VDA Labs Application security for hackers and developers 2019 - ENGLISH ONLY

October 30-31st

The 11th edition of Hackfest invites you to attend the VDALabs training : Application Security: for Hackers and Developers

What’s included

  • Coffee breaks: morning and afternoon
  • Lunch for the 2 days
  • Hackfest badge to access Hackfest talks and rooms

Registration

Eventbrite - Application security for hackers and developers 2019

This course is only given in English

Description

Software (both managed and native code) has been plagued by security errors for a long time. To combat that reality, security researchers, software quality assurance/test engineers, developers, and software managers need to acquire 6 critical skills for continuous bug hunting and repair (or exploitation): SDL, System Investigation, Static Analysis (open source and commercial), Dynamic Analysis (Burp and Fuzzers), Manual Code Auditing (source and with IDA/reversing), and PoC/Repair (ROP exploits, etc). Each of these domains is covered in detail in this mature course. As a bonus, students will leave with homework content, so they can continue pushing their abilities, well beyond the duration of the course.

Course schedule

Day 1: Managed, C/C++, and Fuzzing

  • 8am - 8:30am
    • Handout Material
      • Pass around Thumb drives for VM Setup
  • 8:30am - 10:00am
    • Part 1 - Managed Code/Web Vulns
    • Lab 1 - iSpyCentral Architecture Review and Reversing
      • Can start looking at before class even kicks off if your VM is ready
    • Lecture 1: SDL and Product Security Testing
      • Lab 2 - iSpyCentral Key Exploit
      • Lab 3 - SAST iSpy
  • 10:00am - 10:15am
    • Break 1 - Coffee
  • 10:15am - 12pm
    • Continue working on first 5 labs
      • Lab 4 - DAST iSpy
      • Lab 5 - iSpyCentral RCE
  • 12:00pm - 1:00pm
    • Lunch - Hotel Restaurant, included
  • 1:00pm - 3pm
    • Part 2 - Unmanaged/Native Code Vulnerabilities
    • Lecture 2: Auditing C and C++
      • Lab 6 - Basic C Bugs
      • Lab 7 - UV Investigation
      • Lab 8 - Warm up with C++
      • Lab 9 - Basic C++ Bugs
  • 3pm - 3:15pm
    • Break 2 - Coffee
  • 3:15pm - 5pm
    • Lecture 3: Fuzzing
      • Pydbg Demo
      • Lab 10 - Peach fuzzer (file fuzzing)
    • Lab 11 - In-memory fuzzing

Day 2: Finish Fuzzing, Reversing, and Native Exploits

  • 8am - 8:30am
    • Work on anything from yesterday
    • Ask questions about specific things
  • 8:30am - 10:00am
    • Lecture 3: Continue Fuzzing
      • Lab 12 - AFL
    • Lecture 4: Reversing C and C++
      • Lab 13 - Easy Crackme
  • 10:30am - 10:15am
    • Break 1 - Coffee
  • 10:15am - 12:00pm
    • Keep Reversing
      • Lab 14 - Med Crackme
      • Lab 15 - Patcher
    • Lab 16 - C++
  • 12:00pm - 1:00pm
    • Lunch - Hotel restaurant, included
  • 1:00pm - 3pm
    • Last Reversing Lab
      • Lab 17 - Scripting
    • Lecture 5: Exploiting Native Programs
      • Lab 18 - Function Pointer Overwrite
  • 3pm - 3:15pm
    • Break 2 - Coffee/snacks
  • 3:15pm - 5pm
    • Lab 19 - Windows Server Exploit
    • Lab 20 - ROP

Student requirements

No hard prerequisites, but helpful to have a college Degree in a computer related disciple or equivalent work experience. Programming experience will help, but you will still get a lot out of the course even if you lack that, so no fears. All questions are good questions in VDA classes. We have a fun but instructive and intense learning experience. You won’t walk away disappointed.

What students should bring

Students are required to provide a laptop for the course. You need admin rights on the laptop. Your laptop should have a USB port, at least 60GB of free HD space, 6GB+ of RAM, and VMware Fusion for the Mac or workstation/player for Windows/Linux. Vmware should be installed ahead of time, or you’ll spend a bit of class time doing that.

What students will be provided with

You will be given a Windows 10 VM. Copy the VM to your disk drive, and pass the portable Media to your neighbor. You will need a normal USB port (bring an adapter if you have the newer/smaller USB-C) and an OS that can read an ExFat file system thumb drive. (Most Mac and Windows have that, but with Linux, check for the driver.) You may not share course media with non-students.

Who should take this course

Developers, Testers, Hackers, Managers, Security Researchers, Penetration Testers, Journalists, etc. – we get a great variety of students interested in learning about AppSec. Any level of learner is appropriate.

Biographies


@jareddemott
@vdalabs
Dr. Jared DeMott has been training at conferences like Black Hat and DerbyCon for over 12 years. He’s the founder of VDA Labs, and previously served as a vulnerability analyst with the NSA. He holds a PhD from Michigan State University. He regularly speaks on vulnerabilities at conferences like RSA, ToorCon, GrrCon, HITB, etc. He was a finalist in Microsoft’s BlueHat prize contest, which helped make Microsoft customers more secure. Dr. DeMott has been on three winning Defcon capture-the-flag teams, and has been an invited lecturer at prestigious institutions such as the United States Military Academy. Jared is also a Pluralsight author, and is often quoted online and has made TV appearances.


@jstigerwalt1
John Stigerwalt is a cyber security engineer who is experienced in penetration testing, application auditing, social engineering, exploit development, and reverse engineering. He has spent many years protecting financial organizations from evolving threats, and is very passionate about improving organizations security. John is always striving to better himself by enhancing his security knowledge. He believes in contributing to the security community with new security findings and helping others learn as well. John holds the OSCE, OSCP, and SLAE certifications.