Can you create a landing page with an executive summary and pricing button? I cannot show my boss a blog post. Just hit the high points: 12 week course in web security, $1000, increased proficiency in x, y, z, ability to do a, b, c, protection from j, k, l, and security as a key to protecting data -- the core of the product -- the core of business.
Just for more feedback: extremely interested! I'm not able to do it right now, but please consider offering it again in the future. I'd also be interested in working through the material on my own with a limited support or a forum if that would help you with residual income from this :)
They're free, they involve writing actual code to break actual crypto constructions, and they seem to be pretty popular; our standings right now: level 0 (6687), level 1 (490), level 2 (156), level 3 (50), level 4 (36), level 5 (29), level 6 (37).
Let's say my experience with cryptography and web security can be summed up with 'using bcrypt' and 'using ssl.' Would I be able to learn from this or would I need to seek out something more basic first?
You can learn from it, they explain how to go about solving them pretty well. I solved the first set in a few minutes and am trying to find time to do the second one, they are pretty fun.
We buy that book, along with _The Tangled Web_, for candidates to Matasano. We like both books a lot (I wish WAHH had a title I wasn't embarrassed to say out loud, though).
The other book candidates here tend to get is _The Art Of Software Security Assessment_.
Seconding the recommendation for both of these books. They're both sitting on my desk here and they're both excellent. Tangled Web does a great job of explaining why browser and web app security is in the state that it's in, and each chapter includes a "cheat sheet" at the end of things a developer can do to further secure his web app. Web Application Hacker's Handbook contains exactly what's on the tin: a pretty thorough explanation of how to pull off many of the common exploits, along with the explanation for how/why they work.
While we're talking books and education... tptacek, could you share any resources that you are acquainted with, specifically on the topic of SSL/TLS? I feel a need to really ramp up my knowledge in this space, and would be glad to hear any recommendations you might have.
Note that I'm looking at this from a deployment / administration POV, not programming. I don't want to implement TLS from scratch, just understand the various issues and implications involved in rolling out TLS.
If you have some suggestions, they are much appreciated.
For those commenting on the price, I'd point out that if you're a consultant or freelance developer you should be able to justify adjusting your rates enough after this to make the $1500 back in a month or so, and if you're a salaried employee with a smart employer, you should be able to negotiate a reasonable raise or get your employer to cover the cost for you.
I operate on a shoestring budget, I'm just about the most price-sensitive guy on here, and I'm still going to do my best to scrape together the money for this.
I think your price is reasonable for people that will get a good return from this, and not for people that won't.
I'm not going to get a raise from doing the course, and my employer is not going to pay out for it, so I'd like it to be $500. People who are going to make the money back will pay more. If you fill the seats, the price is right.
If you have no way of recouping the cost of the class, the class isn't targeted at you. The most common pricing fallacy on HN (perhaps after cost-plus pricing) is the idea that every product must be targeted at all people to make sense.
Not the target of a teacher that is asking for this price. There are plenty of teachers out there that can, presumably, teach the same material just as well for probably less cost to the student, however it's not the OP's job to find those alternative sources for you.
Consider that for that price, the teacher offers his time to help students.
If the price was lower, it's likely he'd have more students; perhaps a lot more. The more students he has to deal with, the less time the teacher will have to help each one of them. On one side you've got private tutoring, where a teacher can work 100% of his time with one student, and at the other end are free MOOCs with tens of thousands of students, where the students are peer-graded and are unlikely to ever interact directly with the teacher.
While MOOCs are great for what they cost, it's pretty obviously not the same quality of education as private tutoring, or by directly interacting with a teacher. So for this class, the teacher decided the minimal level of interaction he thinks is necessary to make a high quality web security course, and decided the price so that he gets an amount of highly motivated students that he can manage with the time he has.
Counterpoint: completing the course might make you a better candidate for the kind of employer that values their employees enough to pay for training like this. ;-)
Oh I'm not complaining. 2 of my colleagues just went on security training, so I think we have enough 'security experts' right now. I'd be more likely to get an android course.
I know of most of the items listed in the syllabus. I know the basic mitigation strategies. I know the principles behind most of it.
But I've never done it.
