About The Training
Goa 2025 | Trainings
- AI Security: Terminating The Terminator
- Advanced Infrastructure Security Assessment
- Attack and Defend Software Supply Chains
- Azure Cloud Attacks for Red and Blue Teams
- Blocking the Storm: A Hands-On Guide to Hardening and Securing Kubernetes Clusters
- DevSecOps - A Hands-on Experience
- Efficient Malware Analysis: Comprehensive Approach
- HackTheWeb: Pentesting Beyond Basics
- Hacking Android Applications
- IoT Security Bootcamp GOA Edition
- Rapid Threat Model Prototyping (RTMP) - Agile Threat Modeling Mastery including Cloud and AI
- Slaying the RE Dragon: Mastering Reverse Engineering
- The Application Security Tool Stack - How to Discover Vulnerabilities in Software
The Application Security Tool Stack - How to Discover Vulnerabilities in Software
Start Date: Feb 26, 2025
End Date: Feb 28, 2025
Venue: TBA
Some of the techniques you will learn during this course
- How automated analysis can be integrated into manual code reviewing workflows
- Advanced Fuzzing using AFL++ and LIBFUZZER
- Using and extending different analysis tools
- Clang static analyzer basics
- How to create Checker plugins for the Clang static analyzer
- Using semantic patching tools such as COCCINELLE to create patches quickly and detecting more issues
- Applying dataflow tracking tools such as CodeQL and modern static analysis frameworks to identify vulnerable code patterns and perform variant analysis
- The course is hands-on with a mix of demonstrations and lecture. Both, methodology and tools will be focus of this training.
Advanced
Day-1 Basics of Application Security and Fuzzing
On the first day the basics of software security and approaches to identify flaws in larger projects will be discussed. We will show examples of security vulnerabilities, common places where they emerge, and how to analyze the API of large projects for dangerous functionality.
Important aspects here are the strategies to identify the right places to look for vulnerabilities. Following this we will show how to create interfaces and test cases that are suitable for dynamic analysis. We will also show basic tools and use them to analyze common targets.
Takeaways:
- What are the most important vulnerabilities to discover.
- How to approach large software projects when looking for vulnerabilities.
- How to identify attack vectors.
- How to use basic tools to analyze binaries or source code.
- What Fuzzing is.
- How to use fuzzers to their to its full potential (focus on AFL++ and libfuzzer).
Day 2 - Static and Dynamic Analysis
The second day covers static analysis tools, which help to identify issues in software by analyzing the source code with the help of powerful tools. Since some issues are quite special to a specific code base, this day also covers how to extend analysers to make them adapt to a specific code base.
Takeaways:
- What is static analysis.
- When to apply static analysis.
- How to use CPPCHECK and implement a new check.
- How to use Clang and write custom checkers to analyze your codebase.
- Speed up bug finding and patching by using COCCINELLE.
- Using dynamic analysis for blackbox analysis without source code.
Day 3 - Advanced Bughunting
The third day covers advanced topics such as semantic grepping and bug pivoting. Additionally it covers the combination of manual and automated techniques, such as targeted fuzzing and combining static and dynamic analysis.
Takeaways:
- Using semantic grep to find vulnerable code patterns.
- Patching and identifying flaws at scale with tools such as COCCINELLE
- Analysing crashes, triaging interesting errors and creating test cases.
- Tainted input where it shows up, and how to find and trace it
- Combining different techniques to find complex and deeply hidden vulnerabilities.
- A system able to run VirtualBox x86_64 based VMs, either via USB stick or download
- A minimum 40GB of disk space
- 8 GB of RAM
- Basic Linux command line skills, e.g. the ability to invoke a tool on one or many input files)
- Good knowledge of programming languages, preferably also a low level language such as C and/or Assembly.
- Understanding of security issues in software.
The training is aimed at security engineers, security researchers, software developers, and anyone generally interested in how to identify vulnerabilities in software.
When auditing or managing large software projects, identifying security vulnerabilities is often a hard task. If you want to go beyond vulnerabilities others have found, you need to find your own fresh and previously undiscovered issues. Especially in high profile targets this is getting more and more important. After this workshop you will be able to use techniques of static and dynamic analysis to discover security issues fast and efficient. Besides the tools, the mindset and approach of manual code review is presented as well.
- Training VM image including all the tools
- Concrete examples of vulnerable software and the methods and tools how to find the hidden vulnerabilities
- Tools and scripts that can be applied to software in your own work
- Introduction to software development
- 0days (unless you find them yourself during the training)
Eric Sesterhenn is working as an IT Security consultant for more than 15 years, working mostly in the areas of penetration testing and source code auditing.
He has identified vulnerabilities in various software projects including the Linux kernel, BIND9 and X.org and analysis of complex software applications and infrastructures and extensive experience in code reviewing, penetration testing, and vulnerability analysis;- speaker at DEF CON, beVX 2018 and 35c3 about smartcard driver security: https://www.x41-dsec.de/lab/blog/smartcards
He worked as a speaker at Nullcon 2018 about security issues in IoT OS: https://archive.nullcon.net/website/goa-2018/speakers/eric-sesterhenn.php
Markus Vervier is Head of Research and Managing Director at X41 D-Sec GmbH. Software security is his main focus of work. During the last 15 years of professional experience in offensive IT security he worked as a penetration tester and security consultant and was doing active security research. He has Extensive experience in the field of code-review, reverse engineering, and vulnerability analysis of applications on various platforms and architectures;- reverse engineering and security analysis of embedded firmware for mobile devices (Android device baseband firmware);- discovery of the first vulnerabilities in the Signal Private Messenger: https://pwnaccelerator.github.io/2016/signal-part1.html
He worked as a speaker at OffensiveCon 2023, BruCon 2023, hack.lu 2023, Infiltrate, HITBSECCONF, and Troopers security conferences about offensive security topics such as baseband reverse engineering and application security;- memory corruption vulnerability in libOTR:https://x41-dsec.de/lab/advisories/x41-2016-001-libotr/