Security workshop: Hack Yourself First

By rickvdbosch

- 3 minutes read - 560 words

My employer Betabit hosted a Hack Yourself First workshop by Troy Hunt on Monday 5th and Tuesday 6th of June. Because we are always looking to improve, this was a great opportunity to tune up our security skills. We had a great time, got terrified and most of all: we learned a lot.

First contact: a Twitter DM to Troy Hunt

First contact: a Twitter DM to Troy Hunt

You think you know security

We’ve seen a lot of different subjects during the workshop. Lots of them sounded familiar. Some of them even were acted upon already by some of the attendees. After two days of Troy showing us what’s actually out there the general feeling is there’s room for improvement :).

The build-up in the workshop was great: Troy first showed us how to hack sites manually. Because we have experience in software development it was relatively easy for the attendees. It gave us an overall idea of what we needed to do. Then the scary part came: the tools. There are so many hacking tools available that almost completely remove the need for software development experience. Those tools enable anyone with an interest or time on their hands to start hacking. All the more reason to see security as an important aspect of your system.

Adding security

When a project nears the end of its development, security is often seen as something that needs to be ‘added’. Needless to say: if you start thinking about such an important aspect at the end of the project life-cycle you’ll be late to the party. It needs to get attention from the start. Security is not something you add, it needs to be an integral part of the development process.

When a system has been designed from the ground up to be secure its called security by design. A secure design should distrust many things, especially user input. That can also mean you have to distrust what comes from within the system since this might be put there by a user too.

They shared everything real openly. Betabit wants to let everyone know what they are doing. I guess they like to stand up there and go ‘hey, we are taking this security-thing very seriously’. So that was really cool!
— Troy Hunt – Weekly update 38 (Trondheim edition)

Experience

We had two awesome days in this workshop. Troy is a great speaker who is easy to listen to and whose dynamic fit that of the group perfectly. He built up the workshop making stuff fall into place during those two days. I had the privilege to spend some more time with him at dinner and he’s also an all around nice guy. Oh, and he liked the custom made hoodies we made for the workshop 🙂

This workshop gave us some new insights and renewed focus on ones we already had. You could feel the energy in the group. The urge to start working on the stuff we worked with during the workshop. Some of us were already putting the things we learned in practice that same week. Others made sure it made it to the backlog. We’ve added a lot of (security) tools to our developer toolbox that we take with us when we go out and do our job. And that’s a good thing.

A big thank you to my employer Betabit for making this possible!