Hacker News new | past | comments | ask | show | jobs | submit login
Breaker 101: An intensive online web security course (daeken.com)
286 points by daeken on June 11, 2013 | hide | past | favorite | 112 comments

Can you create a landing page with an executive summary and pricing button? I cannot show my boss a blog post. Just hit the high points: 12 week course in web security, $1000, increased proficiency in x, y, z, ability to do a, b, c, protection from j, k, l, and security as a key to protecting data -- the core of the product -- the core of business.

Absolutely, good call!

Edit: Put up a simple launch page here: http://course.daeken.com/

Just for more feedback: extremely interested! I'm not able to do it right now, but please consider offering it again in the future. I'd also be interested in working through the material on my own with a limited support or a forum if that would help you with residual income from this :)

I worked with Cody for awhile at Matasano. He's as smart and enthusiastic a teacher as I think you'll find anywhere for this material.

Dan Boneh's crypto course is starting in 5 days on Coursera. Syllabus is not same as the OP's course but is very good and useful nonetheless.


If crypto is your thing, and you want to keep it practical, allow me to plug:


They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).

Let's say my experience with cryptography and web security can be summed up with 'using bcrypt' and 'using ssl.' Would I be able to learn from this or would I need to seek out something more basic first?

From the page tptacek linked to:


> None. That's the point.

You can learn from it, they explain how to go about solving them pretty well. I solved the first set in a few minutes and am trying to find time to do the second one, they are pretty fun.

Curious why there's a delta of level 4 & 5 under 6?

A FAQ. Those are the people currently at that level.

level 7 is hiring? :)

No, level 7 is coming out hopefully next week.

Respond to my email! :p

I don't have a spare $1000. Write an ebook after this and I will buy that.

You might try The Tangled Web. I've only read a few of the early chapters, but those at least seem good.


This book covers a lot of the material: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

We buy that book, along with _The Tangled Web_, for candidates to Matasano. We like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out loud, though).

The other book candidates here tend to get is _The Art Of Software Security Assessment_.

Seconding the recommendation for both of these books. They're both sitting on my desk here and they're both excellent. Tangled Web does a great job of explaining why browser and web app security is in the state that it's in, and each chapter includes a "cheat sheet" at the end of things a developer can do to further secure his web app. Web Application Hacker's Handbook contains exactly what's on the tin: a pretty thorough explanation of how to pull of many of the common exploits, along with the explanation for how/why they work.

While we're talking books and education... tptacek, could you share any resources that you are acquainted with, specifically on the topic of SSL/TLS? I feel a need to really ramp up my knowledge in this space, and would be glad to hear any recommendations you might have.

Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.

If you have some suggestions, they are much appreciated.

Same here.


For those commenting on the price, I'd point out that if you're a consultant or freelance developer you should be able to justify adjusting your rates enough after this to make the $1500 back in a month or so, and if you're a salaried employee with a smart employer, you should be able to negotiate a reasonable raise or get your employer to cover the cost for you.

I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.

I think your price is reasonable for people that will get a good return from this, and not for people that won't.

I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.

If you have no way of recouping the cost of the class, the class isn't targeted at you. The most common pricing fallacy on HN (perhaps after cost-plus pricing) is the idea that every product must be targeted at all people to make sense.

So a person that simply want to learn something for the sake of knowledge is not the target of a teacher?

Not the target of a teacher that is asking for this price. There are plenty of teachers out there that can, presumably, teach the same material just as well for probably less cost to the student, however it's not the OP's job to find those alternative sources for you.

Consider that for that price, the teacher offers his time to help students.

If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.

While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.

Counterpoint: completing the course might make you a better candidate for the kind of employer that values their employees enough to pay for training like this. ;-)

Oh I'm not complaining. 2 of my colleagues just went on security training, so I think we have enough 'security experts' right now. I'd be more likely to get an android course.

Hum, I already know most of this stuff. Maybe I should raise my rates.

Well ... know it, or done it?

I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.

But I've never done it.

That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.

If you haven't actually practiced any of the stuff in the course, it would still be valuable.

What do you mean by "it"? Implement the attacks? No, I haven't, but I don't need to know how to implement the attacks, only the countermeasures. If you mean implement them in apps, then yes, my code had a code review from a security company last week and the most severe item was a password reset form that had autocomplete turned on still.


Do you mean that I should, or are you asking me why I am uncertain? If it's the former, you don't know my rates, maybe they're already too high (they're not) :p

If it's the latter, I have no answer.

I mean you should.

I'd like to raise my rates too. I'm not an expert at security by any stretch but I don't completely fail at it like ~70% of the code I inherit.

But it is difficult to figure out how to sell that. Most clients don't seem give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy.

This is IMO one of the strong benefits of daeken's course: he's formalized it to the extent that you should be able to turn it into a selling point if you wish to do so.

Yeah, that's the prevailing viewpoint. I will raise them by quite a bit, thanks.

I just want to echo the sentiment that Cody is a great person to be offering this.

