117 comments

[ 4.8 ms ] story [ 183 ms ] thread
Can you create a landing page with an executive summary and pricing button? I cannot show my boss a blog post. Just hit the high points: 12 week course in web security, $1000, increased proficiency in x, y, z, ability to do a, b, c, protection from j, k, l, and security as a key to protecting data -- the core of the product -- the core of business.
Absolutely, good call!

Edit: Put up a simple launch page here: http://course.daeken.com/

Just for more feedback: extremely interested! I'm not able to do it right now, but please consider offering it again in the future. I'd also be interested in working through the material on my own with a limited support or a forum if that would help you with residual income from this :)
I was incredibly skeptical of this until I looked at your bio. This looks pretty awesome.
I signed up. If for $1,000 you can help me learn how to better secure the web applications I'm building for a living, it will be well worth the cost and time investment. See you in class :-)
I don't have a spare $1000. Write an ebook after this and I will buy that.
Same here.
We buy that book, along with _The Tangled Web_, for candidates to Matasano. We like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out loud, though).

The other book candidates here tend to get is _The Art Of Software Security Assessment_.

Seconding the recommendation for both of these books. They're both sitting on my desk here and they're both excellent. Tangled Web does a great job of explaining why browser and web app security is in the state that it's in, and each chapter includes a "cheat sheet" at the end of things a developer can do to further secure his web app. Web Application Hacker's Handbook contains exactly what's on the tin: a pretty thorough explanation of how to pull of many of the common exploits, along with the explanation for how/why they work.
While we're talking books and education... tptacek, could you share any resources that you are acquainted with, specifically on the topic of SSL/TLS? I feel a need to really ramp up my knowledge in this space, and would be glad to hear any recommendations you might have.

Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.

If you have some suggestions, they are much appreciated.

Course content looks awesome. No way in hell I can afford it though. :(
There's always value in a guided course, but everything on the outline can be found free online. Unless you need the structure, I'd save your money and use open learning materials.
I'd suggest that if you know where these subjects can be found online, and since there are many who state that they don't have $1000, that you should post the links here. Those of us that wish to take the course by Cody will still do so.
vulnhub.com for vulnerable distributions. They have some distributions setup with WebApps designed for you to practice and learn various attack from.(I.e WebGOAT)

OWASP(Open Web Application Security Project)

OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...

OWASP Testing Methodology manual: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...

OWASP Developer Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project

PTES(Penetration Testing Execution Standard): http://www.pentest-standard.org/index.php/Main_Page

CTFs: overthewire.org

Self-Promo: rmusser.net/infosec site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.

  https://www.owasp.org/index.php/OWASP_Appsec_Tutorial_Series
  http://www.lulu.com/spotlight/owasp
  https://www.owasp.org/index.php/Category:OWASP_Testing_Project
  https://www.owasp.org/index.php/Category:OWASP_LiveCD_Education_Project
There is an enormous difference between reading about software security and actually trying to practice it.
But there's plenty of "practice targets" out there ;)

Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.

I'm going to see if I can get the business to pay for this, would love to take this course.
Well shit, if only I had a $1,000 to drop on this this is definitely an area I'd like to be stronger in.
What if the time you stream doesn't suit me? Can I get access to the recorded session?
Yes, absolutely. Recorded stream as well as logs of the IRC channel. Missing the live stream isn't a big deal if you keep on top of the course work and ask questions. Participating in the forums will also help you keep on top of things.
(comment deleted)
I worked with Cody for awhile at Matasano. He's as smart and enthusiastic a teacher as I think you'll find anywhere for this material.
Got super excited until I saw the 1k price tag.
signed up! definitely +EV ;)
Is the certificate that you get for completing the course an actual acknowledged certificate in the infosec industry?
No, it's not -- this is a brand new course. However, I personally will put my weight behind anyone who completes this course successfully, as it will put them in a prime position for many positions; I have no doubt that they will be perfect for those jobs.
I'm a software security hiring manager and will confirm that going through a course like this would get our attention.
What about the SANS SEC542 + GWAPT certification? It looks like Cody's course covers a couple areas that don't fall under the SANS one, but the high-level overview appears to be pretty similar.

Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?

We pay absolutely zero attention to certifications. I literally don't know what's in the SANS program.

Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.

If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.

I'm pretty familiar with the attitude among hiring managers that certifications generally don't signal anything useful; my boss and I also hold that position (I hold an MCTS that I was forced to get so my employer could get a better partnership status with Microsoft). So I'm curious why holding Cody's certificate might actually mean something where a more established cert would not.
Cody isn't offering a certification. But I know Cody and I know people that take his class are going to be working directly with him.
Just to follow up on this, I'm a little confused by your response. You say you would pay attention to a course "like this" but in other replies say that you pay no attention to certificated courses that are... like this.

So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.

