Web Security Code Review Training - PARIS
Course Overview:
Join our dynamic, live in-person course designed for penetration testers, security engineers, application security engineers, and developers who aim to master the techniques of security code review. Over 2 days, you will learn how to review source code to uncover vulnerabilities. This course focuses on practical, real-world applications of code review to improve web application security.
The training will be run in English but the trainer can answer questions in both French and English.
Two-day in-person training:
This training will take place over 2 days, on the 7th and 8th of October, in Paris (location to be confirmed), from 9AM to 5PM each day. Tea, coffee, and lunch will be provided, along with snacks during breaks.
Key Benefits:
- Enhance your ability to detect and mitigate potential vulnerabilities before they are exploited.
- Learn from an experienced instructor in-person.
- Gain hands-on experience with real codebases.
Content:
- Introduction
  - Objectives of the course
  - Benefits of code review
- Reading Code
  - Documentation
  - Non-Obvious Code
  - Keeping Notes
- Architecture/Routing/Attack Surface/Code navigation
  - Different types of routing
  - Attack surface for libraries
  - Navigating codebases
- Data management
  - Data types
  - Data access
  - Data comparison
  - Generating data
- Patterns
  - Bad default
  - Non-Recursive checks
  - Filtering
  - ...
- Gotcha
  - Example of Gotchas in Python, Ruby, Golang, ...
  - How to find Gotchas
- CVE analysis
  - Methodology
  - Analysis of hand-picked CVEs
- Tools
  - Editors
  - Debuggers
  - Rules/pattern matching tools
- Deep Dive
  - Authenticity/JWT/Signature
  - Authentication
- Strategies
  - Bottom-up/Top-down
  - Routing based
  - Grep
- Remediation
  - Disclosure
  - Fixing bugs
  - Other activities
- Conclusion
  - Recommendations to keep improving
  - Final words
(We reserve the right to adjust the course content and organisation based on participant feedback and the dynamics of the class to ensure the best learning experience for everyone.)
Prerequisites:
To ensure all participants can fully benefit from this course, a foundational understanding of common web vulnerabilities is required. This knowledge will be crucial for understanding the vulnerabilities discussed and reviewed in our sessions.
Additionally, practical skills in managing and running Docker containers are necessary, as part of the course involves using Docker to test and explore different security scenarios. Familiarity with basic Docker commands and concepts will allow participants to smoothly engage in all hands-on activities and testing exercises provided throughout the course.
These prerequisites are designed to optimize learning and ensure that all attendees are prepared to dive deep into the complexities of security code review and vulnerability analysis.
About the instructor:
Louis Nyffenegger is the founder of PentesterLab, a leading educational platform renowned for its comprehensive, hands-on security labs, many of which were personally created by him. Before establishing PentesterLab, Louis honed his expertise in penetration testing across France and Australia. He subsequently specialized in security code reviews at the National Bank of Australia, followed by application security roles at Australia Post and Fitbit, where he regularly performed code reviews. Louis is also a well-regarded speaker, frequently sharing his insights at security conferences such as DEFCON, multiple OWASP events (Auckland, Brisbane, California, Melbourne, ...) and multiple BSides events (Canberra, Perth, Toronto, ...). Additionally, he runs the YouTube channel AppSecSchool, where he shares knowledge and insights on application security.
Reviews from previous cohorts:
"Before doing the training, I had absolutely zero confidence in auditing code. Now, I can say I know where to start & have learned a ton about where to look, what questions to ask and how to go about finding vulnerabilities."
"I highly recommend this training for anyone who wants to get into code review. I learned a ton of new stuff and understand most of the recently published CVEs because of it. And it helped me write a PoC for other CVEs."
"This is the number one code review course your team should be doing this year! The course covers methodology, detailed root causes of source code vulnerabilities, and examples of secure patterns to look up to. These are covered across all the popular languages and frameworks too. The volume of examples and depth of explanations are a great way to open your eyes to your own code or help you become a better code reviewer of other people's code."
You'll get 4 sessions of 3-hour training on security code review, homework between sessions, permanent access to a private discord with past and future students, and 1-year access to PentesterLab PRO (valued at US$199.99)