Software (both managed and native code) has been plagued by security errors for a long time. To combat that reality, security researchers, software quality assurance/test engineers, developers, and software managers need to acquire 6 critical skills for continuous bug hunting and repair (or exploitation): SDL, System Investigation, Static Analysis (open source and commercial), Dynamic Analysis (Burp and Fuzzers), Manual Code Auditing (source and with IDA/reversing), and PoC/Repair (ROP exploits, etc).  Each of these domains is covered in detail in this mature course. As a bonus, students will leave with homework content, so they can continue pushing their abilities, well beyond the duration of the course.

 

Click here to register:

https://www.eventbrite.com/e/application-security-for-hackers-and-developers-tickets-65685610429

 

 TRAINERS:

 

      Dr. Jared DeMott (@jareddemott) has been training at conferences like Black Hat and DerbyCon for over 12 years.  He’s the founder of VDA Labs, and previously served as a vulnerability analyst with the NSA. He holds a PhD from Michigan State University. He regularly speaks on vulnerabilities at conferences like RSA, ToorCon, GrrCon, HITB, etc. He was a finalist in Microsoft’s BlueHat prize contest, which helped make Microsoft customers more secure. Dr. DeMott has been on three winning Defcon capture-the-flag teams, and has been an invited lecturer at prestigious institutions such as the United States Military Academy. Jared is also a Pluralsight author, and is often quoted online and has made TV appearances.

      John Stigerwalt (@jstigerwalt1) is a cyber security engineer who is experienced in penetration testing, application auditing, social engineering, exploit development, and reverse engineering. He has spent many years protecting financial organizations from evolving threats, and is very passionate about improving organizations security. John is always striving to better himself by enhancing his security knowledge. He believes in contributing to the security community with new security findings and helping others learn as well. John holds the OSCE, OSCP, and SLAE certifications.   

 

Day 1: Managed, C/C++, and Fuzzing

8am - 8:30am

Handout Material

·         Pass around Thumb drives for VM Setup 

8:30am - 10:00am

Part 1 - Managed Code/Web Vulns

Lab 1 - iSpyCentral Architecture Review and Reversing

·         Can start looking at before class even kicks off if your VM is ready

Lecture 1: SDL and Product Security Testing

·         Lab 2 - iSpyCentral Key Exploit

·         Lab 3 - SAST iSpy

10:00am - 10:15am

Break 1 - Coffee/snacks

10:15am - 12pm

Continue working on first 5 labs

·         Lab 4 - DAST iSpy

·         Lab 5 - iSpyCentral RCE

12:00pm - 1:00pm

Lunch - On your own

1:00pm - 3pm

Part 2 - Unmanaged/Native Code Vulnerabilities 

Lecture 2: Auditing C and C++

·         Lab 6 - Basic C Bugs

·         Lab 7 - UV Investigation

·         Lab 8 - Warm up with C++

·         Lab 9 - Basic C++ Bugs

3pm - 3:15pm

Break 2 - Coffee/snacks

3:15pm - 5pm

Lecture 3: Fuzzing

·         Pydbg Demo

·         Lab 10 - Peach fuzzer (file fuzzing)

·         Lab 11 - In-memory fuzzing

 

Day 2: Finish Fuzzing, Reversing, and Native Exploits

8am - 8:30am

Work on anything from yesterday

Ask questions about specific things

8:30am - 10:00am

Lecture 3: Modern Fuzzing

• ·         Lab 12 - MSRD and AFL

Lecture 4: Reversing C and C++

• ·         Lab 13 - Easy Crackme

10:30am - 10:15am

Break 1 - Coffee/snacks

10:15am - 12:00pm

Keep Reversing

·         Lab 14 - Med Crackme

·         Lab 15 – Patcher

·         Lab 16 - C++

12:00pm - 1:00pm

Lunch - On your own

1:00pm - 3pm

Last Reversing Lab

·         Lab 17 - Scripting

Lecture 5: Exploiting Native Programs

·         Lab 18 - Function Pointer Overwrite

3pm - 3:15pm

Break 2 - Coffee/snacks

3:15pm - 5pm

·         Lab 19 - Windows Server Exploit

·         Lab 20 - ROP

Student Requirements

No hard prerequisites, but helpful to have a college Degree in a computer related disciple or equivalent work experience. Programming experience will help, but you will still get a lot out of the course even if you lack that, so no fears. All questions are good questions in VDA classes. We have a fun but instructive and intense learning experience. You won't walk away disappointed.

What Students Should Bring

Students are required to provide a laptop for the course.  You need admin rights on the laptop. Your laptop should have a USB port, at least 60GB of free HD space, 6GB+ of RAM, and VMware Fusion for the Mac or workstation/player for Windows/Linux.   Vmware should be installed ahead of time, or you’ll spend a bit of class time doing that.

What Students Will Be Provided With

You will be given a Windows 10 VM. Copy the VM to your disk drive and pass the portable Media to your neighbor.  You will need a normal USB port (bring an adapter if you have the newer/smaller USB-C) and an OS that can read an ExFat file system thumb drive. (Most Mac and Windows have that, but with Linux, check for the driver.) You may not share course media with non-students.