Cenzic 232 Patent
Paid Advertising
web application security lab

The Austin Project

Two days ago I found myself reading something written by one of my readers about something I had written. Unfortunately, it not only completely missed the point of what I had talked about, but some dramatic and ultimately incorrect assumptions were drawn due to complete lack of technical understanding on this reader’s part. I’m not going to out this person, because I don’t think it’s productive. But it was pretty upsetting to me, because I do want people like this person to be able to learn from this site. This site is super tricky to run. On one hand I have some of the most technically competent people in the web security community visiting regularly. For them, some of the most complex topics I cover make perfect sense, and there is very little confusion. For the non-techies the technical posts are either misread or left unread. Either way, that’s not good for the sake of learning.

A huge chunk of why I started this site was for my own testing. I wanted to learn on a site that I controlled completely. That works great if you’re a guy like me, who’s already been in the web space for well over a decade. But for people who are either new, or are shifting their interests from some other area of security, the web space is highly complex and deep. So herein lies the second reason I started this site. I wanted a place where I could teach people what I know. Call it altruism, call it wanting a sanity check on my own thoughts, but here we are, 2 years and 20,000 visitors a day later and things have changed.

I’m ultimately troubled by the fact that there are so many people out there who are in every way smart but are only in web application security because they have fallen into it, for whatever reason, and now are trying to play catch up with guys like us. I feel like there is a huge gap of knowledge out there, and I feel like there is a lot that I could share with people given enough time. A one hour speech isn’t enough time. It’s barely enough time to gloss over a topic, let alone go down to any level of detail that would allow someone to think they are proficient in a topic. I really feel like I could share a lot more of what I know to a willing participant if we made it a week long course. So that’s what I did.

I’m going to be offering a week long course that I am dubbing The Austin Project. The goal of the project is to get a group of likeminded people who are interested in talking about and learning more about web application security from yours truly. Honestly, I just feel like there’s a lot more I can talk about in a week’s time than I could ever cover in a series of blog posts, especially because in an intimate class it is far easier to communicate.

So I will be inviting five people to fly in and stay for five days. No cell phones, no computers, no distractions - just talking webappsec. I attended an invite only conference of this format before and it worked great, where the only open computer was the one operating the projector. Being off the grid really helps people focus. Everyone will sign non disclosure agreements so people can talk freely about problems they are concerned with without having to worry about it getting out. There will be eventual outputs from the classes, but they will be discussed only with people who attend. Days will be spent talking about webappsec, nights will be spent with me in downtown Austin, visiting the local nightlife and probably talking about webappsec some more. My goal is not to make myself the grand leader of a group of five people who are webappsec gods, but rather, build a collaborative group of people who change their way of thinking and come out of it with the knowledge on how to fix their little slice of the Internet.

I’m just not scalable, and while the blog has been a great conduit for sharing some of my ideas, it’s clear to me that people just aren’t getting the value out of it that they could in another format (I guess you get what you pay for, as this site is free!). It turns out I just have a lot more to say than I put on this site. That became apparent today when I started chatting with someone about a specific web application flow. It took me ten minutes to explain some of the esoteric nuances to watch out for and I suddenly realized I had never talked about it before on the site, and I probably never would have because I ultimately consider a lot of that stuff to be “the basics” (even though apparently not a lot of people know about it). I usually try to skirt around the basics as to avoid alienating the experts who frequent this site. How would anyone know about the esoteric gotchas if I didn’t talk about it? Well, now is your chance to come ask me. Not that I will just be covering basics - oh no, why come to me for the basics? But this will be your chance to get me to slow down and explain things to you in a virtually one on one environment.

My goal isn’t to get the best of the best and put them in a room together (although if I wind up with a bunch of people who are experts I will build a class specifically for them). The main goal of The Austin Project is to get people who want to learn but are otherwise starved for information. I want to help those people and bring them to the next level, so that they go off and eventually help others and so on. I firmly believe education at this level will help our industry, help us start developing better applications, better strategies, and ultimately will make all our lives better.

This isn’t like most training. There will be no CPE credits (although I’m sure you could convince someone it should count), no class of 40 people, no canned demonstrations. This is just a chance for you to sit with me for a week and talk about whatever it is you want to talk about in an collaborative environment. I don’t want five people from the same company showing up. That’s not the goal here. The goal is for you to meet other people with other problems and work through them together as much as it is to hear from me. Why? Because other people have interesting problems that relate to our industry that you should think about too! I want to facilitate the correct thought process, which is so much more important than me just solving your problems for you. I want to make people into the big thinkers (not just technologists) that this industry needs. I want the participants to build relationships that they can use to better themselves and their careers. Big goals for such a little class!

Anyway, if we wind up with way more than five people who are interested, we can separate the classes into groups, but I have no idea how many people will be interested. I don’t want to go over five people and I don’t want it smaller than that or it would defeat the goal of building a team, so I may actually turn people away if we don’t hit a critical mass. This is just as much an experiment for me as it is for anyone who would attend. I also may turn people away if I think they couldn’t benefit from this - which is why I’ll be asking for a resume from each of the people who are interested. If you have no experience, this isn’t the class for you. If you have been doing this longer than I have, this isn’t the class for you. If you just want to come to the class to heckle me, well, it’s an expensive prank, but it’s your money. ;) So if you are at all interested, check out The Austin Project web-page for the specifics and send your contact information through the form.

18 Responses to “The Austin Project”

  1. John Ther Says:

    I can’t say anything about the implemantation but I love the idea. Just clever and can be so interesting with right people.

