
@cktricky
Created April 7, 2020 20:45

Course Abstract:

Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing actual source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing this code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short-circuit the work of developing your own secure code review techniques by learning from Seth & Ken's past adventures in performing hundreds of code reviews and the lessons we've learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, the framework, or the language.

Course Objectives:

This course introduces security professionals and software developers to the nitty-gritty details of performing a code review. Specifically, the course will impart the following to attendees:

  • Code Review Methodology used to cover security issues
  • Practical methods for identifying OWASP Top 10 vulnerabilities in:
    • Ruby/Rails
    • Django/Python
    • Node/Express
    • Java/Spring
    • .Net/MVC
  • Open source code review tools available for different languages
  • Hands-on experience identifying vulnerabilities in known-vulnerable code bases.

Training Outline:

Day 1:

  • Overview
    • Introductions
    • Philosophy
    • What to Expect
    • The Circle-K Framework
    • Approach
    • Tools/Lab Setup
    • OWASP Top 10
  • Code Review Methodology
    • Overview
      • Introduction to Methodology
      • General Code Review Principles
      • Application Overview & Risk Assessment
        • Behavior Profile
        • Technology Stack
        • Application Archeology
      • Note Taking
      • Application Overview & Risk Assessment Exercise
    • Information Gathering
      • Info Gathering Activities
      • Mapping
        • Generic Web App Mapping
        • Application Flow
          • Rails
          • Node.js
          • Django
          • .Net
          • Java
      • Mapping Exercise
      • Authorization Functions
        • How are users identified?
        • Identify its purpose
        • What could go wrong?
      • Authorization Functions Exercise
    • Authorization
      • Authorization Review
      • Authorization Review Vulnerabilities
        • Broken Access Control
        • Sensitive Data Exposure
        • Mass Assignment
        • Business Logic Flaws
      • Authorization Review Checklist
      • Authorization Exercise
    • Authentication
      • Authentication Review
      • Authentication Review Vulnerabilities
        • Broken Authentication
        • User Enumeration
        • Session Management
        • Authentication Bypass
        • Brute-Force Attacks
      • Authentication Review Checklist
      • Authentication Exercise
    • Auditing
      • Auditing Review
      • Auditing Review Vulnerabilities
        • Sensitive Data Exposure
        • Logging Vulnerabilities
      • Auditing Review Checklist
      • Auditing Review Exercise
    • Injection
      • Injection Review
      • Injection Review Vulnerabilities
        • SQL Injection
        • Cross-Site Scripting (XSS)
        • XML External Entities (XXE)
        • Server-Side Request Forgery (SSRF)
      • Injection Review Checklist
      • Injection Review Exercise
    • Cryptographic Analysis
      • Cryptographic Analysis Review
      • Cryptographic Analysis Vulnerabilities
        • Encoding vs. Encryption
        • Hashing
        • Stored Secrets
      • Cryptographic Analysis Checklist
      • Cryptographic Analysis Exercise
    • Configuration Review
      • Configuration Review
      • Configuration Review Vulnerabilities
        • Framework gotchas
        • Configuration files
        • Dependency Analysis
      • Configuration Review Checklist
  • Reporting and Retesting
  • Technical Hands-On Review
    • Django Vulnerable Task Manager
  • Lab Review of Open Source Applications
    • Students divide in groups
    • Review an OSS application