Edit: Put up a simple launch page here: http://course.daeken.com/
They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).
> HOW MUCH CRYPTO DO I NEED TO KNOW?
> None. That's the point.
The other book that candidates here tend to get is _The Art Of Software Security Assessment_.
Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.
If you have some suggestions, they are much appreciated.
I might start with this post:
I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.
I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.
If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.
While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.
I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.
But I've never done it.
That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.
If you haven't actually practiced any of the stuff in the course, it would still be valuable.
If it's the latter, I have no answer.
But it is difficult to figure out how to sell that. Most clients don't seem to give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy's.
I had the experience of being interviewed by him a while back, and he made what could easily have been a very intimidating (especially as it was a long interview in a series of long interviews) technical interview both immensely enjoyable (by the end it felt like being part of an exciting conversation), and actually went out of his way to explain a bunch of stuff to me.
I wish there were more things like this.
Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.
OWASP (Open Web Application Security Project)
OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...
OWASP Testing Methodology manual: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...
OWASP Developer Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project
PTES (Penetration Testing Execution Standard): http://www.pentest-standard.org/index.php/Main_Page
Self-Promo: rmusser.net/infosec site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.
Beyond that, it's all very searchable.
Is there an equivalent to sitting in the back of the lecture hall / access to an online forum of similar folks following along?
I ask because as a developer I make stuff but rarely know which mistakes I am making in the break stuff department.
And of course how do I book the next run?
Definitely switching to my own little service for this next run.
Edit: The remaining tickets are now all taken. Thank you all so very much, and see you in class!
edit: and failing, naturally :(
So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.
Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?
Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.
If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.
Unfortunately, or fortunately?, not sure... most of my application security understanding comes from this question on stackoverflow:
Congratulations if you are indeed sold out.
I, and maybe some other folks, cannot do this now, but would love to some time later.
EDIT: A coworker is suggesting that Eventbee's payment system is down and not letting him accept a newly-available ticket.
Edit: Several tickets have opened up -- they're gonna go quick.
Hope to see you in class!