Days: September 23 to September 25
Instructors: Abraham Aranguren
This course has been prepared after years of research and experience gained through pentesting mobile applications. It is structured to follow the OWASP Mobile Top Ten and the OWASP Mobile Security Testing Guide. This is a hands-on practical course, the skills gained can be applied to mobile security assessments immediately.
Each day starts with a brief introduction to the mobile platform for that day and then continues with a look at the static analysis, moves on to dynamic checks finishing off with a nice CTF session to test the skills gained.
Overview
Day 1 includes but is not limited to a brief introduction to Android security, a series of techniques focused on static analysis, followed by dynamic analysis covering both monitoring and modifying app behavior at runtime. The day ends with beautiful CTF challenges to entertain even advanced mobile app penetration testers.
Day 2 begins with a brief iOS security crash course, static analysis techniques, followed by dynamic analysis including both monitoring and modifying app behavior at runtime. The day ends with more lovely CTF challenges.
Day 3 takes a deeper look at instrumentation on both Android and iOS, with a special focus on app behavior modification at runtime. Learn more about Frida scripts, Objection, and Xposed modules. Bypass jailbreak detection and much more. End the day by testing your skills, more CTF time!
Laptop Requirements
Connect to wireless/wired networks.
Read PDF files.
Administrative rights (access USB, deactivate AV and firewall, install software, etc.)
Minimum of 8GB of RAM (16GB+ Recommended)
40GB+ free disk space (to copy the lab VM and other goodies)
VMware Player (ideally VMware Workstation)
One of the following (ideally, all): a jailbroken iPhone/iDevice with iOS >= 9 (ideally iOS 12) for the iOS labs, a Mac/Hackintosh with the latest Xcode installed for iOS code review and labs, and optionally Genymotion and Burp Suite
Days: September 23 to September 25
Instructors: Ken Johnson and Seth Law
Have you ever been tasked with manually reviewing 3.2 million lines of code for SQL Injection, XSS, and Access Control flaws? Have you been asked to review a new framework on short notice? Does the idea of reviewing Ruby, Go, or Node code leave you with heartburn? This course addresses all of these common challenges in modern code review. We have concentrated on taking our past adventures in code review and the lessons we’ve learned along the way, and made them applicable for others who perform code reviews. We will share our methodology for analyzing any source code and sussing out security flaws, no matter the size of the code base, the framework, or the language. You as a student will learn the methodology, techniques, approach, and tools used by Seth Law and Ken Johnson to understand code flows, trace user input, identify vulnerabilities, and effectively secure an application codebase.
Upon completion, attendees will know:
Students will take away knowledge and experience in approaching numerous code languages and frameworks to complete a security source code review. In addition, the learned methodology can be customized by the attendee to fit into any organization’s security SDLC. Finally, the attendee will have the tools to review source code for any web, mobile, or modern application, whether or not the targeted language is specifically covered during the course.