Seth Law & Ken Johnson - Practical Secure Code Review
Latest details, requirements, description, cost: https://defcontrainings.myshopify.co...re-code-review
Training description:
Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review and addresses the common challenges of modern secure code review. Short-circuit the development of your own secure code review process by drawing on Seth and Ken's experience performing hundreds of code reviews and the lessons they have learned along the way. The methodology they teach applies to security analysis of any source code repository, whatever the size of the code base, the framework, or the language.
Course overview:
Day 1:
• Overview (1 hour)
  • Introductions
  • Philosophy
  • What to Expect
  • The Circle-K Framework
  • Approach
  • Tools/Lab Setup
  • OWASP Top 10
• Code Review Methodology
  • Overview (30 mins)
    • Introduction to Methodology
    • General Code Review Principles
    • Application Overview & Risk Assessment
      • Behavior Profile
      • Technology Stack
      • Application Archeology
      • Note Taking
    • Application Overview & Risk Assessment Exercise
  • Information Gathering (1.5 hours)
    • Info Gathering Activities
    • Mapping
      • Generic Web App Mapping
      • Application Flow
        • Rails
        • Node.js
        • Django
        • .NET
        • Java
      • Mapping Exercise
    • Authorization Functions
      • How are users identified?
      • Identify its purpose
      • What could go wrong?
      • Authorization Functions Exercise
  • Authorization (1.5 hours)
    • Authorization Review
    • Authorization Review Vulnerabilities
      • Broken Access Control
      • Sensitive Data Exposure
      • Mass Assignment
      • Business Logic Flaws
    • Authorization Review Checklist
    • Authorization Exercise
  • Authentication (1.5 hours)
    • Authentication Review
    • Authentication Review Vulnerabilities
      • Broken Authentication
      • User Enumeration
      • Session Management
      • Authentication Bypass
      • Brute-Force Attacks
    • Authentication Review Checklist
    • Authentication Exercise
  • Auditing (30 mins)
    • Auditing Review
    • Auditing Review Vulnerabilities
      • Sensitive Data Exposure
      • Logging Vulnerabilities
    • Auditing Review Checklist
    • Auditing Review Exercise
  • Injection (1 hour)
    • Injection Review
    • Injection Review Vulnerabilities
      • SQL Injection
      • Cross-Site Scripting (XSS)
      • XML External Entities (XXE)
      • Server-Side Request Forgery (SSRF)
    • Injection Review Checklist
    • Injection Review Exercise
  • Cryptographic Analysis (30 mins)
    • Cryptographic Analysis Review
    • Cryptographic Analysis Vulnerabilities
      • Encoding vs. Encryption
      • Hashing
      • Stored Secrets
    • Cryptographic Analysis Checklist
    • Cryptographic Analysis Exercise
  • Configuration Review (30 mins)
    • Configuration Review
    • Configuration Review Vulnerabilities
      • Framework gotchas
      • Configuration files
      • Dependency Analysis
    • Configuration Review Checklist
  • Reporting and Retesting (30 mins)
Day 2:
• Technical Hands-On Review (2-3 hours)
  • Django Vulnerable Task Manager
• Lab Review of Open Source Applications (3-4 hours)
  • Students divide into groups
  • Review an OSS application
• Presentation of OSS Results (1 hour)
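As an added illustration of the Information Gathering (Mapping, Authorization Functions) and Authorization Review steps in the outline above, here is a small Python script that does the first pass of that work mechanically for a Django-style views module. It is example code written for this listing, not course material and not the trainers' own tooling, and it has nothing to do with the Day 2 lab application. It parses the source with `ast`, records for each view which authentication gates it carries (decorators, mixins, or in-body checks) and whether any of its queries are scoped to `request.user`, then lists the handlers a reviewer should read first. The sample views module, the decorator/mixin allowlists, and the `pk`/`*_id` parameter heuristic are all assumptions constructed for the example.

```python
# Added example, not course material: map Django-style views with ast and triage their
# authorization gates. The sample views module is constructed; it is only parsed, never
# imported, so Django itself is not needed to run this (Python 3.9+ for ast.unparse).
import ast
from dataclasses import dataclass

# Hypothetical allowlists: what this reviewer accepts as an authentication gate.
AUTH_DECORATORS = {"login_required", "permission_required", "user_passes_test"}
AUTH_MIXINS = {"LoginRequiredMixin", "PermissionRequiredMixin", "UserPassesTestMixin"}
AUTH_ATTRS = {"is_authenticated", "is_staff", "is_superuser", "has_perm"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
SAMPLE_VIEWS = '''
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin
from django.views import View

def healthcheck(request):
    return JsonResponse({"ok": True})
@login_required
def task_list(request):
    return render(request, "list.html", {"tasks": Task.objects.filter(owner=request.user)})
@login_required
def task_detail(request, task_id):
    task = get_object_or_404(Task, pk=task_id)   # any user's task: IDOR candidate
    return render(request, "detail.html", {"task": task})
def task_update(request, task_id):
    task = get_object_or_404(Task, pk=task_id)
    for key, value in request.POST.items():      # mass assignment of arbitrary fields
        setattr(task, key, value)
    task.save()

class TaskDelete(LoginRequiredMixin, View):
    def post(self, request, task_id):
        get_object_or_404(Task, pk=task_id, owner=request.user).delete()
        return redirect("task_list")
class AdminReport(View):
    def get(self, request):
        return render(request, "report.html", {"tasks": Task.objects.all()})
'''

@dataclass
class ViewEntry:
    name: str
    authn_gates: list      # decorators, mixins or in-body checks found
    owner_scoped: bool     # some query keyword is bound to request.user
    takes_object_id: bool  # handler receives a pk or *_id URL parameter

def _name_of(node):  # bare identifier of a decorator or base-class expression
    node = node.func if isinstance(node, ast.Call) else node
    return node.attr if isinstance(node, ast.Attribute) else getattr(node, "id", "")

def _takes_object_id(args):
    return any(a not in ("self", "request") and (a == "pk" or a.endswith("_id")) for a in args)

def _scan_handler(fn):
    """In-body authn checks, plus whether any query keyword is bound to request.user."""
    gates, scoped = [], False
    for sub in ast.walk(fn):
        if isinstance(sub, ast.Attribute) and sub.attr in AUTH_ATTRS:
            gates.append(sub.attr)
        elif isinstance(sub, ast.keyword) and ast.unparse(sub.value) == "request.user":
            scoped = True                                 # e.g. filter(owner=request.user)
    return gates, scoped

def map_views(source):
    """Information gathering: one ViewEntry per function-based or class-based view."""
    entries = []
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            args = [a.arg for a in node.args.args]
            if args[:1] != ["request"]:
                continue                                  # not a view function
            gates = [n for n in map(_name_of, node.decorator_list) if n in AUTH_DECORATORS]
            body_gates, scoped = _scan_handler(node)
            entries.append(ViewEntry(node.name, gates + body_gates, scoped, _takes_object_id(args)))
        elif isinstance(node, ast.ClassDef):
            bases = [_name_of(b) for b in node.bases]
            if not any(b.endswith("View") or b in AUTH_MIXINS for b in bases):
                continue                                  # not a class-based view
            gates, scoped, takes_id = [b for b in bases if b in AUTH_MIXINS], False, False
            for fn in node.body:
                if isinstance(fn, ast.FunctionDef) and fn.name in HTTP_METHODS:
                    body_gates, s = _scan_handler(fn)
                    gates, scoped = gates + body_gates, scoped or s
                    takes_id = takes_id or _takes_object_id([a.arg for a in fn.args.args])
            entries.append(ViewEntry(node.name, gates, scoped, takes_id))
    return entries

def triage(entries):
    """Authorization review: which views to read first, and why."""
    report = {"no_auth_gate": [], "unscoped_object_access": []}
    for e in entries:
        if not e.authn_gates:
            report["no_auth_gate"].append(e.name)
        if e.takes_object_id and not e.owner_scoped:
            report["unscoped_object_access"].append(e.name)
    return report

if __name__ == "__main__":
    print(triage(map_views(SAMPLE_VIEWS)))
```

Run directly, it reports `healthcheck`, `task_update` and `AdminReport` as having no authentication gate, and `task_detail` and `task_update` as reaching an object by id without scoping the query to the requesting user. That output is a reading order, not a findings list: `healthcheck` is meant to be public, a decorator on the allowlist proves only that some gate exists and not that it is the right one, and a scoped lookup says nothing about what `task_update` then lets the user change. Deciding those questions is the manual authorization review the outline above is about.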
Student skill level:
Intermediate. Attendees must have knowledge of the OWASP Top 10, the CWE/SANS Top 25, and other common vulnerability classes.
What should students bring to the Training?:
Laptop capable of running an IDE.
Bios:
Seth Law
Seth Law is an experienced application security professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and as an individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Black Hat, DEF CON, CactusCon, and other regional conferences.
Ken Johnson
Ken Johnson has been hacking web applications professionally for 12 years and has given security training for 9 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken’s current projects are WeirdAAL, OWASP Railsgoat, and the Absolute AppSec podcast with Seth Law.
Trainer(s) social media links:
https://twitter.com/sethlaw (Seth)
https://twitter.com/cktricky (Ken)
https://twitter.com/absoluteappsec (Absolute AppSec Podcast)
Previous Trainings:
• OWASP AppSec USA 2018
• Global AppSec Amsterdam
• AppSec California 2019
• OWASP Virtual AppSec Days 2020
• AppSec Day
DATE: Aug 15th to 16th, 2022
TIME: 8am to 5pm PDT
VENUE: Caesars Forum Ballroom
TRAINER: Seth Law & Ken Johnson
CERTIFICATE TEST AVAILABLE (after class): please purchase the certificate test
- 16 hours of training with a certificate of completion for some classes
- COVID safety: masks required for indoor training
- Note: classes that do not meet their minimum class size by July 15 will be canceled; please register early
- Note: food is NOT included