Can you create a landing page with an executive summary and pricing button? I cannot show my boss a blog post. Just hit the high points: 12 week course in web security, $1000, increased proficiency in x, y, z, ability to do a, b, c, protection from j, k, l, and security as a key to protecting data -- the core of the product -- the core of business.
Just for more feedback: extremely interested! I'm not able to do it right now, but please consider offering it again in the future. I'd also be interested in working through the material on my own with a limited support or a forum if that would help you with residual income from this :)
I signed up. If for $1,000 you can help me learn how to better secure the web applications I'm building for a living, it will be well worth the cost and time investment. See you in class :-)
We buy that book, along with _The Tangled Web_, for candidates to Matasano. We like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out loud, though).
The other book candidates here tend to get is _The Art Of Software Security Assessment_.
Seconding the recommendation for both of these books. They're both sitting on my desk here and they're both excellent. Tangled Web does a great job of explaining why browser and web app security is in the state that it's in, and each chapter includes a "cheat sheet" at the end of things a developer can do to further secure his web app. Web Application Hacker's Handbook contains exactly what's on the tin: a pretty thorough explanation of how to pull of many of the common exploits, along with the explanation for how/why they work.
While we're talking books and education... tptacek, could you share any resources that you are acquainted with, specifically on the topic of SSL/TLS? I feel a need to really ramp up my knowledge in this space, and would be glad to hear any recommendations you might have.
Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.
If you have some suggestions, they are much appreciated.
There's always value in a guided course, but everything on the outline can be found free online. Unless you need the structure, I'd save your money and use open learning materials.
I'd suggest that if you know where these subjects can be found online, and since there are many who state that they don't have $1000, that you should post the links here. Those of us that wish to take the course by Cody will still do so.
vulnhub.com for vulnerable distributions. They have some distributions setup with WebApps designed for you to practice and learn various attack from.(I.e WebGOAT)
Self-Promo: rmusser.net/infosec site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.
But there's plenty of "practice targets" out there ;)
Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.
Yes, absolutely. Recorded stream as well as logs of the IRC channel. Missing the live stream isn't a big deal if you keep on top of the course work and ask questions. Participating in the forums will also help you keep on top of things.
No, it's not -- this is a brand new course. However, I personally will put my weight behind anyone who completes this course successfully, as it will put them in a prime position for many positions; I have no doubt that they will be perfect for those jobs.
What about the SANS SEC542 + GWAPT certification? It looks like Cody's course covers a couple areas that don't fall under the SANS one, but the high-level overview appears to be pretty similar.
Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?
We pay absolutely zero attention to certifications. I literally don't know what's in the SANS program.
Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.
If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.
I'm pretty familiar with the attitude among hiring managers that certifications generally don't signal anything useful; my boss and I also hold that position (I hold an MCTS that I was forced to get so my employer could get a better partnership status with Microsoft). So I'm curious why holding Cody's certificate might actually mean something where a more established cert would not.
Just to follow up on this, I'm a little confused by your response. You say you would pay attention to a course "like this" but in other replies say that you pay no attention to certificated courses that are... like this.
So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.
Failing the course would entail not doing scoring well on exams (read: not finding good bugs). You can retake the course in following runs, but I don't have a discount planned at this point. If you keep up with the course work and ask questions if/when you get into the weeds, everyone should be able to keep up with this, even as intensive as it is.
Would you consider doing a reduced price for people who just want access to the videos after the session and logs of irc. This way you won't have to grade their homework, answer their questions, nor give them a certificate. I'd love to learn all that stuff at my own pace, but I don't have 1k to spend on it. On the flip side I don't expect you to do work for free.
It's something I may consider for future runs, but I'm not planning that for the first iteration. I think the real value in this is being able to work through this material and have hands-on instruction when you need it, much as if you were being trained inside a security consultancy.
For those commenting on the price, I'd point out that if you're a consultant or freelance developer you should be able to justify adjusting your rates enough after this to make the $1500 back in a month or so, and if you're a salaried employee with a smart employer, you should be able to negotiate a reasonable raise or get your employer to cover the cost for you.
I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.
I think your price is reasonable for people that will get a good return from this, and not for people that won't.
