3-DAY TRAINING 4 – Source Code Auditing Like a Ninja

DURATION: 3 DAYS

CAPACITY: 20 pax

SEATS AVAILABLE: REGISTRATION CLOSED


EUR2599 (early bird)

EUR2999 (normal)

Early bird registration rate ends on the 12th of January


Overview

Reading source code is like the x-ray goggles of hacking. The more you are able to see, the more bugs may appear under the hood.

You might be a proficient Penetration Tester or a skilled Bug Bounty Hunter without ever doing a source code assessment. But, if you like to broaden your horizon with source code reviews to identify bugs in source code, this is the training you are looking for.

This training aims to enable the participants to perform source code assessments on managed languages. In order to teach the general aspects of source code audits, as well as the identification and exploitation of vulnerabilities, the training will follow a language agnostic approach.

Managed languages covered in this training include:

* PHP
* Java
* .NET
* Python
* Ruby
* Go

The general concepts and key take-aways of this training, however, are independent from specific languages.

Who Should Attend

Penetration Testers, Bug Bounty Hunters, Developers or anyone else interested in finding (and exploiting) flaws in Software by reading the respective sources.

Key Learning Objectives

  • Language agnostic code audit approaches
  • Recognition of common patterns leading to vulnerabilities
  • Recognition of vulnerabilities caused by erroneously used interfaces
  • Handling of vast code bases
  • Creation of PoCs exploits based on code audits

Preequisite Knowledge

  • Reasonable IT security background (e.g. penetration tests, bug bounties, etc.)
  • Reasonable programming experience in at least one managed language

Hardware / Software Requirements

  • Latest version of VirtualBox Installed
  • Administrative access on your laptop with external USB allowed
  • At least 20 GB free hard disk space
  • At least 4 GB RAM (the more the better)

Agenda

DAY 1 – Basic Topics

  • Opening and Introduction
  • Code audit toolchain set-up
  • Patterns and idioms in source code which enable vulnerabilities
  • Practical exercises

DAY 2 – Advanced Topics

  • Underhanded vulnerabilities
  • Tackling large code bases
  • Interface / environment considerations
  • Practical exercises

DAY 3 – PoC Creation

  • Verification of findings
  • Creation of simple triggers
  • Creation of working PoC exploits
  • Practical exercises
  • Final practical exercises on real-world code bases

TRAININGS
Location: Training Rooms Date: April 9, 2018 Time: 9:00 am - 6:00 pm Joern Schneeweisz Stefan Seefeldt