Wong Liang Zan

© 2020

Breaker 101: the experience so far

Lock. By Alexandre Dulaunoy

Breaker 101 is a course conducted by Cody Brocious. It aims to teach you the basics of web security. I’ve always been curious about security. When the opportunity arose, I signed up without hesitation. It is not cheap though. But I thought the course would benefit me. It already did.

It has fundamentally transformed the way I code. I view things differently. When I code, I am security conscious. I’m spotting security vulnerabilities in my old code after taking the course. That alone is worth the price of the course. I’m now confident my apps aren’t easy to break.

The course

The course is conducted via a live video stream each week. Cody would go through the material. We ask questions after the class. We have an IRC channel and a forum. Those serve as additional avenues to ask questions. We also have study groups that are formed organically. I have a small group for those located in Asia. We would discuss coursework.

The bulk of the learning is done through the practicals. These are ‘capture the flag’ style practicals. Each practical would focus on a class of vulnerabilities. There are about 5 vulnerabilities in each practical. The practicals are web apps with vulnerabilities hidden in them. Our job is to find them, break them and write them up in a report to be submitted. Most of the time, we can find most of the vulnerabilities. There is a myth that good builders cannot be good breakers. I don’t think that is true. Most of the class are coders in their day jobs. And we were all able to find the vulnerabilities. The key approach is to understand how an app works. Then make use of hidden assumptions to break the app. Being coders gives us an advantage. We can easily guess how it works.

The course can be hectic. Personally, I had to take one to two days off to catch up. Going through the coursework does not feel like work. It is fun! Every time I spot a vulnerability, I get a quick endorphin rush. The sense of satisfaction is similar to that of building. The coursework is not easy but not impossibly difficult. There is a light amount of outside reading that you have to do. I never knew about OWASP before this. Now I regard OWASP as the Wikipedia of security. The exam is similar to the practicals, except it is time limited. The most boring part of the course is the report writing.

Security cannot be covered in a mere 12 weeks. Breaker 101 did show us the way forward. Like any skill, it needs practice to hone it. Reading books alone is not effective. You’ve got to go out there and break things (legally, of course). There are plenty of security courses around. But I prefer to be taught by real hackers. If you want to get into security, take Breaker 101. You won’t regret it.