That's what's worth the money, to me: I'll be forced to sit down and dedicate some time to actually doing it, with guidance from a professional. I could easily spend more time figuring it all out on my own -- and even at my meager rates, that would add up quickly cost-wise -- and I still might end up missing something, because it's likely that there are gaps in my knowledge that I'm unaware of.
If you haven't actually practiced any of the stuff in the course, it would still be valuable.
What do you mean by "it"? Implement the attacks? No, I haven't, but I don't need to know how to implement the attacks, only the countermeasures. If you mean implement them in apps, then yes, my code had a code review from a security company last week and the most severe item was a password reset form that had autocomplete turned on still.
Do you mean that I should, or are you asking me why I am uncertain? If it's the former, you don't know my rates, maybe they're already too high (they're not) :p
I'd like to raise my rates too. I'm not an expert at security by any stretch but I don't completely fail at it like ~70% of the code I inherit.
But it is difficult to figure out how to sell that. Most clients don't seem to give a shit about security until they've actually lost money due to it. It's also hard to prove that my code will be any more secure than the next guy's.
This is IMO one of the strong benefits of daeken's course: he's formalized it to the extent that you should be able to turn it into a selling point if you wish to do so.
I just want to echo the sentiment that Cody is a great person to be offering this.
I had the experience of being interviewed by him a while back, and he made what could easily have been a very intimidating (especially as it was a long interview in a series of long interviews) technical interview both immensely enjoyable (by the end it felt like being part of an exciting conversation), and actually went out of his way to explain a bunch of stuff to me.
Would you consider doing a reduced price for people who just want access to the videos after the session and logs of IRC? This way you won't have to grade their homework, answer their questions, nor give them a certificate. I'd love to learn all that stuff at my own pace, but I don't have 1k to spend on it. On the flip side I don't expect you to do work for free.
It's something I may consider for future runs, but I'm not planning that for the first iteration. I think the real value in this is being able to work through this material and have hands-on instruction when you need it, much as if you were being trained inside a security consultancy.
I signed up. If for $1,000 you can help me learn how to better secure the web applications I'm building for a living, it will be well worth the cost and time investment. See you in class :-)
There's always value in a guided course, but everything on the outline can be found free online. Unless you need the structure, I'd save your money and use open learning materials.
But there's plenty of "practice targets" out there ;)
Jokes aside, I'm sure there's still lots of wargame websites; there used to be some pretty good ones with a healthy mix of web/crackme/network challenges.
I'd suggest that if you know where these subjects can be found online, and since there are many who state that they don't have $1000, that you should post the links here. Those of us that wish to take the course by Cody will still do so.
vulnhub.com for vulnerable distributions. They have some distributions set up with web apps designed for you to practice and learn various attacks from (i.e. WebGoat).
Self-Promo: rmusser.net/infosec is a site full of information on various infosec topics. Going through right now and updating/increasing the quality of information.
It's not quite sold out, but EventBee seems to be having some issues on the last few tickets for some reason. If you can't get in, refresh until the dropdown actually has tickets and you should be good to go. Sorry for the annoyance!
Got to say I'm also somewhat underwhelmed by the EventBee experience. No 'sold out' notice, but the only currently available quantity is consistently zero.
Yeah, bit disappointing. What's actually happening is that the tickets are reserved, but I have no way of releasing them or any of that. There are still 6 tickets here -- if anyone wants one, shoot me an email. First come, first serve.
Definitely switching to my own little service for this next run.
Edit: The remaining tickets are now all taken. Thank you all so very much, and see you in class!
For me, the dropdown has tickets but trying to buy one gives an error message saying the available quantity is 0. This is especially frustrating given that I spent a good amount of time trying to buy a ticket while they were still in stock.
I'm curious how much value there is in knowing the infrastructure side of security as well as appsec, vs. being a really good developer and knowing appsec. The overall quality of appsec expertise seems highest from people with stronger dev backgrounds, at least from the ones I've met, in practice. Infrastructure and appsec (and compliance/policy, and theoretical math/cs/cryptology) seem like quite different worlds.
No, it's not -- this is a brand new course. However, I personally will put my weight behind anyone who completes this course successfully, as it will put them in a prime position for many positions; I have no doubt that they will be perfect for those jobs.
Just to follow up on this, I'm a little confused by your response. You say you would pay attention to a course "like this" but in other replies say that you pay no attention to certificated courses that are... like this.
