Back to Pre-Conference Training Page

Back to Conference Home Page

Polyglot Security Code Review

Two-Day Interactive (Classroom) Training - OWASP New Zealand Day 2024

Abstract

Join our intensive, two-day code review training! Tailored for pentesters, AppSec engineers, and senior developers, this dynamic training delves into the nuances of identifying and mitigating vulnerabilities in diverse programming languages, including Java, Ruby, Golang, Python, and PHP.

Target Audience

• Penetration Testers, Code Reviewers, and Application Security Engineers
• Senior Developers with an understanding of common security vulnerabilities

Course Details

Dates: Tuesday and Wednesday, 3-4 September 2024

Time: 8:45 a.m. to 5:30 p.m. (NZST)

Instructor: Louis Nyffenegger (PentesterLab)

Course Fee: NZ $1,000.00 (plus GST and ticketing fees)

Registration Site: https://events.humanitix.com/owaspnz2024-training

Maximum Enrolment: 36 attendees

Prerequisites - What Students Should Bring

• A laptop with Internet access and Docker installed

What Students Will Receive

• A one-year subscription to PentesterLab PRO

Course Description

Join our intensive, two-day code review training! Tailored for pentesters, appsec engineers and senior developers, this dynamic training delves into the nuances of identifying and mitigating vulnerabilities in diverse programming languages, including Java, Ruby, Golang, Python, and PHP.

Our approach is hands-on and case study-driven, utilizing real bugs to illustrate key concepts in each section. By leveraging multiple languages, we aim at providing re-usable patterns as well as covering language specific knowledge and gotchas.

The workshop emphasizes practical skills, ensuring that you leave with not only theoretical knowledge but also the ability to apply these techniques effectively in your code reviews. Perfect for those looking to elevate their code review skills to a professional level, our training offers a unique opportunity to enhance your expertise in a collaborative and dynamic environment.

Attendees will also get to enjoy one-year access to PentesterLab PRO to keep learning after the training.

Course Outline

Day One

1. Introduction
   • Why get Into Security Code Review?
   • Previous Language Knowledge
   • Manual Review versus Automatic Tools
   • Improvement, Weakness, and Vulnerability
   • Train Your Code Review Muscles
   • The Right Incentive
2. Reading Code
   • Methodology
   • What to Look for
   • Non-Obvious Patterns
3. Keeping Notes
   • What to Write
   • How to Keep Notes
4. Architecture of Web Applications
   • Routing
   • MVC
   • User-Controlled Inputs
5. Data
   • Data Types and Web Applications
   • Type Comparison
   • Injections
   • Serialisation and Deserialisation
   • String Interpolation
   • XML Entities Attacks
   • Assumptions and Data
   • How Data Is Accessed
6. Patterns
   • Bad Default
   • Filtering
   • Time-of-Check Time-of-Use (TOCTOU)
   • Common Patterns

Day Two

1. Gotchas
   • Golang
   • Java
   • Ruby
   • Python
   • Others
2. CVE Analysis
   • Methodology
   • Example: An Interesting CVE
3. Tools
   • Text Editor
   • Docker
   • Git
   • SemGrep
   • Debugger
4. Deep Dive
   • Authentication (Registration, Password Storage, Login, Password Reset)
   • Authenticity
5. Strategies
   • Code Review Methodologies
   • Picking a Methodology

6. Remediation

7. Conclusion
   • Wrapping It Up
   • Creating Habits
   • Last Advice

Your Instructor

Louis Nyffenegger is a seasoned security engineer and the founder of PentesterLab, a platform dedicated to teaching Web penetration testing. With over a decade of experience in cybersecurity, Louis has focused on penetration testing, architecture analysis, and code reviews. He also launched a YouTube channel, AppSecSchool, further extending his passion for education in application security.