Source Code Review for Penetration Testers

BSidesLV 2013

Presented by: Andrew Wilson
Date: Wednesday July 31, 2013
Time: 10:00 - 13:50
Location: Florentine F
Track: Training Ground

Course Rationale

This course is designed to expose penetration testers to various approaches used in professional source code reviews. This course will not focus on specific vulnerabilities, but instead focus on strategies and tactics outlined in “The Art of Software Security Assessment” which have been vetted through the personal experience of the instructor. This is a hands-on workshop.

Prerequisites

A student should have prior exposure to testing dynamic applications, as well as exposure to programming languages.

Learning Outcomes

Upon successful completion of this course, students will be able to:

• Find more security issues, more consistently
• Identify an appropriate approach to source code review that depends on client needs, scope and personal skill
• Demonstrate and apply the basic principles of code review strategies, such as:
• Design generalization
• Candidate point
• Code comprehension
• Leverage code review tactics to not get miserably lost during a review
• Develop a basic understanding of how to scale a review from several hundred lines to several thousand
• Build a custom list of candidate points for targeted reviews

Andrew Wilson

Andrew Wilson is a Senior Security Associate for Stach & Liu. In this role, Andrew focuses mainly on application assessments and security training. His primary areas of expertise are application penetration testing, secure developer training and the design and implementation of secure applications. Prior to Stach & Liu, Andrew worked for 9 years as a senior .NET engineer building secure applications in a variety of industries. Andrew has worked extensively in higher education and banking fraud, and is a Microsoft MVP in Developer Security.