasiotes
I'm really trying to sign up for this course. Every time I try to pay for a
ticket, Paypal tells me they're experiencing difficulties and I need to try
again later. Is there a way I can sign up?

~~~
thaumasiotes
Well, having let some time pass, I now fill out the payment information and
click "review and continue", and a thinking animation displays, and then the
exact same info panel slides out from the left, with all the stuff I typed in
still in. I can click "review and continue" any number of times to no avail.
How do I actually complete the transaction?

~~~
daeken
That's really quite odd -- I wonder what's going on. Have you tried another
browser? I'm still seeing payments coming in, so everything should be fine.

~~~
thaumasiotes
Yes, this occurs in Firefox and Safari.

~~~
daeken
Sorry to hear you're having so many troubles. Is this happening on the Paypal
side or the EventBee side? Also, if you email me at cody.brocious@gmail.com we
can discuss other possibilities for payment or troubleshooting.

~~~
thaumasiotes
As far as I can tell, the problem was with the PayPal side. I emailed you
(once before posting this original complaint, and once recently); I'd be happy
to discuss other possibilities. Eventbee seems to have difficulty deciding
whether there are 5 or 0 tickets left, but it's definitely not even letting me
attempt to purchase one anymore.

------
inaccessible
Is this for someone who finished the Stripe CTF last year? I think it
pretty much covered all the stuff that is offered in this course. By the way,
in Hungary $1500 is about two months of payment, if you are a simple dev (in
most places), so I don't know if it is really worth it, if you don't want to
move to another country to work later. So I guess this is not for everyone.

------
vjk2005
As essential as this is for me, $1000 is a lot of money for an Indian
freelancer. Seconding the request for a PDF download.

~~~
duaj
You can try this. For $0

[http://web-for-pentester.pentesterlab.com/introduction/](http://web-for-pentester.pentesterlab.com/introduction/)

------
timo_h
Before the Breaker 101 course starts, I invite you to take a quick (15
questions) quiz about web application security practices and quirks:
[http://timoh6.github.io/WebAppSecQuiz/index.html](http://timoh6.github.io/WebAppSecQuiz/index.html)

------
TheSwordsman
Well shit, if only I had $1,000 to drop on this; this is definitely an area
I'd like to be stronger in.

------
chollida1
This seems like an awesome idea.

Unfortunately, or fortunately?, not sure... most of my application security
understanding comes from this question on stackoverflow:

[http://stackoverflow.com/q/72394/25981](http://stackoverflow.com/q/72394/25981)

------
axyjo
Signed up! This'll be more useful than what I'm learning in university right
now.

------
kashif
What if the time you stream doesn't suit me? Can I get access to the recorded
session?

~~~
daeken
Yes, absolutely. Recorded stream as well as logs of the IRC channel. Missing
the live stream isn't a big deal if you keep on top of the course work and ask
questions. Participating in the forums will also help you keep on top of
things.

------
orangethirty
I really do hope that you package this as a video series. Then sell it to
people/teams who are not able to attend a live class. I'd gladly pay the price
of the live class for the video series.

------
manish_gill
Course content looks awesome. No way in hell I can afford it though. :(

------
chollida1
Wow, looks like it might be sold out. When I selected the early bird package
($1000) it wouldn't let me enroll for the course anymore.

Congratulations if you are indeed sold out.

~~~
daeken
Looks like the early bird package is indeed sold out, though two tickets are
currently pending payment, so someone might just be sitting on them. I'll
update if I find otherwise.

------
daemon13
If successful, do you plan to continue holding this course? If yes, how many
times a year?

I, and maybe some other folks, cannot do this now, but would love to some
time later.

~~~
daeken
I'm hoping to do this 2-3 times a year, if I can get enough interest and nail
down the material. Mind you, the price will be going up past this "beta" run.

------
umsm
Will the videos be recorded and published? I am currently employed full-time
and I will find it very difficult to be online for a live video...

~~~
daeken
The videos will be recorded and made available to students. If you can't make
the classes, you can always watch them after the fact. So long as you keep up
with the course work, you should be just fine.

------
ekm2
Now if anyone would kindly drop me a thousand bucks..

------
Cyranix
Is there any limit on the number of regular seats available? Trying to help my
boss decide how many devs to subsidize...

~~~
daeken
There is, yes -- 40 seats. Currently ~25 seats left.

~~~
thaumasiotes
Are there still seats left? I can select positive quantities on eventbee, but
I can't for the life of me get it to accept payment.

~~~
Cyranix
At 15:15 Pacific time, no regular seats seem to be remaining -- no quantity
other than zero can be selected, though not marked as Sold Out.

EDIT: A coworker is suggesting that Eventbee's payment system is down and not
letting him accept a newly-available ticket.

~~~
daeken
There are 7 seats currently reserved but unpaid. I think they'll clear out in
something like 15 minutes if they aren't paid within that window. Otherwise,
it's all sold out at this point.

Edit: Several tickets have opened up -- they're gonna go quick.

------
tszczarkowski
Is the "Early Bird" price sold out? The only available quantity in the menu is
'0'.

~~~
daeken
It looks like that's the case. I only see 8 sales (out of the 10 total) but I
believe that the tickets are being held pending payment. I'll update if I find
out otherwise.

Hope to see you in class!

------
fixxer
Awesome curriculum. Now if only the price was awesome...

------
patatino
signed up! definitely +EV ;)

------
m_ke
Student discount?

~~~
daeken
Given that this is the discounted price (for the first run), I'm not planning
a student discount for this iteration. Future runs may have one though.

