A few months ago, I asked on this website and other places on the Internet what you wanted to see in a vulnerability discovery workshop.
The Linux, Ubuntu, and open source communities successfully organised the Ubuntu Summit less than two weeks ago. On the event’s final day, I presented the first iteration of a software security workshop, “The Open Source Fortress: Finding Vulnerabilities in Your Codebase Using Open Source Tools”.
Based on a custom, purposefully vulnerable Python and C codebase, I proposed tasks using a variety of techniques and tools:
- Threat modelling with OWASP Threat Dragon;
- Secret scanning with Gitleaks;
- Dependency scanning with OSV-Scanner;
- Linting with Bandit and flawfinder;
- Code querying with Semgrep;
- Fuzzing with AFL++; and
- Symbolic execution with KLEE.
The workshop consists of an online wiki and a GitHub repository with source code and pre-built Docker images.
It is meant to be solved at home without the live assistance of a workshop host. Just follow the next steps:
- Review the concepts of SDLC and software security.
- Understand and set up the analysis infrastructure.
- Understand the vulnerable application that will be analysed: its functionality, architecture, and vulnerabilities.
- For each analysis technique, solve the proposed tasks. If encountering blockers, the proposed solutions can be used.
- Review what other analysis techniques exist and how all techniques can be automated.
- Review the security checklist and think about how the techniques and tools can be embedded in the development process of participant’s projects.
Please let me know what you think about it!
If you need support or have a question or proposal, reach out to me, or just create an issue in the GitHub repository.