Former Member
At SAP TechEd, Boston, I offered a "guided hacking tour" in the SDN clubhouse. The idea was to raise awareness among the participants regarding how easy it can be for an attacker to break into a web application if the developers don't do their homework.

The setup was an online shop running on my VMware system, with some serious security holes deliberately planted in the code.

Interested participants were confronted with four "hacking" goals to achieve:
  • Buy one of the items in the shop at a heavily discounted price: $1
  • Get as much credit card information out of the system as possible
  • Acquire another user's logon credentials
  • Become administrator of the shop
Practically all participants had no idea where or how to begin and started by simply playing around with the application. The idea was that everyone should try to break into the system as far as they could, and if someone got stuck, I'd give a hint.

This way all participants were put in the position of an attacker rather than a developer and learned to look at applications with different eyes.
Telling people about security is one thing, but sitting right in front of a vulnerable system with a hidden back door just a few keystrokes away is another.
After seeing the vulnerabilities, some people even recognized that their own applications had the same type of problem.

There was no prize to win, but still a lot of people came by and spent considerable time trying to break the application.
Everyone told me it was an eye-opener.
Everyone learned.
And most importantly: everyone had fun.