Black Hat USA Registration Black Hat USA Registration Black Hat USA Briefings Black Hat USA Briefings Black Hat USA Training Black Hat USA Training Black Hat USA Schedule Black Hat USA Schedule Black Hat USA Sponsors Black Hat USA Sponsors Black Hat  USA Special Events Black Hat  USA Special Events Black Hat USA Venue Black Hat USA Venue

On This Page

Application Security for Hackers and Developers

Jared DeMott | July 27-28



Ends May 31



Ends July 24



Ends July 30


There are four technical skills required by security researchers, software quality assurance and test engineers, or developers concerned about security: Source code auditing, fuzzing, reverse engineering, and exploitation. Each of these domains is covered in detail. C/C++ code has been plagued by security errors resulting from memory corruption for a long time. Problematic code is discussed and searched for in lectures and labs. Fuzzing is a topic book author DeMott knows about well. Mutation file fuzzing and framework definition construction (Sulley and Peach) are just some of the lecture and lab topics. When it comes to reversing C/C++ (Java and others are briefly discussed) IDA pro is the tool of choice. Deep usage of this tool is covered in lecture and lab. Exploitation discussions and labs are the exciting final component. You’ll enjoy exploitation basics, and will also use the latest techniques.


No hard prerequisites, but helpful if:

  1. College Degree in a computer related disciple or equivalent work experience
  2. If desired, feel free to read "Introduction to Application Security":
  3. Programming (C/C++/.asm) and security experience will help, but you will still get a lot out of the course if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You won’t walk away disappointed.


By the end of this course, you will be able to: research and develop an exploit from scratch by auditing code or fuzzing an application, reverse engineering the issue, and developing an exploit for the vulnerability you discovered. This knowledge will help developers produce better code, and will help security researchers or malware analysts in their daily tasks.


The course material will be provided to you on day 1. As soon as you receive the course material, copy it from the media and extract and test the virtual machine. Begin by writing a C program and disassembling it, if you arrive to the course early on day 1.

The course material is in 4 directories: SrcAudit, Fuzzing, Reversing, and Exploitation. In each directory you’ll find a wealth of knowledge from documents to labs. Material cannot be shared, directly reproduced, or used for profit.

Please fill out the course review form. Any other comments can be sent directly to the instructor at


What Students Should Bring

Students are required to provide a laptop for the course:

Your laptop should have at least 18GB of free HD space and should have 4GB+ of RAM.

Install Ahead of Time

Examples of Tools on the Virtual Machines


Jared DeMott has spoken at security conferences such as Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, and GRRCon. He is active in the security community by teaching his Application Security course, and has co-authored a book on Fuzzing. Jared has been an invited lecturer at prestigious institutions such as the United States Military Academy, has worked primarily as a vulnerability researcher, and holds a PhD from Michigan State University.