Apply HN: Hacksplaining – what every web developer needs to know about security
Beta online now: https://www.hacksplaining.com
There's a gap in the market for online security training aimed at developers. Most training companies focus on security awareness for regular employees (making sure your receptionist doesn't click on phishing emails) or infosec training for security professionals (learning how to perform penetration tests). Developers have to make do with books, blog posts, and online videos.
We've taken the most common security vulnerabilities and put together a series of interactive exercises that ask a developer to put themselves in the shoes of a hacker. Next, we show how to protect against these vulnerabilities with real code samples. Finally, we test developers on what they've learnt.
The beta launched a few weeks ago and the feedback has been amazing. We hit the front page of reddit (300,000+ page views in one day) and have more than 13,000 sign-ups so far. Our users are consistently telling us the same thing: they have always worried there is a gap in their security knowledge but have generally been too embarrassed to bring it up to their boss.
Getting into YC will help us grow the site into a real product. We have a couple of big security firms interested in working with us and a lot of enquiries about the premium version (which will allow employers to invite and track their employees' progress through the course). There's clearly an appetite for the product, and we want to build a business out of it!
If you have any questions or feedback, we'd love to hear from you. :-)

This sounds similar to Safelight (now, I guess, "Security Innovations"): https://www.securityinnovation.com/ They were quite successful with online security training, and companies will pay for it. So my questions, I guess, are:

* How do you stack up content-wise against something like Safelight?
* Who are you, and what's your pedigree? To a big extent, companies buying security CBT are buying a sort of stamp of approval for their process; how does your brand do that for them?
* Why do security firms want online training? That seems like a really tough vertical to sell this kind of training for (big security firms tend to sell training courses like these themselves, except on-site, at nosebleed prices).

- We don't have the breadth of Safelight's material (early days, I guess), but in the areas we cover, we do a much better job. It was our frustration with this kind of training material that inspired us to make Hacksplaining in the first place: https://www.youtube.com/watch?v=jkQgVO993W8 Our exercises are interactive, rather than passive, and focus on specific ways to fix code, rather than abstract concepts. Compare with what we have on SQL injection: https://www.hacksplaining.com/exercises/sql-injection We started with the question "what are the essential things we would want our development team to know?" and then figured out the most compelling way to teach about them.
- We are talking to a couple of firms that we could partner with to help establish credibility. It's a bit of a Catch-22 selling this kind of training material: people buy your product on the basis of who your existing customers are, to some extent. Finding an established player to work with would really give us a leg up.
- Most companies reluctantly pay for security training, precisely because so much of it is onsite and expensive. Making security training mandatory for developers is a good policy for a CTO of a large company (particularly if they have been hacked recently), but it's generally impractical to send everyone out for a 5-day course. We hope engaging, online material can fill that niche.

Hey, I just worked on the SQL injection course, and I wouldn't use Chase's logo for your fake banking application, or any major company's logo for your insecure sites.

Wow, I like this quite a bit. Your tutorials are very informative without making me feel talked down to. How will you get users? I can imagine doing distribution via company training programs or via people telling their coworkers/friends about it (or maybe something else?). One of these vectors is going to be better than the others. Given your success on Reddit, it's possibly a viral product, but if so, you need to worry about retention: it'll be interesting to see if users keep coming back to learn more.

This seems like a useful service that could get traction, but I think you'll need to find other ways to monetize it than charging companies to track their employees' progress. There are a lot of companies that sadly don't care enough about security to consider paying for a service like this. I would explore other avenues, such as certification (targeted at developers entering the field), referrals to security firms (e.g., consultants or pen testers), and job boards/placement.

Please give the link to the Reddit comments.

This was the post that got to the front page: https://www.reddit.com/r/InternetIsBeautiful/comments/4a4ol6... The warmest feedback tended to come through PMs and email. Thank you