2-day hands-on technical Workshop in HITB SecConf 2024 Bangkok

Secure Code Review for Developers & Security Professionals

Register: $1,399.00

This 2-day workshop introduces students to a practical approach to Secure Code Review (SCR) that helps them detect security weaknesses unlikely to be found by dynamic testing or automated static code analysis.

Duration

2-day

Delivery Method

In-Person

Level

beginner


ATTEND IN-PERSON: Onsite in Bangkok, Thailand

DATE: 27-28 August 2024

TIME: 09:00 to 17:00 ICT/GMT+7

Date    Day        Time                   Duration
27 Aug  Tuesday    09:00-17:00 ICT/GMT+7  8 Hours
28 Aug  Wednesday  09:00-17:00 ICT/GMT+7  8 Hours

Secure Code Review (SCR) plays a crucial role in any professional software security initiative and complements other testing activities – such as dynamic testing – by significantly extending code coverage and increasing the chances of exposing complex and critical security weaknesses.

This workshop presents a beginner-friendly approach to manual Secure Code Review (SCR) that combines multiple methods and techniques to detect more bugs during software security reviews. The methodology focuses on Android applications and their development environment; students will apply these methods to a variety of apps built with different libraries and frameworks, so that they become comfortable with the structure of Android applications and with the issues commonly found when assessing their security.

The workshop is highly practical: students will manually review multiple snippets of vulnerable code and develop rules to increase the detection of security issues in source code.

 

Key learning objectives
  • Understand the unique role and value of secure code review in improving the security posture of modern software applications.
  • Learn how multiple review methodologies can be combined to increase code coverage and maximize the detection of high-impact security defects.
  • Learn how the most critical vulnerabilities are “manifesting” in Android applications’ source code by reviewing multiple real-world snippets of vulnerable code.

 

What will the students get
  • A methodology, principles, and approaches to initiate a secure code review activity against familiar and unfamiliar programming languages as well as mobile frameworks.
  • A fully configured Virtual Machine (VM) with a selection of pre-configured tools, ready to be used for delivering effective secure code review activities with a focus on the Android environment.

 

Agenda/Topics Covered

Overview on Secure Code Review

  • What is Secure Code Review.
  • Manual vs. Automated Secure Code Review.
  • The role of Secure Code Review in the Secure Development Lifecycle (SDLC).

 

Code Review Methodologies

  • Introduction to OWASP Code Review Guide.
  • Analysis of different review approaches: functionality-based, checklist-driven, entry/exit point-driven, etc.

 

Android Apps Secure Source Code Analysis 

  • Tools and Resources: introduction to source code analysis tools, libraries, and guidelines.
    • Semgrep to automate Secure Code Analysis tasks
  • OWASP Mobile Top 10: understanding the most common vulnerabilities in Android apps
  • Communication security
    • Detecting insecure data transmission.
  • Analyzing data storage mechanism in mobile devices.
  • Identifying vulnerabilities in session & authentication mechanisms.
  • Detecting input validation vulnerabilities.
  • Code protection via obfuscation and anti-tampering techniques.
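As an illustration of the "develop rules" part of the workshop, the following Semgrep rule is an added example (it is not part of the workshop materials, and the rule id, message and metadata are my own naming). It targets one form of insecure data transmission in Android/Java code: TLS validation that has been switched off by an X509TrustManager with an empty checkServerTrusted() body, or by a HostnameVerifier that unconditionally returns true.

```yaml
# Added example Semgrep rule (not from the workshop). Assumed names: the rule id
# and message are illustrative, not a rule from the Semgrep registry.
rules:
  - id: android-tls-trust-everything
    languages: [java]
    severity: ERROR
    message: >-
      TLS validation is disabled: this TrustManager/HostnameVerifier accepts any
      server certificate or hostname, which allows man-in-the-middle attacks.
      Rely on the platform default validation, or pin certificates via the
      Android Network Security Config or the HTTP client's pinning API.
    metadata:
      category: security
      cwe: "CWE-295: Improper Certificate Validation"
      owasp: "OWASP Mobile Top 10 (2016) M3: Insecure Communication"
    pattern-either:
      # 1. Named class with an empty checkServerTrusted(): every chain is "trusted".
      #    The `...` lines match any other members before/after the method.
      - pattern: |
          class $TM implements X509TrustManager {
            ...
            public void checkServerTrusted(X509Certificate[] $CHAIN, String $AUTH) { }
            ...
          }
      # 2. Same weakness written as an anonymous class, the common copy-paste form.
      - pattern: |
          new X509TrustManager() {
            ...
            public void checkServerTrusted(X509Certificate[] $CHAIN, String $AUTH) { }
            ...
          }
      # 3. HostnameVerifier that never rejects a hostname.
      - pattern: |
          new HostnameVerifier() {
            public boolean verify(String $HOST, SSLSession $SESSION) {
              return true;
            }
          }
```

Run it against an app's sources with `semgrep --config android-tls.yaml app/src/main/java/` (file name assumed). The rule deliberately matches only an empty checkServerTrusted() body and a literal `return true;`; a reviewer would extend it with further patterns (for example a body that only logs, or a verify() that returns a constant field) once those variants show up in the code under review.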

 

Fundamentals of backend security: APIs and Web Services

  • Introductory considerations when interacting with backend systems and services.

TRAINER

Antonio Pandolfi is a senior security researcher experienced in software penetration testing and secure code review for web and mobile applications and technologies.

Antonio holds a Bachelor of Science (BSc) in Computer Science from the University of Pisa, where he graduated with a thesis on advanced techniques for passive Operating System (OS) fingerprinting.

He holds multiple cybersecurity certifications including OPST, eMAPT and OWSE.

During his career, Antonio gained extensive experience in fuzz testing techniques and procedures at the Huawei Munich Research Centre (Germany), where he served as a senior vulnerability researcher.

In his spare time, he enjoys researching and exploiting vulnerabilities for Internet of Things (IoT) devices and open-source projects.

Adverse Theory is a disruptive startup focused on delivering "unconventional" cybersecurity advisory services to support organizations in establishing security teams, managing large-scale security programs, and developing innovative security technologies.

Why You Should Take This Course

This 2-day workshop introduces students to a practical approach to Secure Code Review (SCR) that helps them detect security weaknesses unlikely to be found by dynamic testing or automated static code analysis.

Who Should Attend

This workshop is designed for anyone interested in learning the core principles and methodologies for conducting Secure Code Review activities, including:
  • Professionals with experience in dynamic testing who want to detect more bugs by looking at the source code of their targets.
  • Software Developers, Software Security Engineers, and DevSecOps Engineers.
  • Students who want to start building the competences required for a security consultant or engineer role focused on software security.

Prerequisite Knowledge

Basic understanding of Object-Oriented Programming (OOP) and the Model-View-Controller (MVC) design pattern. Basic knowledge of Android programming is preferred. The course is beginner friendly; no prior experience in hunting for vulnerable code is required.

Hardware / Software Requirements

  • Laptop running Microsoft Windows 10 or later, or Apple macOS
  • CPU: 64-bit Intel i5/i7, 4th generation or newer (2.0 GHz or faster)
  • 8 GB of RAM or more
  • 100 GB of free disk space
  • Wi-Fi 802.11 capability (no wired connection available in the classroom)
  • VMware Workstation / Player (Windows) or VMware Fusion (macOS) installed
  • Local administrative access to the host OS is required