Web Security Code Review Training - October over 2 weeks

Course Overview:

Join our dynamic, live online course designed for penetration testers, security engineers, appsec engineers, and developers who aim to master the techniques of security code review. Over four sessions, totalling 12 hours, you will learn how to review source code to uncover vulnerabilities. This course focuses on practical, real-world applications of code review to improve web application security. Through interactive sessions, detailed homework assignments, and hands-on activities, participants will develop a keen eye for security weaknesses in code.

4 Sessions over 2 weeks:

• October 21, 4PM-7PM PDT (October 22, 9AM-12PM AEST/GMT-10)
• October 23, 4PM-7PM PDT (October 24, 9AM-12PM AEST/GMT-10)
• October 28, 4PM-7PM PDT (October 29, 9AM-12PM AEST/GMT-10)
• October 30, 4PM-7PM PDT (October 31, 9AM-12PM AEST/GMT-10)

Key Benefits:

• Gain hands-on experience with real codebases.
• Enhance your ability to detect and mitigate potential vulnerabilities before they are exploited.
• Learn from experienced instructor in live, interactive settings.

Content:

1. Introduction
   • Objectives of the course
   • Benefits of code review
2. Reading Code
   • Documentation
   • Non-Obvious Code
3. Keeping Notes
4. Architecture/Routing/Attack Surface/Code navigation
   • Different types of routing
   • Attack surface for libraries
   • Navigating codebases
5. Data management
   • Data types
   • Data access
   • Data comparison
   • Generating data
6. Patterns
   • Bad default
   • Non-Recursive checks
   • Filtering
   • ...
7. Gotcha
   • Example of Gotchas in Python, Ruby, Golang, ...
   • How to find Gotchas
8. CVE analysis
   • Methodology
   • Analysis of hand-picked CVEs
9. Tools
   • Editors
   • Debuggers
   • Rules/pattern matching tools
10. Deep Dive
    • Authenticity/JWT/Signature
    • Authentication
11. Strategies
    • Bottom-up/Top bottom
    • Routing based
    • Grep
12. Remediation
    • Disclosure
    • Fixing bugs
    • Other activities
13. Conclusion
    • Recommendations to keep improving
    • Final words
    
    

(We reserve the right to adjust the course content and organisation based on participant feedback and the dynamics of the class to ensure the best learning experience for everyone.)

Prerequisites:

To ensure all participants can fully benefit from this course, a foundational understanding of common web vulnerabilities is required. This knowledge will be crucial for understanding the vulnerabilities discussed and reviewed in our sessions.

Additionally, practical skills in managing and running Docker containers are necessary, as part of the course involves using Docker to test and explore different security scenarios. Familiarity with basic Docker commands and concepts will allow participants to smoothly engage in all hands-on activities and testing exercises provided throughout the course.

These prerequisites are designed to optimize learning and ensure that all attendees are prepared to dive deep into the complexities of security code review and vulnerability analysis.

About the instructor:

Louis Nyffenegger is the founder of PentesterLab, a leading educational platform renowned for its comprehensive, hands-on security labs, many of which were personally created by him. Before establishing PentesterLab, Louis honed his expertise in penetration testing across France and Australia. He subsequently specialized in security code reviews at the National Bank of Australia, followed by application security roles at Australia Post and Fitbit, where he regularly performed code reviews. Louis is also a well-regarded speaker, frequently sharing his insights at security conferences such as DEFCON, multiple OWASP events (Auckland, Brisbane, California, Melbourne, ...) and multiple BSides events (Canberra, Perth, Toronto, ...). Additionally, he runs the YouTube channel AppSecSchool, where he shares knowledge and insights on application security.

Reviews from previous cohorts:

"Louis from PentesterLab is running an outstanding code review training program that you won’t find anywhere else. It’s a brilliant resource for newcomers, offering content that’s hard to come by online. The training is jam-packed with in-depth material, covering every aspect of code review, and it's presented in a clear, well-explained manner. Whether you’re in the appsec industry and want a refresher or need to level up your skills, or you're a newcomer wanting to break into appsec or expand your knowledge for other fields of cybersecurity, I highly recommend this training."

"Before doing the training, I had absolutely zero confidence in auditing code. Now, I can say I know where to start & have learned a ton about where to look, what questions to ask and how to go about finding vulnerabilities."

"I highly recommend this training for anyone who wants to get into code review I learned a ton of new stuff and understand most of the recently published CVEs because of it And helped me write a PoC for other CVEs" 

"This is the number one code review course your team should be doing this year! The course covers methodology, detailed root causes of source code vulnerabilities, and examples of secure patterns to look up to. These are covered across all the popular languages and frameworks too. The volume of examples and depth of explanations are a great way to open your eyes to your own code or help you become a better code reviewer of other people's code."