I had the experience of being interviewed by him a while back, and he made what could easily have been a very intimidating (especially as it was a long interview in a series of long interviews) technical interview both immensely enjoyable (by the end it felt like being part of an exciting conversation), and actually went out of his way to explain a bunch of stuff to me.

I wish there were more things like this.

Did you get the job? (for the sake of full disclosure)

I did not; which I actually think is even more of a testament to how positive the experience (and interviewing with Cody in particular) was.

Definitely. If you had been a former or current employee I was going to say that colors your recommendation a bit.

Would you consider doing a reduced price for people who just want access to the videos after the session and logs of irc. This way you won't have to grade their homework, answer their questions, nor give them a certificate. I'd love to learn all that stuff at my own pace, but I don't have 1k to spend on it. On the flip side I don't expect you to do work for free.

It's something I may consider for future runs, but I'm not planning that for the first iteration. I think the real value in this is being able to work through this material and have hands-on instruction when you need it, much as if you were being trained inside a security consultancy.

I signed up. If for $1,000 you can help me learn how to better secure the web applications I'm building for a living, it will be well worth the cost and time investment. See you in class :-)

There's always value in a guided course, but everything on the outline can be found free online. Unless you need the structure, I'd save your money and use open learning materials.

There is an enormous difference between reading about software security and actually trying to practice it.

But there's plenty of "practice targets" out there ;)

Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.

I'd suggest that if you know where these subjects can be found online, and since there are many who state that they don't have $1000, that you should post the links here. Those of us that wish to take the course by Cody will still do so.

vulnhub.com for vulnerable distributions. They have some distributions setup with WebApps designed for you to practice and learn various attack from.(I.e WebGOAT)

OWASP(Open Web Application Security Project)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

OWASP Testing Methodology manual: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...

OWASP Developer Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project

PTES(Penetration Testing Execution Standard): http://www.pentest-standard.org/index.php/Main_Page

CTFs: overthewire.org

Self-Promo: rmusser.net/infosec site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.


These guys are right about OWASP - great resource. A great high value tutorial for password storage can be found here: http://crackstation.net/hashing-security.htm

Beyond that, it's all very searchable.

It appears to have sold out.

Is there an equivalent to sitting in the back of the lecture hall / access to an online forum of similar folks following along?

I ask because as a developer I make stuff but rarely know which mistakes I am making in the break stuff department.

And of course how do I book the next run?

It's not quite sold out, but EventBee seems to be having some issues on the last few tickets for some reason. If you can't get in, refresh until the dropdown actually has tickets and you should be good to go. Sorry for the annoyance!

Got to say I'm also somewhat underwhelmed by the EventBee experience. No 'sold out' notice, but the only currently available quantity is consistently zero.

Yeah, bit disappointing. What's actually happening is that the tickets are reserved, but I have no way of releasing them or any of that. There are still 6 tickets here -- if anyone wants one, shoot me an email. First come, first serve.

Definitely switching to my own little service for this next run.

Edit: The remaining tickets are now all taken. Thank you all so very much, and see you in class!

Seems sold out now. Hopefully you will run this again, or setup some sort of waiting list.... :)

for me, the dropdown has tickets but trying to buy one gives an error message saying the available quantity is 0. This is especially frustrating given that I spent a good amount of time trying to buy a ticket while they were still in stock.

edit: and failing, naturally :(

I was incredibly skeptical of this until I looked at your bio. This looks pretty awesome.

I'm curious how much value there is in knowing the infrastructure side of security as well as appsec, vs. being a really good developer and knowing appsec. The overall quality of appsec expertise seems highest from people with stronger dev backgrounds, at least from the ones I've met, in practice. Infrastructure and appsec (and compliance/policy, and theoretical math/cs/cryptology) seem like quite different worlds.

Is the certificate that you get for completing the course an actual acknowledged certificate in the infosec industry?

No, it's not -- this is a brand new course. However, I personally will put my weight behind anyone who completes this course successfully, as it will put them in a prime position for many positions; I have no doubt that they will be perfect for those jobs.

I'm a software security hiring manager and will confirm that going through a course like this would get our attention.

Just to follow up on this, I'm a little confused by your response. You say you would pay attention to a course "like this" but in other replies say that you pay no attention to certificated courses that are... like this.

So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.

What about the SANS SEC542 + GWAPT certification? It looks like Cody's course covers a couple areas that don't fall under the SANS one, but the high-level overview appears to be pretty similar.

Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?

We pay absolutely zero attention to certifications. I literally don't know what's in the SANS program.

Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.

If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.

I'm pretty familiar with the attitude among hiring managers that certifications generally don't signal anything useful; my boss and I also hold that position (I hold an MCTS that I was forced to get so my employer could get a better partnership status with Microsoft). So I'm curious why holding Cody's certificate might actually mean something where a more established cert would not.

Cody isn't offering a certification. But I know Cody and I know people that take his class are going to be working directly with him.

Okay cool. What would it mean for someone to fail the course and would there be any way to retake the course (possibly for a reduced price)?

Failing the course would entail not doing scoring well on exams (read: not finding good bugs). You can retake the course in following runs, but I don't have a discount planned at this point. If you keep up with the course work and ask questions if/when you get into the weeds, everyone should be able to keep up with this, even as intensive as it is.