  2. Ashven Giovanni Says:

    Do you know of any resources you could point us to that would provide the basics? It would be greatly appreciated!

    For somebody just developing an interest in internet security, there tends to be quite a lot of mining for information.

  3. RSnake Says:

    @John - thanks! We’ll see how it turns out! I’ll give updates if it’s worthwhile, if not, it just might silently disappear! ;)

    @Ashven - I don’t unfortunately (at least nothing I’d recommend). However, if that’s something you’re really interested in, we could do a class specifically for beginners if we can get enough of them. I’d be willing to do that, although it would require everyone be fast learners, because there’s lots to cover!

  4. malkav Says:

    woo. that’s the kind of ideas i love. but why not extend the concept ?

    it seems that slackers even not proficient with the internals of webapp sec are coming from other area of security.

    as the field grows, there is more and more distance between, let’s say web applicative security, system (and kernel level in particuliar) sec etc… people (by here, the web app security isn’t managed by the information security people of the group, but by specialized subsets of dev teams)

    maybe be it is time to mix up again, share ideas, and see where it leads ?

    just my 0.2 :)

  5. RSnake Says:

    Looks like there are four slots left….

  6. Malkav Says:

    note to self : no js, no comments.

    RSnake, if you can convince my boss that it can be considered legitimate training… oh, and of course, nil count as legitimate training.
    the concept is great, one day or the other i think i’ll grab some hackers from around here for a few days, and see what can get out off our minds.

    as for my 0.2 i don’t think the isolation of the different part of security as it is going is a very good thing. for exemple, you’ll see at work we have an ISG (information security group) which is responsible of network security (but not network management), system level security is left to us (systems engineering) and appsec is left to the coders (much of the guys in the two later having nil experience in security, much of the guys in the first having nil experience in the real needs of our users)

    doesn’t the most technically challenging hacks come from multiple culture/PoV/whatever ?

    why not extend the concept to a assembly of whatever-the-subject hacks and let each of the participant do a preso on his matter of interest ?

    i’d *love* hearing some random guy speak about branching predicts based attacks *really done*

  7. RSnake Says:

    @Malkav - oh, this isn’t isolation of the ideas, only isolation so that the companies involved can speak freely about their problems. I definitely try to bring what I know to light on this site, but unfortunately I never go very deep and I rarely talk about a lot of the topics that I think really interest people, just because it would bore so many others.

    Anyway, three slots left…

  8. Tim Gaines Says:

    I am in austin and I would love to attend.

  9. Tim Gaines Says:

    actually i did until i saw the price tag. may i listen through the vents?

  10. bitburglar Says:

    Robert, this is a grand idea. A beginner’s class is also a grand idea. I don’t know where my knowledge of webappsec comes in on the scale of things but I’m fairly sure I’m on the beginner end of it - but I would love to take some time off and take an intensive web application security “boot camp” to bring me up to speed, so to speak.

    I don’t want to be in the whole “IT Support” hole for long so it would be a great opportunity….

  11. RSnake Says:

    @Tim - hahah… we could probably drop the price a little for local people. Drop me an email if you’re actually interested in something a little less intensive. Maybe we can work something out for beginners.

    @bitburgler (yes, still the best/worst name ever) I think you’re right… if enough people want to learn the basics, we can throw together a basics only class. That shouldn’t be a problem at all.

  12. RSnake Says:

    Two seats left.

  13. PR3VIOUS Says:

    I’m sharing bitburglars sentiments. I was pretty enthousiastic reading the blog post announcing this, but unsure if my capabilities / experiences are enough to pull it. But the interest is surely there, so any more ‘jumpstart’ alike would be very nice!

  14. RSnake Says:

    Four out of five seats sealed up, with two maybes. We might need to make another session.

    @PR3VIOUS - well if you are serious, send sign up and we’ll just create another day. Do you want it to be a full five days or something smaller? I’m okay with either, I’m just trying to get a feel for what people want. That goes for anyone else who’s interested in a beginner class as well. I don’t want to exclude anyway.

  15. logadmin Says:

    …and what about people from outside of EE.UU?

    It would be a great idea to do this project around the world, for example.. Europe among others. :D
    There are great and funny places like the 6th street where the people could share their knowledge while enjoy.

    If it woulnd’t possible We’ll always have this blog. But this is really a great idea.


  16. Spyware Says:

    While the idea of having a group of intellects, talking and discussing important matters is a great idea, I feel that it is a big loss to put a price tag on these discussions. Shouldn’t information be free? One cannot BUY common sense, so what are you really buying? A hands-on approach? Is it worth all that money? Is there not another way, or even ways to train people in Web Security?

    I encourage your think-tank method of spreading AND creating information, I just don’t like the fact that information is so expensive in these days, days in which the Internet holds such large amounts of “free” information (gotta pay for the connection) you just wonder if it will ever end.

    Consider this post just a gentle cheer from the sideline.

  17. RSnake Says:

    @Spyware - if everything in life were free life would indeed be great. Unfortunately the cost of hotels, cabs, materials, and indeed time are all expensive items. It may not be worth it to you if you can find the information elsewhere though (like a lot of books which are culled together from other places, for instance - not necessarily worth the cost if you can find the information elsewhere). If you can’t find that information elsewhere then it is. I think it really is just that simple.

  18. RSnake Says:

    At this time I think we’re going to put the Austin project on hold (we have a pretty conflicting group of interests, which would make it tough to move forward). We’ll be looking at other formats and will update everyone when we come up with something, if we can come up with something we like. Sorry for all the noise!