Rails Security Workshop - September 2016

A series of security challenges in an intense one-day workshop

The only way to know in your gut how software works is to implement it by hand. The same applies to breaking into web apps: the only way to be truly aware of the vulnerabilities in your code is to exploit them yourself.

In an intense one-day workshop, we’ll be taking a group of Ruby on Rails developers through a series of time-limited security challenges. You'll learn to bypass authentication, escalate privileges and thoroughly compromise the infrastructure of vulnerable Rails applications.

By the end of the workshop, you will:

  • Have an intuitive sense for vulnerable code and how to exploit it.
  • Be up to date with common attack vectors against Rails applications.
  • Be armed with strategies for keeping your codebases secure in the long term.

Some nice things people have said

The security workshop was a real eye-opener, and loads of fun. The difference between reading on a blog that, "There's a remote code execution vulnerability..." and actually seeing just how easy it is to make an application do whatever you want (that it's not supposed to do), is huge. I would highly recommend this workshop to any programmers who care about their customers' security (hopefully, that's all of them).

David Salgado, CTO and Co-Founder at Admoda


The Rails Security Course run by Ali was fantastic! He has a great way of teaching and I learnt a huge amount in a short space of time. I've read lots about XSS, SQL injection, and the Rails remote code execution vulnerability, but there's only so much you can learn from just reading about them. Actually putting the attacks into practice and seeing how they work really shed a lot of light on the lengths people are willing to go to hack your systems. I cannot recommend this course enough!

Tom Crinson, Senior Data Engineer at Metail

The Challenges

Over the day we'll progress from taking advantage of basic developer error to exploiting multiple vulnerabilities and totally compromising a web application.

The challenges increase in difficulty over the course of the day, though we'll be dropping hints to keep everyone at roughly the same stage.

We’ve run this workshop several times over the past few years. We’ve removed some exercises that are no longer as relevant and added new ones based on vulnerabilities we’ve found in client codebases.

Requirements

  • Basic to intermediate Ruby programming skills - While we'll be covering a lot of technical material on the day, strong Ruby skills will help you spend less time plumbing and more time breaking into web applications.
  • Basic understanding of the HTTP protocol - You don’t need to be an expert on HTTP, but an understanding of how forms, headers, and cookies work will help you get through the challenges.
  • A laptop set up to develop Rails codebases - This typically means having access to a command line with a ruby version manager (like chruby, rbenv, or rvm) installed.

Money back guarantee

If at any point before, during or after the workshop you decide that it wasn't worth what you paid for it, let me know and we will immediately initiate a full refund.

Timeline

  1. (Optional) If you have any questions or queries, you email us and we get back to you ASAP. If you need to convince your boss, I wrote this article specifically for them to read.
  2. You buy a ticket! 🍻
  3. Before the workshop, we’ll get in touch to say hello and send over a single challenge as pre-work. This is to make sure you’re set up to run the exercises and we spend minimal time dealing with technical issues on the day. It is also so that you understand the structure of the challenges and can get stuck in right away at the workshop.
  4. On the day of the workshop, you turn up at 9am sharp and we do the thing. I will talk for about 15 minutes at the start and end, with brief interludes between each challenge. We break for lunch (not included) at 13:00 for an hour and finish at 18:00. The vast majority of the day will be you at your keyboard trying to break into insecure software.
  5. (Optional) For dinner (also not included) we have a reservation for all of us at the nearby Tajima-Tei for 18:15 which you’re welcome to attend for eating/drinking afterwards.
  6. After the workshop we’ll be in touch with a couple of extra exercises, recommended reading material, and a request for feedback.

Questions?

If there’s anything you’d like to know before buying a ticket, please send an email to ali@happybearsoftware.com and I’ll get back to you ASAP.

Can’t make these dates/tickets sold out?

No worries. You have a few options:

  1. Next public workshop - If you have fewer than ten developers on your team, enter your name/email below in the “Register Interest” form. We intend to run these workshops every quarter, so you’re welcome to the next one.
  2. In-house workshop - If you have ten or more developers on your team, it might make sense for us to run the workshop at your office, customising the material to your requirements if appropriate. Please get in touch regarding pricing and availability.
  3. DIY Workshop - For a fee we’d be happy to make the workshop exercises available to your team. You won’t have the focused single day, accompanying material, and witty conversations that the live workshop attendees will enjoy. However this can be a good option if you’re having difficulty scheduling an entire day to focus on levelling up your security skill. Please get in touch about this offer.