On This Page

Application Security: For Hackers and Developers

Dr. Jared DeMott | August 1-2 & 3-4


Source Code Auditing
Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.

Fuzzing is a runtime method for weeding out bugs in software. It is used by a growing number of product and security organizations. Techniques such as dumb file fuzzing, all the way up to distributed fuzzing, will be covered. Students will write and use various fuzzers.

Reverse Engineering
Students focus on learning to reverse compiled software written in C and C++, though half-compiled code is mentioned as well. The IDA pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, RTTI reconstruction are covered. Students will also use IDA's more advanced features such as flirt/flare, scripting, and plug-ins.

Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach common bug type such as: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and ROP. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Who Should Take this Course

Software testers, developers, managers, enthusiasts. Security engineers, researchers, and malware analysts. Anyone looking to learn about software security.

Student Requirements

No hard prerequisites, but helpful if:

1. College Degree in a computer related disciple or equivalent work experience

2. If desired, feel free to read "Introduction to Application Security": http://www.vdalabs.com/tools/AppSec_Whitepaper.html

3. Programming (C/C++/.asm) and security experience will help, but you will still get a lot out of the course if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You wonêt walk away disappointed.

What Students Should Bring

Students are required to provide a laptop for the course: Your laptop should have at least 18GB of free HD space and should have 4GB+ of RAM. Install Ahead of Time " VMware workstation/player for Windows or Fusion for the Mac

What Students Will Be Provided With

You will be given a Windows 7 VM. Copy to your hard drive, and pass the portable Media to your neighbor. You may not share course media with non-students.

Examples of Tools on the Virtual Machines
  • WinDbg and Immunity Debugger
  • IDA pro 6.x DEMO
  • Python (From Sulley installer. PyDbg works with 2.4 by default in this installer)
  • Peach Fuzzer Â" 010 hex editor (trail available)
  • SciTools Understand (demo)
  • And much more...


Dr. Jared DeMott is a seasoned security researcher, and has spoken at conferences such as DerbyCon, Black Hat, Defcon, ToorCon, Shakacon, DakotaCon, CarolinaCon, ThotCon, GRRCon, and Bsides*. Past notable research relates to stopping a trendy hacker exploit technique (known as ROP), by placing as a finalist in Microsoft's BlueHat prize contest, and by more recently showing how to bypass Microsoft's EMET protection tool. Jared is active in the security community by teaching his Application Security course, and has co-authored the book -- Fuzzing for Software Security Testing and Quality Assurance. DeMott has been on three winning Defcon CTF teams, and has the black badges to prove it. He has been an invited lecturer at prestigious institutions such as the United States Military Academy, and previously worked for the National Security Agency. DeMott holds a PhD from Michigan State University.

Video Preview (Training Description Above - Top of Page)