Week 2 - Source Code Auditing \\ Part 1

This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities.

Workshop Materials

Pico CTF Python Eval

1. https://2013.picoctf.com/problems/pyeval/stage1.html
2. https://2013.picoctf.com/problems/pyeval/stage2.html
3. https://2013.picoctf.com/problems/pyeval/stage3.html

Vulnerable Python Programs

1. https://github.com/isislab/Hack-Night/tree/master/2015-Spring/workshops/week2

Real World Vulnerabilities

1. Linux backdoor attempt
2. Heartbleed
   • http://xkcd.com/1354/
   • http://asecuritysite.com/Encryption/heart2
3. Shellshock

Resources

1. Source Code Analysis
2. Application Security
3. The Art of Software Security Assessment
4. Integer Overflows
5. Catching Integer Overflows
6. The Fortify Taxonomy of Software Security Flaws