Seth Law & Ken Johnson - Practical Code Review $2,000
Trainer(s) bio:
Ken Johnson
Ken Johnson has been hacking web applications professionally for 12 years and has given security training for 9 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken’s current projects are WeirdAAL, OWASP Railsgoat, and the Absolute AppSec podcast with Seth Law.
Seth Law
Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.
Trainer(s) social media links:
https://twitter.com/sethlaw (Seth)
https://twitter.com/cktricky (Ken)
https://twitter.com/absoluteappsec (Absolute AppSec Podcast)
Training information:
• OWASP AppSec USA 2018
• Global AppSec Amsterdam
• AppSec California 2019
• OWASP Virtual AppSec Days 2020
• AppSec Day
• Blackhat USA (2020/2021)
• KernelCon 2022
• LocoMocoSec 2022
• DEF CON 2022 LV
Links:
Absolute AppSec Channel is a good place to get an idea of how we present. https://www.youtube.com/c/AbsoluteAppSec
A good primer on some of the content is the following video from our podcast channel, in which Ken walks through the framework taught in this class:
https://www.youtube.com/watch?v=f6UOBCJ9pjw
Training description:
Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken's past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language.
Class outline (hour-by-hour):
Day 1:
• Overview (1 hour)
  • Introductions
  • Philosophy
  • What to Expect
  • The Circle-K Framework
  • Approach
  • Tools/Lab Setup
  • OWASP Top 10
• Code Review Methodology
  • Overview (30 mins)
    • Introduction to Methodology
    • General Code Review Principles
    • Application Overview & Risk Assessment
      • Behavior Profile
      • Technology Stack
      • Application Archeology
      • Note Taking
    • Application Overview & Risk Assessment Exercise
  • Information Gathering (1.5 hours)
    • Info Gathering Activities
    • Mapping
      • Generic Web App Mapping
      • Application Flow
        • Rails
        • Node.js
        • Django
        • .Net
        • Java
      • Mapping Exercise
    • Authorization Functions
      • How are users identified?
      • Identify its purpose
      • What could go wrong?
      • Authorization Functions Exercise
  • Authorization (1.5 hours)
    • Authorization Review
    • Authorization Review Vulnerabilities
      • Broken Access Control
      • Sensitive Data Exposure
      • Mass Assignment
      • Business Logic Flaws
    • Authorization Review Checklist
    • Authorization Exercise
  • Authentication (1.5 hours)
    • Authentication Review
    • Authentication Review Vulnerabilities
      • Broken Authentication
      • User Enumeration
      • Session Management
      • Authentication Bypass
      • Brute-Force Attacks
    • Authentication Review Checklist
    • Authentication Exercise
  • Auditing (30 mins)
    • Auditing Review
    • Auditing Review Vulnerabilities
      • Sensitive Data Exposure
      • Logging Vulnerabilities
    • Auditing Review Checklist
    • Auditing Review Exercise
  • Injection (1 hour)
    • Injection Review
    • Injection Review Vulnerabilities
      • SQL Injection
      • Cross-Site Scripting (XSS)
      • XML External Entities (XXE)
      • Server-Side Request Forgery (SSRF)
    • Injection Review Checklist
    • Injection Review Exercise
  • Cryptographic Analysis (30 mins)
    • Cryptographic Analysis Review
    • Cryptographic Analysis Vulnerabilities
      • Encoding vs. Encryption
      • Hashing
      • Stored Secrets
    • Cryptographic Analysis Checklist
    • Cryptographic Analysis Exercise
  • Configuration Review (30 mins)
    • Configuration Review
    • Configuration Review Vulnerabilities
      • Framework gotchas
      • Configuration files
      • Dependency Analysis
    • Configuration Review Checklist
  • Reporting and Retesting (30 mins)
Day 2:
• Technical Hands-On Review (2-3 hours)
  • Django Vulnerable Task Manager
• Lab Review of Open Source Applications (3-4 hours)
  • Students divide into groups
  • Review an OSS application
• Presentation of OSS Results (1 hour)
Technical difficulty of the class:
Intermediate. Attendees must have knowledge of the OWASP Top 10, SANS CWE Top 25, and other common vulnerabilities.
Suggested prerequisites for the class:
Attendees should be familiar with the development process (SDLC) and where security code reviews fit into that process. Attendees must have experience using an IDE and running command-line tools, and must be able to read application source code.
Items students will need to provide:
Laptop capable of running an IDE.
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Seth Law & Ken Johnson
- 16 hours of training with a certificate of completion.
- Note: Classes that do not meet their minimum class size by July 15 will be canceled; please register early.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue way NE
8A-85
Bellevue, WA 98004