I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.
If you have no way of recouping the cost of the class, the class isn't targeted at you. The most common pricing fallacy on HN (perhaps after cost-plus pricing) is the idea that every product must be targeted at all people to make sense.
Not the target of a teacher that is asking for this price. There are plenty of teachers out there that can, presumably, teach the same material just as well for probably less cost to the student, however it's not the OP's job to find those alternative sources for you.
Consider that for that price, the teacher offers his time to help students.
If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.
While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.
Counterpoint: completing the course might make you a better candidate for the kind of employer that values their employees enough to pay for training like this. ;-)
Oh I'm not complaining. 2 of my colleagues just went on security training, so I think we have enough 'security experts' right now. I'd be more likely to get an android course.
Do you mean that I should, or are you asking me why I am uncertain? If it's the former, you don't know my rates, maybe they're already too high (they're not) :p
I'd like to raise my rates too. I'm not an expert at security by any stretch but I don't completely fail at it like ~70% of the code I inherit.
But it is difficult to figure out how to sell that. Most clients don't seem give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy.
This is IMO one of the strong benefits of daeken's course: he's formalized it to the extent that you should be able to turn it into a selling point if you wish to do so.
I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.
But I've never done it.
That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.
If you haven't actually practiced any of the stuff in the course, it would still be valuable.
What do you mean by "it"? Implement the attacks? No, I haven't, but I don't need to know how to implement the attacks, only the countermeasures. If you mean implement them in apps, then yes, my code had a code review from a security company last week and the most severe item was a password reset form that had autocomplete turned on still.
I'm hoping to do this 2-3 times a year, if I can get enough interest and nail down the material. Mind you, the price will be going up past this "beta" run.
If you follow me on twitter (@daeken) or subscribe to the RSS feed on my blog, you'll get updates as they come out. If this all goes well, there will likely be another run starting in Q1 2014.
It looks like that's the case. I only see 8 sales (out of the 10 total) but I believe that the tickets are being held pending payment. I'll update if I find out otherwise.
Looks like the early bird package is indeed sold out, though two tickets are currently pending payment, so someone might just be sitting on them. I'll update if I find otherwise.
They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).
Let's say my experience with cryptography and web security can be summed up with 'using bcrypt' and 'using ssl.' Would I be able to learn from this or would I need to seek out something more basic first?
You can learn from it, they explain how to go about solving them pretty well. I solved the first set in a few minutes and am trying to find time to do the second one, they are pretty fun.
117 comments
[ 4.8 ms ] story [ 183 ms ] threadEdit: Put up a simple launch page here: http://course.daeken.com/
The other book candidates here tend to get is _The Art Of Software Security Assessment_.
Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.
If you have some suggestions, they are much appreciated.
http://www.imperialviolet.org/
I might start with this post:
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...
http://nostarch.com/tangledweb
OWASP(Open Web Application Security Project)
OWASP Top Ten: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...
OWASP Testing Methodology manual: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table...
OWASP Developer Guide: https://www.owasp.org/index.php/Category:OWASP_Guide_Project
PTES(Penetration Testing Execution Standard): http://www.pentest-standard.org/index.php/Main_Page
CTFs: overthewire.org
Self-Promo: rmusser.net/infosec site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.
Beyond that, it's all very searchable.
Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.
Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?
Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.
If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.
So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.
http://web-for-pentester.pentesterlab.com/introduction/
I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.
I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.
If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.
While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.
If it's the latter, I have no answer.
But it is difficult to figure out how to sell that. Most clients don't seem give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy.
I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.
But I've never done it.
That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.
If you haven't actually practiced any of the stuff in the course, it would still be valuable.
I, and may be some other folks, can not do this now, but would love to some time later.
Unfortunately, or fortunately?, not sure... most of my application security understanding comes from this question on stackoverflow:
http://stackoverflow.com/q/72394/25981
Hope to see you in class!
Congratulations if you are indeed sold out.
https://www.coursera.org/course/crypto
http://www.matasano.com/articles/crypto-challenges/
They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).
> HOW MUCH CRYPTO DO I NEED TO KNOW?
> None. That's the point.