WORKSHOP

Hack Yourself First

by Troy Hunt

6 and 7 July 2017
Costs 1250 euro excl VAT
Ordina HQ, Nieuwegein

Ordina Software Development proudly presents the workshop Hack Yourself First at Ordina HQ on the 6th and 7th of July 2017.

Online attacks have become a reality of running software on the web today. We find ourselves under a constant barrage of malicious activity from hacktivists, online criminals and increasingly, nation states. Successful attacks from these adversaries are predominantly via flaws in the software products they target – flaws that could have been prevented by developers understanding how online attackers work and what the appropriate defensive measures are.


Workshop: Hack Yourself First


"Hack Yourself First" is all about building up defensive skills in software developers. It looks at security from the attacker's perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand. Workshop participants are set specific goals they must complete that involve probing for risks and then exploiting discrete vulnerabilities in a specially built vulnerable application. The interactive nature of the workshop means that multiple attack vectors are usually identified across the spectrum of participants, and each person contributes their own unique perspective on how specific risks are exploited.

The objective of the workshop is that each person walks away with demonstrated experience across a broad spectrum of specific risks. They not only learn about but also demonstrate practical experience across a range of different vulnerabilities targeted to the specific needs of the group.


Program day 1

The first day builds the fundamental security skills that all technology professionals delivering applications on the web should possess:

Start   Module (duration)
09:00   Introduction (30 mins)
09:30   Discovering risks via the browser (30 mins)
10:00   Using an HTTP proxy (30 mins)
10:30   Break (15 mins)
10:45   XSS (50 mins)
11:35   SQL injection part 1 (55 mins)
12:30   Lunch (1 hour)
13:30   Mobile APIs (60 mins)
14:30   CSRF (50 mins)
15:20   Break (15 mins)
15:35   Framework disclosure (30 mins)
16:05   Session hijacking (35 mins)
16:40   Wrap up (20 mins)
17:00   Close

Program day 2

The second day delves deeper into online risks, covering more advanced topics in greater depth:

Start   Module (duration)
09:00   Password cracking (50 mins)
09:50   Account enumeration (40 mins)
10:30   Break (15 mins)
10:45   FiddlerScript (50 mins)
11:35   HTTPS (55 mins)
12:30   Lunch (1 hour)
13:30   Content Security Policy (60 mins)
14:30   SQL injection part 2 (50 mins)
15:20   Break (15 mins)
15:35   Brute force attacks (30 mins)
16:05   Automating attacks and review (35 mins)
16:40   Wrap up (20 mins)
17:00   Close

What attendees learn

Obviously they'll be taught the mechanics of each of these risks and, of course, the defensive patterns required to defend against them. But more than that, they get exposed to how to think about security: how to apply it in depth via multiple defences, how to choose appropriate controls based on the specific risk of the feature, and how to have the discussion about what makes sense in different circumstances.

Above all though, security is just one factor in delivering working software and it has to be applied appropriately. Sometimes it comes with a trade-off against usability or cost, and decisions have to be made not just about what's most secure, but about what's in the overall best interests of the product being built. This workshop helps those who attend have the right discussions about when and where to invest in security.

Modules average out at about 45 to 50 minutes each and are divided approximately equally between the stages above. The workshop always adapts to the classroom; some organisations have a greater need to focus on a specific area of security or to drill deeper into one of the cycles, so the workshop responds accordingly and becomes tailored to the audience.


It's security, but it's for developers

Security training is frequently targeted at security professionals; it uses their language, their practices and their tools. My workshops are developer-centric and they focus on presenting security in a way that resonates with this audience. We primarily use tools developers are already familiar with such as the browser dev tools and HTTP proxies like Fiddler and Charles.

The training is platform agnostic; whether you're working in ASP.NET, PHP, Node or anything else sending angle brackets over HTTP, the workshop modules are equally relevant. Where an organisation specialises in the Microsoft stack we have the option to go deeper and look at discrete defences within technologies such as ASP.NET and SQL Server.

Frequently, attendees find serious risks in their own applications during the course of the workshop. Sometimes they find serious risks in other people's, which leads to first-hand exposure to the ethics of security. This workshop has resulted in disclosures such as the missing transport layer protection in the realestate.com.au app and, perhaps most notably, the complete lack of authorisation in Nissan's app controlling the LEAF electric vehicle. Serious security risks such as Nissan's are often only a couple of hours of training away from being discovered in many of today's online assets.


Registration:

Please fill in the form below to register for the workshop.


Date and time

Date: 6/7 July 2017
Time: 09:00 to 17:00

Location

Ordina HQ
Ordina Ringwade 1
3430LM Nieuwegein

Fees

€ 1250,- excl. VAT
Incl. lunch and drinks
Free parking


For questions, please contact Marieke Jacobs by email at hackyourself@OSDEvents.nl