
Seth Law & Ken Johnson - Practical Secure Code Review $2,000 (Early $1,800)

$1,600.00

Training Name: 

Practical Secure Code Review

Description:

This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review.

Training description:

Learn a proven methodology for discovering vulnerabilities in code through secure code reviews against any language or framework, regardless of the size of the code base. Whether analyzing code as a consultant, internal resource, or bug bounty researcher, enhance your bug-hunting techniques and code review skills using a strategy that goes beyond the security review checks covered by language-specific guidance and by automated tools plagued by false positives. During the training, you will learn and practice a methodology developed by Seth and Ken (co-hosts of the Absolute AppSec podcast) to find bugs in hundreds of code bases, including web3, mobile, and web applications. Students gain the confidence to take on code-review projects, knowing how to organize their limited time, avoid unnecessary time sinks, and focus on an application's security-relevant files and functions.


Trainer(s) bio:

Ken Johnson:

Ken Johnson has been hacking web applications professionally for 14 years and has given security training for 11 of those years. Ken is both a breaker and a builder and is the CTO & Co-Founder of DryRun Security. Previously, Ken was a Director with GitHub's Product Security Engineering team and has held both technical and leadership roles in the consulting world as well as on the corporate defense side. Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken's current passion project is the Absolute AppSec podcast with Seth Law.



Seth Law:

Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines of the security field, from software development to network protection, both as a manager and as an individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is the founder and principal of Redpoint Security, hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.

Past training:

• OWASP AppSec USA 2018
• Global AppSec Amsterdam
• AppSec California 2019
• OWASP Virtual AppSec Days 2020
• AppSec Day
• Blackhat USA (2020/2021)
• KernelCon 2022
• LocoMocoSec 2022
• DEF CON 2022 LV

Absolute AppSec Channel is a good place to get an idea of how we present. https://www.youtube.com/c/AbsoluteAppSec


A good primer on some of the content is the following video from our podcast channel, in which Ken walks through the framework taught in the course:
https://www.youtube.com/watch?v=f6UOBCJ9pjw 

Trainer(s) social media links:

https://twitter.com/sethlaw (Seth)
https://twitter.com/cktricky (Ken)
https://twitter.com/absoluteappsec (Absolute AppSec Podcast)

Outline:

Day 1:

  - Overview (1 hour)

      - Introductions, Philosophy, Expectations, Setup

  - Code Review Methodology

      - Overview (30 minutes)

          - Introduction, General Principles, Risk Assessment, Notes, Exercise

      - Information Gathering (1.5 hours)

          - Activities, Application Mapping, Mapping Exercise, Authorization Functions, Authorization Functions Exercise

      - Authorization (1.5 hours)

          - Authorization Review Activities, Vulnerabilities, Checklists, Exercise

      - Authentication (1.5 hours)

          - Authentication Review Activities, Vulnerabilities, Checklists, Exercise

      - Auditing (30 minutes)

          - Auditing Review Activities, Vulnerabilities, Checklists, Exercise

      - Injection (1 hour)

          - Injection Review Activities, Vulnerabilities, Checklists, Exercise


Day 2:

  - Methodology Continued

      - Cryptography (30 minutes)

          - Cryptographic Review Activities, Vulnerabilities, Checklists, Exercise

      - Configuration (30 minutes)

          - Configuration Review Activities, Vulnerabilities, Checklists

  - Technical Hands-On Review (3 hours)

    - Vulnerable Task Manager Class Review

  - Group Projects - Review of Open Source Applications (3 hours)

  - Presentation of Group Projects (1 hour)


Technical difficulty:

Intermediate.

Suggested Prerequisites:

Attendees must have knowledge of the OWASP Top 10, SANS CWE Top 25, and other common vulnerabilities.

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into it. Attendees must have experience using an IDE and running command-line tools, and must be able to read application source code.

What students should bring:

Laptop capable of running an IDE.


DATE: November 2nd-3rd 2024

TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center, Bellevue, WA
TRAINER: Seth Law & Ken Johnson

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before September 16th, 2024; a $250 processing fee applies.

Trainings are non-refundable after September 26th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.