Okay cool. What would it mean for someone to fail the course and would there be any way to retake the course (possibly for a reduced price)?
Failing the course would entail not doing scoring well on exams (read: not finding good bugs). You can retake the course in following runs, but I don't have a discount planned at this point. If you keep up with the course work and ask questions if/when you get into the weeds, everyone should be able to keep up with this, even as intensive as it is.
(comment deleted)
Would you consider doing a reduced price for people who just want access to the videos after the session and logs of irc. This way you won't have to grade their homework, answer their questions, nor give them a certificate. I'd love to learn all that stuff at my own pace, but I don't have 1k to spend on it. On the flip side I don't expect you to do work for free.
It's something I may consider for future runs, but I'm not planning that for the first iteration. I think the real value in this is being able to work through this material and have hands-on instruction when you need it, much as if you were being trained inside a security consultancy.
Now if anyone would kindly drop me a thousand bucks..
For those commenting on the price, I'd point out that if you're a consultant or freelance developer you should be able to justify adjusting your rates enough after this to make the $1500 back in a month or so, and if you're a salaried employee with a smart employer, you should be able to negotiate a reasonable raise or get your employer to cover the cost for you.

I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.

I think your price is reasonable for people that will get a good return from this, and not for people that won't.

I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.

If you have no way of recouping the cost of the class, the class isn't targeted at you. The most common pricing fallacy on HN (perhaps after cost-plus pricing) is the idea that every product must be targeted at all people to make sense.
So a person that simply want to learn something for the sake of knowledge is not the target of a teacher?
Not the target of a teacher that is asking for this price. There are plenty of teachers out there that can, presumably, teach the same material just as well for probably less cost to the student, however it's not the OP's job to find those alternative sources for you.
Consider that for that price, the teacher offers his time to help students.

If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.

While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.

Counterpoint: completing the course might make you a better candidate for the kind of employer that values their employees enough to pay for training like this. ;-)
Oh I'm not complaining. 2 of my colleagues just went on security training, so I think we have enough 'security experts' right now. I'd be more likely to get an android course.
Hum, I already know most of this stuff. Maybe I should raise my rates.
Maybe?
Do you mean that I should, or are you asking me why I am uncertain? If it's the former, you don't know my rates, maybe they're already too high (they're not) :p

If it's the latter, I have no answer.

I mean you should.
Yeah, that's the prevailing viewpoint. I will raise them by quite a bit, thanks.
I'd like to raise my rates too. I'm not an expert at security by any stretch but I don't completely fail at it like ~70% of the code I inherit.

But it is difficult to figure out how to sell that. Most clients don't seem give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy.

This is IMO one of the strong benefits of daeken's course: he's formalized it to the extent that you should be able to turn it into a selling point if you wish to do so.
Well ... know it, or done it?

I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.

But I've never done it.

That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.

If you haven't actually practiced any of the stuff in the course, it would still be valuable.

What do you mean by "it"? Implement the attacks? No, I haven't, but I don't need to know how to implement the attacks, only the countermeasures. If you mean implement them in apps, then yes, my code had a code review from a security company last week and the most severe item was a password reset form that had autocomplete turned on still.
If successful, do you plan to continue holding this course? If yes, how many times a year?

I, and may be some other folks, can not do this now, but would love to some time later.

I'm hoping to do this 2-3 times a year, if I can get enough interest and nail down the material. Mind you, the price will be going up past this "beta" run.
(comment deleted)
If you follow me on twitter (@daeken) or subscribe to the RSS feed on my blog, you'll get updates as they come out. If this all goes well, there will likely be another run starting in Q1 2014.
Is the "Early Bird" price sold out? The only available quantity in the menu is '0'.
It looks like that's the case. I only see 8 sales (out of the 10 total) but I believe that the tickets are being held pending payment. I'll update if I find out otherwise.

Hope to see you in class!

Wow, looks like it might be sold out. When I selected the early bird package( $1000) it wouldn't let me enroll for the course anymore.

Congratulations if you are indeed sold out.

Looks like the early bird package is indeed sold out, though two tickets are currently pending payment, so someone might just be sitting on them. I'll update if I find otherwise.
Student discount?
Given that this is the discounted price (for the first run), I'm not planning a student discount for this iteration. Future runs may have one though.
Dan Boneh's crypto course is starting in 5 days on Coursera. Syllabus is not same as the OP's course but is very good and useful nonetheless.

https://www.coursera.org/course/crypto

If crypto is your thing, and you want to keep it practical, allow me to plug:

http://www.matasano.com/articles/crypto-challenges/

They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).

Curious why there's a delta of level 4 & 5 under 6?
A FAQ. Those are the people currently at that level.
level 7 is hiring? :)
No, level 7 is coming out hopefully next week.
Let's say my experience with cryptography and web security can be summed up with 'using bcrypt' and 'using ssl.' Would I be able to learn from this or would I need to seek out something more basic first?
You can learn from it, they explain how to go about solving them pretty well. I solved the first set in a few minutes and am trying to find time to do the second one, they are pretty fun.
From the page tptacek linked to:

> HOW MUCH CRYPTO DO I NEED TO KNOW?

> None. That's the point.

Respond to my email! :p