I'm going to see if I can get the business to pay for this, would love to take this course.

Got super excited until I saw the 1k price tag.

For those of us not in the US, I wish you had opened this up at a different time of day. I would have loved to join but this went up and sold out while I was asleep. Best of luck and please contact me if a spot opens up.

I missed this opportunity, and have followed you on twitter with the hope of not missing the next one. I'd feel better if you had a mailing list to announce the next one though; much more reliable than twitter!

I'm really trying to sign up for this course. Every time I try to pay for a ticket, Paypal tells me they're experiencing difficulties and I need to try again later. Is there a way I can sign up?

well, having let some time pass, I now fill out the payment information and click "review and continue", and a thinking animation displays, and then the exact same info panel slides out from the left, with all the stuff I typed in still in. I can click "review and continue" any number of times to no avail. How do I actually complete the transaction?

That's really quite odd -- I wonder what's going on. Have you tried another browser? I'm still seeing payments coming in, so everything should be fine.

yes, this occurs in firefox and safari.

Sorry to hear you're having so many troubles. Is this happening on the Paypal side or the EventBee side? Also, if you email me at cody.brocious@gmail.com we can discuss other possibilities for payment or troubleshooting.

As far as I can tell, the problem was with the paypal side. I emailed you (once before posting this original complaint, and once recently); I'd be happy to discuss other possibilities. Eventbee seems to have difficulty deciding whether there are 5 or 0 tickets left, but it's definitely not even letting me attempt to purchase one anymore.

Is this for someone who finished the Stripe ctf last year? I think it is pretty much covered all the stuff what is offered in this course. By the way, in Hungary $1500 is about two months of payment, if you are a simple dev (in most places), so I don't know if it is really worth it, if you don't want to move to another country to work later. So I guess this is not for everyone.

As essential as this is for me, $1000 is a lot of money for an Indian freelancer. Seconding the request for a PDF download.

Before the Breaker 101 course starts, I invite you to take a quick (15 questions) quiz about web application security practices and quirks: http://timoh6.github.io/WebAppSecQuiz/index.html

Well shit, if only I had a $1,000 to drop on this this is definitely an area I'd like to be stronger in.

This seems like an awesome idea.

Unfortunately, or fortunately?, not sure... most of my application security understanding comes from this question on stackoverflow:


Signed up! This'll be more useful than what I'm learning in university right now.

What if the time you stream doesn't suit me? Can I get access to the recorded session?

Yes, absolutely. Recorded stream as well as logs of the IRC channel. Missing the live stream isn't a big deal if you keep on top of the course work and ask questions. Participating in the forums will also help you keep on top of things.

I really do hope that you package this as a video series. Then sell it to people/teams who are not able to attend a live class. I'd gladly pay the price of the live class for the video series.

Course content looks awesome. No way in hell I can afford it though. :(

Wow, looks like it might be sold out. When I selected the early bird package( $1000) it wouldn't let me enroll for the course anymore.

Congratulations if you are indeed sold out.

Looks like the early bird package is indeed sold out, though two tickets are currently pending payment, so someone might just be sitting on them. I'll update if I find otherwise.

If successful, do you plan to continue holding this course? If yes, how many times a year?

I, and may be some other folks, can not do this now, but would love to some time later.

I'm hoping to do this 2-3 times a year, if I can get enough interest and nail down the material. Mind you, the price will be going up past this "beta" run.


If you follow me on twitter (@daeken) or subscribe to the RSS feed on my blog, you'll get updates as they come out. If this all goes well, there will likely be another run starting in Q1 2014.

Will the videos be recorded and published? I am currently employed full-time and I will find it very difficult to be online for a live video...

The videos will be recorded and made available to students. If you can't make the classes, you can always watch them after the fact. So long as you keep up with the course work, you should be just fine.

Now if anyone would kindly drop me a thousand bucks..

Is there any limit on the number of regular seats available? Trying to help my boss decide how many devs to subsidize...

There is, yes -- 40 seats. Currently ~25 seats left.

Are there still seats left? I can select positive quantities on eventbee, but I can't for the life of me get it to accept payment.

At 15:15 Pacific time, no regular seats seem to be remaining -- no quantity other than zero can be selected, though not marked as Sold Out.

EDIT: A coworker is suggesting that Eventbee's payment system is down and not letting him accept a newly-available ticket.

There are 7 seats currently reserved but unpaid. I think they'll clear out in something like 15 minutes if they aren't paid within that window. Otherwise, it's all sold out at this point.

Edit: Several tickets have opened up -- they're gonna go quick.

Is the "Early Bird" price sold out? The only available quantity in the menu is '0'.

It looks like that's the case. I only see 8 sales (out of the 10 total) but I believe that the tickets are being held pending payment. I'll update if I find out otherwise.

Hope to see you in class!

Awesome curriculum. Now if only the price was awesome...

signed up! definitely +EV ;)

Student discount?

Given that this is the discounted price (for the first run), I'm not planning a student discount for this iteration. Future runs may have one though.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact