The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Tuesday, January 22 • 9:00am - 5:00pm
Seth & Ken's Excellent Adventures (In Code Review) [Day 1 of 2]

Course Abstract

Have you ever been tasked with reviewing 3.2 million lines of code manually for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review, the lessons we’ve learned along the way, and making them applicable for others who perform code reviews. We will share our methodology for analyzing any source code and sussing out security flaws, no matter the size of the code base, the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application code base.

Training Syllabus

Day 1:

● Overview
● Introductions
● Philosophy
● What to Expect
● Tools/Lab Setup
● OWASP Top 10
● Code Review Methodology
● Overview
  ■ Introduction to Methodology/Philosophy
  ■ Documentation
● What/When/Where
  ■ Automated Tools
  ■ Manual Analysis
● Information Gathering
  ■ Profiling
  ■ Mapping
  ■ Threat Modeling
  ■ Enumeration
  ■ AAA (Authentication/Authorization/Auditing)
  ■ Other interesting finds
    ● Comments
    ● Keys
    ● 3rd-party libraries
● Authentication
  ■ User Enumeration
  ■ Timing Attacks
  ■ Password Complexity
  ■ Typical Logic Flaws
  ■ Insecure Password Resets
  ■ Insecure Forgot Password Functionality
  ■ Password Storage
● Authorization
  ■ Broken Access Control
    ● Insecure Direct Object Reference
    ● Forced Browsing
    ● Missing Function Level Access Control
● Auditing
  ■ Sensitive Data Exposure
  ■ Logging Vulnerabilities
● Injection
  ■ Input Validation
  ■ SQL Injection
    ● ORM and ActiveRecord Patterns/Flaws
    ● Examples from previous assessments
  ■ Server-Side Request Forgery
  ■ HTML/Content Injection
● Cryptographic Analysis
  ■ Encoding vs. Encryption
  ■ Hashing
  ■ Stored Secrets
● Configuration Review
  ■ Framework gotchas
  ■ Configuration files
  ■ Dependency Analysis

Day 2:

● Technical Hands-On Review
● Java
● .Net
● Ruby On Rails
● Node.js
● Django

Upon completion of this training, attendees will know:

Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.

Attendees should bring:

Laptop with wireless and virtual machine (VMware/VirtualBox) capabilities.
Preferred IDE

Prerequisites for attendees:

Attendees should be familiar with the development process (SDLC) and where security code reviews fit into the process. Attendees must have experience using an IDE, running command-line tools, and be able to read application source code. Attendees must have knowledge of the OWASP Top 10 and other common vulnerabilities.

Ken Johnson

AppSec Person, GitHub
Ken Johnson has been hacking web applications professionally for 11 years. Ken is both a breaker and builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec...
Seth Law

President and Principal Security Consultant, Redpoint Security
Seth Law is the President and Principal Security Consultant of Redpoint Security (rdpt.io). During the last 15 years, Seth has worked within multiple disciplines, from software development to network protection, as a manager and individual contributor. Seth has honed his application...

Tuesday January 22, 2019 9:00am - 5:00pm
Guest House Parlor/Salon