Secure Code Review for Developers & Security Professionals

ATTEND IN-PERSON: Onsite in Bangkok, Thailand

Secure Code Review (SCR) plays a crucial role in any professional software security initiative and complements other testing activities – such as dynamic testing – by significantly extending code coverage and increasing the chances of exposing complex and critical security weaknesses.

This workshop presents a beginner-friendly approach to manual Secure Code Review (SCR), which is the result of combining multiple methods and techniques to detect more bugs during your software security reviews. The presented methodology is intended to be focused on Android application and its development environment; students will be applying such methods to a variety of apps written with different libraries and frameworks, to facilitate students in getting comfortable in understanding the structure and common issues when assessing the security of Android applications.

The workshop is meant to be highly practical where students will be offered the chance to manually review multiple snippets of vulnerable code and develop rules to increase the detection of security issues from the source code.

Key learning objectives

• Understand the unique role and value of secure code review in improving the security posture of modern software applications.
• Learn how multiple review methodologies can be combined to increase code coverage and maximize the detection of high-impact security defects.
• Learn how the most critical vulnerabilities are “manifesting” in Android applications’ source code by reviewing multiple real-world snippets of vulnerable code.

What will the students get

• A methodology, principles, and approaches to initiate a secure code review activity against familiar and unfamiliar programming languages as well as mobile frameworks.
• Fully configured Virtual Machine (VM) with a selection of pre-configured tools ready to be used for delivering effective secure code review activities with a focus on Android environment.

Agenda/Topics Covered

Overview on Secure Code Review

• What is Secure Code Review.
• Manual vs. Automated Secure Code Review.
• The role of Secure Code Review in the Secure Development Lifecycle (SDLC).

Code Review Methodologies

• Introduction to OWASP Code Review Guide.
• Analysis of different review approaches: functionality-based, checklist-driven, entry/exit point-driven, etc.

Android Apps Secure Source Code Analysis 

• Tools and Resources: introduction to SCA tools, library, and guidelines.
  • Semgrep to automate Secure Code Analysis tasks
• OWASP Mobile Top 10: understanding the most common vulnerabilities in Android apps
• Communication security
  • Detecting unsecure data transmission.
• Analyzing data storage mechanism in mobile devices.
• Identifying vulnerabilities in session & authentication mechanisms.
• Detecting input validation vulnerabilities.
• Code protection via obfuscation and anti-tampering techniques.

Fundamentals of backend security: APIs and Web Services

• Introductive considerations when interacting with backend systems and service.