Abstract

DURATION: 3 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: REGISTRATION CLOSED

SGD2999 (early bird)
SGD3999 (normal)
Early bird registration rate ends on the 30th of April

Overview

Reading source code is like the x-ray goggles of hacking. The more you are able to see, the more bugs may appear under the hood.
You might be a proficient Penetration Tester or a skilled Bug Bounty Hunter without ever having done a source code assessment. But if you would like to broaden your horizons and use source code reviews to identify bugs, this is the training you are looking for.
This training aims to enable participants to perform source code assessments on managed languages. In order to teach the general aspects of source code audits, as well as the identification and exploitation of vulnerabilities, the training follows a language-agnostic approach.
Managed languages covered in this training include:
* PHP
* Java
* .NET
* Python
* Ruby
* Go
The general concepts and key takeaways of this training, however, are independent of specific languages.

Who Should Attend
Penetration Testers, Bug Bounty Hunters, Developers or anyone else interested in finding (and exploiting) flaws in software by reading the respective sources.
Key Learning Objectives

Language-agnostic code audit approaches
Recognition of common patterns leading to vulnerabilities
Recognition of vulnerabilities caused by erroneously used interfaces
Handling of vast code bases
Creation of PoC exploits based on code audits

Prerequisite Knowledge

Reasonable IT security background (e.g. penetration tests, bug bounties, etc.)
Reasonable programming experience in at least one managed language

Hardware / Software Requirements

Latest version of VirtualBox installed
Administrative access on your laptop with external USB allowed
At least 20 GB free hard disk space
At least 4 GB RAM (the more the better)

Agenda

DAY 1 – Basic Topics

Opening and Introduction
Code audit toolchain set-up
Patterns and idioms in source code which enable vulnerabilities
Practical exercises

DAY 2 – Advanced Topics

Underhanded vulnerabilities
Tackling large code bases
Interface / environment considerations
Practical exercises

DAY 3 – PoC Creation

Verification of findings
Creation of simple triggers
Creation of working PoC exploits
Practical exercises
Final practical exercises on real-world code bases