DeepSec 2022 Training: Practical Secure Code Review – Seth Law, Ken Johnson
Ready to take your bug hunting to a deeper level? Ever been tasked with reviewing source code for SQL Injection, XSS, Access Control and other security flaws? Does the idea of reviewing code leave you with heartburn? This course introduces a proven methodology and framework for performing a secure code review, as well as addressing common challenges in modern secure code review. Short circuit your development of a custom secure code review process by gleaning from Seth & Ken’s past adventures in performing hundreds of code reviews and the lessons we’ve learned along the way. We will share a proven methodology to perform security analysis of any source code repository and suss out security flaws, no matter the size of the code base, or the framework, or the language.
Please tell us the top 5 facts about your training.
- Since its creation, Ken and Seth’s Practical Secure-Code Review course has been delivered at DefCon (this course was one of only five trainings picked up by DefCon this year), Blackhat, AppSec EU and other conferences around the world, helping hundreds of developers and application security professionals to dive into the fundamentals of secure-code review.
- People who have taken the secure-code review training have gone on to incorporate secure-code review within their own organizations or bug-hunting toolsets. This has often been relayed back to us by former students who reach out to Seth and Ken through their Absolute AppSec podcast channels or who recommend the publicly available resources or live demonstrations of code review that Seth and Ken periodically livestream on YouTube.
- During the second day of the training, Seth and Ken guide students through their own secure-code reviews of a selected codebase. During this workshop portion of the course, organizations and bug-hunters alike often discover bugs within the few hours they apply the secure-code review methodology. We’ve watched this training turn into Jira tickets or bug-bounty reports in real time!
- The course trains students in the Secure-Code Review methodology through repeated demonstrations of the process with simple applications from a variety of languages and frameworks. These exercises involve identifying source files that determine authentication flows, authorization functions, user-input handling, and source-to-sink tracing. This means students get some broad familiarity with the general shape of Django or Rails applications, but will especially be trained on how to prioritize the time they devote to understanding an application and focusing on the components that are most likely to reward their research efforts.
- Seth and Ken have used secure-code review as a key tool they use daily in, respectively, managing a successful application-security consultancy and the red- and blue-team groups at GitHub.
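As an added illustration of the source-to-sink tracing mentioned above, and not code from the training or its authors, the following script is a minimal intra-procedural taint tracer built on Python's `ast` module. It assumes Django-style views that take a parameter named `request`; the lists of sources, sinks and sanitizers and the sample views it analyses are constructed for this example only.

```python
import ast

# Constructed, deliberately small lists (assumption: Django-style views whose
# first parameter is called `request`); a real review grows these per codebase.
SOURCE_PREFIXES = ("request.GET", "request.POST", "request.COOKIES")
SINKS = {"cursor.execute", "os.system", "subprocess.call"}
SANITIZERS = {"int", "escape"}            # calls whose result is treated as clean


def dotted_name(node):
    """Render an Attribute/Name chain such as request.GET.get as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def call_name(node):
    return dotted_name(node.func) if isinstance(node, ast.Call) else None


def is_tainted(node, tainted_vars):
    """Does evaluating this expression yield attacker-controlled data?"""
    if isinstance(node, ast.Call) and call_name(node) in SANITIZERS:
        return False                                  # sanitiser output is clean
    if isinstance(node, ast.Attribute) and (dotted_name(node) or "").startswith(SOURCE_PREFIXES):
        return True                                   # direct read of request data
    if isinstance(node, ast.Name):
        return node.id in tainted_vars                # variable marked earlier
    return any(is_tainted(c, tainted_vars) for c in ast.iter_child_nodes(node))


def iter_stmts(body):
    """Yield statements in source order, descending into if/for/try bodies but not
    into nested function or class definitions (those are analysed on their own)."""
    for stmt in body:
        yield stmt
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for field in ("body", "orelse", "finalbody", "handlers"):
            children = getattr(stmt, field, None)
            if isinstance(children, list):
                yield from iter_stmts(children)


def own_calls(stmt):
    """Yield Call nodes belonging to this statement, not to statements nested in it."""
    stack = [c for c in ast.iter_child_nodes(stmt) if not isinstance(c, ast.stmt)]
    while stack:
        node = stack.pop()
        if isinstance(node, ast.Call):
            yield node
        stack.extend(c for c in ast.iter_child_nodes(node) if not isinstance(c, ast.stmt))


def find_flows(source_code):
    """Return (function, sink, line) for every sink call fed by untrusted input."""
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in iter_stmts(func.body):
            if isinstance(stmt, ast.Assign):           # propagate or clear taint
                names = [t.id for t in stmt.targets if isinstance(t, ast.Name)]
                if is_tainted(stmt.value, tainted):
                    tainted.update(names)
                else:
                    tainted.difference_update(names)
            for call in own_calls(stmt):
                sink = call_name(call)
                if sink in SINKS and any(is_tainted(a, tainted) for a in call.args):
                    findings.append((func.name, sink, call.lineno))
    return findings


# Constructed sample view code (not taken from any real project).
SAMPLE = """\
from django.db import connection
import os

def lookup_user(request):
    username = request.GET.get("user")
    cursor = connection.cursor()
    cursor.execute("SELECT * FROM users WHERE name = '%s'" % username)  # flagged
    return cursor.fetchall()

def lookup_by_id(request):
    user_id = int(request.GET.get("id"))        # int() breaks the taint chain
    cursor = connection.cursor()
    cursor.execute("SELECT * FROM users WHERE id = %s", [user_id])
    return cursor.fetchall()

def export(request):
    name = request.POST.get("name")
    if name:
        os.system("tar czf /tmp/export.tgz " + name)   # flagged, inside the if
    name = "fixed"
    os.system("echo " + name)                  # clean after reassignment
"""

if __name__ == "__main__":
    for func, sink, line in find_flows(SAMPLE):
        print(f"{func}: untrusted data reaches {sink} at line {line}")
```

The tracer is intentionally narrow: it follows simple assignments inside one function, does not model aliasing, attribute stores or calls into other functions, and treats the sanitizer list as a hypothesis rather than a proof. That is the point of using it during a review: it surfaces the handful of request-handling functions worth reading line by line, and the reviewer then confirms by hand whether each candidate sanitizer really neutralises the input for that particular sink.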
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
In consulting for large organizations or spearheading security teams at companies like GitHub, Seth and Ken have decades of experience in pentesting across many projects that included line-by-line code reviews. This type of bug-hunting often meant dropping into unfamiliar languages or frameworks with deadlines fast approaching. Ken and Seth realized that there wasn’t really a methodology that existed for helping code reviewers rapidly get up to speed in understanding and ultimately finding vulnerabilities in such demanding contexts. Seth and Ken, as a result, developed this course to help people learn to hunt for bugs in source code from any language or framework, regardless of one’s initial familiarity with the language.
Why do you think this is an important topic?
Source-code review is a powerful tool for a range of tasks infosec professionals face on a near-daily basis. By way of example, many people have had the experience of a team leader or CISO coming to them or their team with a massive output from a static analysis tool scan and asking them to determine what is a false positive and what is an actual vulnerability finding. Secure-code review is one of the few ways to tackle this kind of project. Bringing source-code review into your own skillset can help an individual with career advancement goals, but it also benefits organizations that train developer or security teams in the methodology.
Is there something you want everybody to know – some good advice for our readers maybe?
- “Don’t trust user input”
- “Don’t neglect logging and monitoring”
- “Friends don’t let friends roll their own authentication system”
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your workshop in particular?
- Practitioners will become less hands-on with the broad scope of applications within their areas of responsibility and utilize signals to surface the riskiest apps, so that teams can focus on what matters and use safeguards for other services. This is already happening in bleeding-edge shops but hasn’t gone completely mainstream yet.
- Source code reviewers will need to become more agnostic in their approach, as there are too many frameworks and languages in use and they have short popularity cycles, so a jack-of-all-trades approach will be more useful than expertise in one particular tech stack.
- SOA/microservices continue to present vulnerabilities that are best found outside source code reviews (i.e., dynamically), so there is a growing need for smarter automated dynamic analysis.
- Bug bounty programs will continue to grow.
Seth Law is an experienced Application Security Professional with over 15 years of experience in the computer security industry. During this time, Seth has worked within multiple disciplines in the security field, from software development to network protection, both as a manager and individual contributor. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth is employed as a security consultant, co-hosts the Absolute AppSec podcast with Ken Johnson, and is a regular speaker at developer meetups and security events, including Blackhat, Defcon, CactusCon, and other regional conferences.
Ken Johnson has been hacking web applications professionally for 14 years and has given security training for 10 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomnihack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, devops security, and AWS security. Ken also co-hosts the Absolute AppSec podcast with Seth Law.