Do not confuse being able to hack with knowing the art of writing secure code

You can turn writing good software security into a good habit. Something you barely stop to think about, like brushing your teeth or putting on your seat belt. High Tech Institute is working with the specialists at Hungary’s Cydrill to teach you how.
‘We teach developers how not to code.’ László Drajkó likes unsettling his conversational partners with this bold statement. Yet that’s what the software security courses taught by his company, Cydrill, revolve around: teaching coders the professional discipline to prevent weak spots in their software.

Perhaps ‘discipline’ is too strong a word. Drajkó thinks it’s more comparable to putting on your seat belt. ‘You no longer notice you’re putting it on. In the same way, you can teach yourself the good habit of writing good software security. And then you’ll automatically avoid pitfalls, without stopping to think about it. We teach people to instinctively use good coding habits.’ Secure coding doesn’t take more time, Drajkó says. ‘It takes time to learn how, but once you have there’s no difference.’

Teaching people to write secure code is a labour-intensive endeavour. Break-ins are continually happening around the world, exposing vulnerabilities. It takes a sizeable team to keep up with all that information and work it into training material as case studies. ‘An independent teacher would spend four hours staying up to date and incorporating new material for every hour of class,’ Drajkó estimates.

That’s why High Tech Institute is partnering with Cydrill, a specialist fully focused on training people to write secure code. The Hungarian company is especially focussed on security for embedded systems.

‘We aren’t selling painkillers and band-aids, but building an immune system that’s extremely resilient,’ say Ernõ Jeges (left) and László Drajkó (right), who visited the High Tech Campus in Eindhoven last summer.

The Commodore 64 and the ZX Spectrum

Cydrill is located in Hungary’s capital, Budapest. In the eighties young László Drajkó had access to computers, though within the Russian sphere of influence that access was very limited. His first acquaintance came when he was twelve. ‘Science was non-political. The educational system was highly theoretical, but quite good. Behind the Iron Curtain, we had to rely on our brains and we had few other resources.’

Drajkó and his fellow students wrote their code on paper. ‘We ran it in our heads. We checked for coding mistakes that had never been implemented. We made our corrections on paper, too. Because when we finally had access to a machine, we wanted to feed it error-free programs. We barely had money or computers.’

In the mid-eighties the Hungarian coders were permitted to travel to Germany and Austria, where they were able to buy Commodore 64s and ZX Spectrums. ‘The generation before ours had to shell out millions of dollars for a computer, but suddenly we could buy a home computer for five hundred dollars. The PC had a major impact on our age group.’

In the mid-eighties Drajkó was studying computer science in Hungary. The Iron Curtain fell while he was still in college, which had a huge impact on him. A European Economic Community grant enabled him to attend the Delft University of Technology. The result was culture shock. His first few months in the Netherlands immersed him in ‘total miscommunication’.

Though he spoke English, Drajkó didn’t understand his advisors’ questions. ‘Not in terms of language, but conceptually. The educational approach was completely different. They’d ask things like, ‘László, what problem would you like to work on?’ And I’d say, ‘No, no, I don’t have any problems. Just tell me what code you want me to write and I’ll find the best algorithm for it.’ But then they said things like, ‘How would you like to change the world for the better?’ And I thought, ‘I’ve wound up in art school!’’

‘When I went to college in Delft, I thought I’d wound up in art school’ – László Drajkó on the culture shock he experienced as a Hungarian university student in the Netherlands.

Novell, Compaq and Microsoft

After twenty-five years working for international companies such as Novell, Compaq and Microsoft, Drajkó decided to invest in a training company. He wanted to share what he knew and was looking for a suitable niche. He found it in security. ‘I asked myself what was going wrong and one of the answers was cybersecurity.’

Some time ago Drajkó ran into two familiar faces, Zoltán Hornák and Ernõ Jeges. All three studied at the Budapest University of Technology, but Hornák and Jeges have known each other since 1990. That year, the Hungarian and the Serbian competed against each other in the second International Olympiad in Informatics in Minsk. A few years later, Jeges decided to study computer science in Budapest.

Hornák and Jeges became fast friends and during their doctoral research they conducted tests for Nokia, breaking into mobile telephones and networked systems. Demand was so high they abandoned their PhDs and started hacking systems on assignment. ‘White hat hacking was uncharted territory back then,’ Jeges says. ‘Very few companies were doing it. Nokia had a ton of assignments, and we realized we were learning more on the job than we were at the university.’

The penetration testing (pentesting) assignments poured in to their company, Search Lab: the pair were hired to break into networking hardware, set-top boxes and more. Most of the target systems were embedded. ‘Not many security companies focus on those, because you need to understand the system at the chip level. Most pentesting companies focus on websites and web services, but we explicitly specialize in embedded.’

The 2008 crisis hit Search Lab hard. In that same period, the mobile phone industry switched entirely to the Iphone and Android platforms. Hornák and Jeges lost most of their business from clients with whom they had a long history.

Their shared focus on security sparked the click with Drajkó. ‘The number of incidents is growing exponentially, while awareness is minimal,’ he explains. ‘Only a handful of companies are doing something about it. Everyone’s busy patching errors, but that doesn’t address the problem. Education is the golden opportunity to prevent a software security crisis. Our stance is that we aren’t selling painkillers and band-aids, but building an immune system that’s extremely resilient.’

Ernõ Jeges’s goal is not to teach people how to hack, but to instil paranoia.

Instil paranoia

In 2018 Drajkó and Jeges founded Cydrill, the company that focusses on trainings. The security industry is in constant motion and to keep up with it, Cydrill offers online training in addition to traditional classroom fare. For a modest annual fee, participants can shore up their knowledge using a digital gamification platform. The online approach also makes it easy to track results. ‘We measure our success by the way clients translate our expertise into coding habits,’ Drajkó says.

The need for inherently secure code is high, but not all developers are enthusiastic about security classes. ‘If you ask developers to choose a course from nineteen different options, security will probably come in at the bottom. It sounds very prescriptive. A new platform, new language or new architecture is much more appealing to them.’

Cydrill’s software security courses don’t teach developers how to hack. There are plenty of classes that do that, Drajkó says. Many of his clients in the US have experience with them. ‘But they’ve been turned off by them, because the course designers couldn’t relate it to their daily work.’

Drajkó believes that learning hacking techniques in order to prevent hacks is a waste of time. ‘It doesn’t matter whether it’s ethical hacking or hacking with bad intent. Because in terms of technology there’s no difference; it’s a question of morality.’

Drajkó believes that developers do need to be well versed in what exactly hacking is. ‘That’s why we address it. Participants also need to understand that hackers have infinite time and infinite resources. They make use of bots and third-party computers. In the embedded domain that use is growing in lockstep with the Internet of Things.’

That’s why Cydrill’s courses always start with a peek inside the hacker’s mind. ‘For example, we show them that a buffer overflow can be a problem,’ Jeges says. ‘That someone can take control that way, and it will no longer be your program that’s running.’

Jeges’s goal is not to teach people how to hack, but to instil paranoia. ‘The first day, participants go home feeling uneasy. They realize they’ve made mistakes in the past. That feeling is important. It has an impact we can’t achieve through online training.’ After that experience participants are all ears, Jeges notes with a smile. ‘Emotionally and intellectually.’

That makes the class ripe for covering best practices. ‘We show them the difference between well-meant attempts to make code hack-proof and actual best practices,’ Jeges says. ‘They can apply the new techniques and skills they learn the next day.’

Case studies are an important component of those best practices. ‘We use every incident that’s been global news,’ Jeges explains.

This article is written by René Raaijmakers, tech editor of Bits&Chips.