Hack Yourself First: Security workshop by Troy Hunt

As a security enthusiast, I was thrilled to hear that Troy Hunt was giving a workshop organized by our colleagues from ZIONSECURITY. He is a real influencer when it comes to security awareness. He actively develops online security courses on Pluralsight and has received the Microsoft Most Valuable Professional award for his contributions.

Have I been pwned? is one of his biggest projects and my personal favorite. This platform is a central location for reporting breaches and for searching existing ones for your personal (or work!) email addresses. I suggest that everyone use this platform to check whether they have been breached, and sign up to receive notifications in case their email address shows up in future breaches.

Working code does not equal secure code

Now, back to the workshop. It is primarily aimed at app/website developers who, of course, write code. Most of the time, working code does not equal secure code. Troy was able to convey the importance of secure code, as there can be real-life implications once a security flaw has been discovered. Assessing the consequences of your work will definitely motivate you to improve it.

Apart from the developers, there were also network/system engineers. The workshop was very useful to them as it gave a better understanding of why there is a need for layered security defenses, next-generation firewalls such as those of Palo Alto Networks, and advanced endpoint protection as provided by Cylance. Sometimes an information leak can be as destructive as a zero-day exploit. Detecting and preventing these breaches requires security measures at various points in the network: at the perimeter, in the distribution layer and at the endpoint.

Can you see them lurking around the corner?

Topics such as XSS, CSRF, session hijacking, SQL injection and account enumeration were reviewed by Troy, who did an excellent job demonstrating the faulty code that allowed such attacks. Each topic he demonstrated was also accompanied by a hands-on exercise.

Keeping the target audience in mind, all exercises were done using the Fiddler intercepting proxy and Chrome’s Developer Tools or Firebug for Firefox. By using such common tools, the learning curve is lowered drastically. Almost anyone can ‘hack’ now, and the threat is very, very real.

Security is no longer limited to the network and security teams. Everyone, from server admin to developer, has a responsibility. That is why I highly recommend awareness training such as this workshop. It can definitely help you prevent and/or deal with future incidents.