February 19, 2016
Teaching security
Recently, Brains & Beards helped organise a webapplication security workshop for aspiring software craftsmen from the Barcelona chapter. And it went great.
I think the reason for the success was what we focus on in the materials we provide. We think the learnings and challenges that we set during such a training should be:
- Fun, because it helps to keep the connection in the mind that learning is fun.
- Fun, because if the attendees like the tasks, they’ll be more focused and this way learn more.
- Fun, because this way they’ll be more inclined to keep practising on their own long after the workshop is finished.
- Also, more curious to explore what might be security vulnerabilities in the apps that they’re working on daily.
- Challenging, because it makes them more fun.
- Real-world oriented, because it builds the suspicious attitude when they look for vulnerabilities in their everyday work. Also, it helps them to see how vulnerabilities sneak into real projects, not just testing challenges.
How do we achieve those goals? Well, the material used was a part of a bigger training we do on webapplication security. We’ve prepared a simple online bookstore written in Ruby on Rails that is riddled with (more and less obvious) security vulnerabilities. First we explain the basic theory behind a particular attack vector, then we let the students loose to find it in the app and exploit it. Afterwards, we have a small discussion how could it happen that such a bug was introduced, how to spot them in the future and, of course, how to fix it.
Overall, it was a great experience to see so many developers with various backgrounds ferociously hacking our poor aplication. What’s most important (and difficult to achieve!) is that nevermind their expertise levels, they all enjoyed it and improved their knowledge. We had attendees who had absolutely no knowledge of what an SQL injection is and seasoned web developers who were able to conduct timing attacks. I’m really happy they all finished the workshop smiling and asking for more!
So, the only question left is: who’s next? ;)
Want more?
If you liked this post, why don't you subscribe for more content? If you're as old-school as we are, you can just grab the RSS feed of this blog. If not, why don't you subscribe to our newsletter to stay in touch (fill in the form just below). We'll let you know from time to time when something interesting comes out.
Alternatively, if audio's more your thing why don't you subscribe to our podcast! We're still figuring out what it's going to be, but already quite a few episodes are waiting for you to check them out.
PS. We're hiring!
If you've read all the way till the end, it's probably a safe bet that you'd enjoy discussing topics like this one on an everyday basis. Why don't you apply to one of our open positions? We'd love to have you on our team!
WRITTEN BY
Clicking "I want to know more" you consent to processing your data by Brains & Beards sp. z o.o. for marketing purposes, including sending emails.
More Brains and Beards stories
If you're a bit of a technical nerd (like us!) you can keep on reading. This site has been built in React, using GatsbyJS. The data layer is managed through GraphQL. The whole thing is hosted using Netlify. All of those products are great and we're so happy to be able to use them 💯❤️🚀