This hands-on workshop addresses one of the most time-consuming and error-prone areas in the industry, the code review process, by utilising CodeQL, one of the most advanced SAST tools. Participants will benefit by saving valuable time identifying new or recurring vulnerabilities in applications that contain millions of lines of code. The code review process is prone to errors, as evidenced by the OWASP Top 10, which shows injection attacks ranking from Top 1 in 2017 to Top 3 in 2021, proving that these issues still persist. Identifying security vulnerabilities at the code level is crucial, as it is the most effective way to flag vulnerabilities, and the cost of mistakes is unacceptable. This workshop helps participants reduce human errors, especially in feature-loaded applications, and aims to provide the best quality in vulnerability identification in their codebases.
A portion of this workshop focuses on equipping participants with the skills to write vulnerability identification rules using CodeQL for their codebases, covering seamless setup and installation, real-world examples, and insightful analysis of results. Training is supported by hands-on sessions with a custom-built Java application designed to be vulnerable to the OWASP Top 10, complemented by a Capture The Flag competition, a gamified way to compete and learn that makes the experience enjoyable.
By the end of this workshop, participants will have the skills to enhance their code analysis capabilities and leverage CodeQL’s full potential for robust security, ultimately improving the security of their applications.
Prerequisites
* Laptop running Linux (recommended), with CodeQL and VS Code installed.
* Basic understanding of common web-based vulnerabilities (optional).
* Basic understanding of manual source code reviews.
* A curious soul.
Instructor Bio:
Sourav Kumar is passionate about software security, focusing on securing web applications, microservices, and software supply chains. As a Senior Security Engineer at CRED, he spearheads product security initiatives, conducts security research on trending attack vectors, and works on scaling secure code reviews.
Apart from his day job, he loves reverse engineering the latest zero-days, researching new zero-days in notable software, and figuring out new ways to break into enterprise tech stacks. Recently, he has been concentrating on researching attack vectors in Java EE technologies, software supply chain security, and static analysis principles. A few notable contributions are listed below:
- Securing Apple, earning a spot in their Hall of Fame: https://support.apple.com/en-gb/102812
- Multiple CVEs for prototype pollution in OSS:
  - CVE-2021-23574: https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2320790
  - CVE-2021-25943 [Duplicate]: https://www.mend.io/vulnerability-database/CVE-2021-25943
- Several other contributions were made to private bug bounty programs.
Sayooj B Kumar is a passionate security researcher and engineer with a keen focus on API and web application security. He currently works as a security engineer at CRED, where he focuses on providing end-to-end product security and conducts research to enhance SAST platforms and their integration into day-to-day security operations.
From the early days of his cybersecurity journey, Sayooj has been actively involved in CTF competitions, leading team Bi0s to become one of the top-ranking teams. In his spare time, he enjoys diving into vulnerability research, bug bounty hunting, and tackling CTF challenges. His interests span various areas, including client-side security and side-channel attacks, where he continually expands his expertise.
In addition to his professional work, Sayooj has helped secure multiple organizations and contributed to several open-source applications. Some of his notable contributions include:
- Securing StackOverflow: Earning a spot in their Hall of Fame.
- Enhancing Security for Deepnote.com
- Reporting Multiple CVEs for Securing Apache, Node Packages, and OpenLiteSpeed:
  - CVE-2023-37379
  - CVE-2021-23448
  - CVE-2021-23718
  - CVE-2024-31617
- Making Numerous Other Contributions in Private Bug Bounty Programs