So do courses like this catch your attention, or are you exclusively interested in the takers of this particular course that happens to be offered by someone you personally know? I'd appreciate the clarification.
What about the SANS SEC542 + GWAPT certification? It looks like Cody's course covers a couple areas that don't fall under the SANS one, but the high-level overview appears to be pretty similar.
Or, would you be willing to speak more generally about certifications, and which, if any actually DO get attention from hiring managers in the security field?
We pay absolutely zero attention to certifications. I literally don't know what's in the SANS program.
Not taking Cody's classes wouldn't harm you here, or at any other high-end firm that I'm aware of. But actually taking it would signal a particular interest and engagement with appsec, which is something I would pay attention to.
If there is some other forcing function you have to get you to actually practice software security and find vulnerabilities, that too would be valuable.
I'm pretty familiar with the attitude among hiring managers that certifications generally don't signal anything useful; my boss and I also hold that position (I hold an MCTS that I was forced to get so my employer could get a better partnership status with Microsoft). So I'm curious why holding Cody's certificate might actually mean something where a more established cert would not.
Failing the course would entail not scoring well on exams (read: not finding good bugs). You can retake the course in following runs, but I don't have a discount planned at this point. If you keep up with the course work and ask questions if/when you get into the weeds, everyone should be able to keep up with this, even as intensive as it is.
For those of us not in the US, I wish you had opened this up at a different time of day. I would have loved to join but this went up and sold out while I was asleep. Best of luck and please contact me if a spot opens up.
I missed this opportunity, and have followed you on twitter with the hope of not missing the next one. I'd feel better if you had a mailing list to announce the next one though; much more reliable than twitter!
I'm really trying to sign up for this course. Every time I try to pay for a ticket, Paypal tells me they're experiencing difficulties and I need to try again later. Is there a way I can sign up?
Well, having let some time pass, I now fill out the payment information and click "review and continue", and a thinking animation displays, and then the exact same info panel slides out from the left, with all the stuff I typed in still in. I can click "review and continue" any number of times to no avail. How do I actually complete the transaction?
That's really quite odd -- I wonder what's going on. Have you tried another browser? I'm still seeing payments coming in, so everything should be fine.
Sorry to hear you're having so many troubles. Is this happening on the Paypal side or the EventBee side? Also, if you email me at cody.brocious@gmail.com we can discuss other possibilities for payment or troubleshooting.
As far as I can tell, the problem was with the paypal side. I emailed you (once before posting this original complaint, and once recently); I'd be happy to discuss other possibilities. Eventbee seems to have difficulty deciding whether there are 5 or 0 tickets left, but it's definitely not even letting me attempt to purchase one anymore.
Is this for someone who finished the Stripe CTF last year? I think it pretty much covered all the stuff that is offered in this course.
By the way, in Hungary $1500 is about two months of payment, if you are a simple dev (in most places), so I don't know if it is really worth it, if you don't want to move to another country to work later. So I guess this is not for everyone.
Yes, absolutely. Recorded stream as well as logs of the IRC channel. Missing the live stream isn't a big deal if you keep on top of the course work and ask questions. Participating in the forums will also help you keep on top of things.
I really do hope that you package this as a video series. Then sell it to people/teams who are not able to attend a live class. I'd gladly pay the price of the live class for the video series.
Looks like the early bird package is indeed sold out, though two tickets are currently pending payment, so someone might just be sitting on them. I'll update if I find otherwise.
I'm hoping to do this 2-3 times a year, if I can get enough interest and nail down the material. Mind you, the price will be going up past this "beta" run.
If you follow me on twitter (@daeken) or subscribe to the RSS feed on my blog, you'll get updates as they come out. If this all goes well, there will likely be another run starting in Q1 2014.
The videos will be recorded and made available to students. If you can't make the classes, you can always watch them after the fact. So long as you keep up with the course work, you should be just fine.
There are 7 seats currently reserved but unpaid. I think they'll clear out in something like 15 minutes if they aren't paid within that window. Otherwise, it's all sold out at this point.
Edit: Several tickets have opened up -- they're gonna go quick.
It looks like that's the case. I only see 8 sales (out of the 10 total) but I believe that the tickets are being held pending payment. I'll update if I find out otherwise.