On This Page

Application Security: For Hackers and Developers

VDA Labs | August 4-5


Day 1:
Source Code Auditing
Understanding how and when to audit source code is key for both developers and hackers. Students learn to zero in on the important components. Automated tools are mentioned, but auditing source manually is the focus, since verifying results is a required skill even when using automated tools. Spotting and fixing bugs is the focus.

Fuzzing is a runtime method for weeding out bugs in software. It is used by a growing number of product and security organizations. Techniques such as dumb file fuzzing, all the way up to distributed fuzzing, will be covered. Students will write and use various fuzzers.

Reverse Engineering
Students focus on learning to reverse compiled software written in C and C++, though half-compiled code (.net, Java, etc) is mentioned as well. The IDA pro tool is taught and used throughout. Calling conventions, C to assembly, identifying and creating structures, RTTI reconstruction are covered. Students will also use IDA's more advanced features such as flirt/flare, scripting, and plug-ins.

Students will walk out of this class knowing how to find and exploit bugs in software. This is useful to both developers and hackers. The exploit component will teach common bug type such as: stack overflows, function pointer overwrites, heap overflows, off-by-ones, FSEs, return to libc, integer errors, uninitialized variable attacks, heap spraying, and ROP. Shellcode creation/pitfalls and other tips and tricks will all be rolled into the exciting, final component.

Who Should Take this Course

Developers, Testers, Hackers, Managers, Security Researchers, Penetration Testers, Journalists, etc.

Student Requirements

No hard prerequisites, but helpful to have a college Degree in a computer related disciple or equivalent work experience.

Programming (C/C++/.asm) and security experience will help, but you will still get a lot out of the course even if you lack that, so no fears. All questions are good questions in my classes. We have a fun but instructive and intense learning experience. You won't walk away disappointed.

What Students Should Bring

Students are required to provide a laptop for the course. Your laptop should have at least 30GB of free HD space, 4GB+ of RAM and VMware workstation/player for Windows or Fusion for the Mac installed ahead of time.

You will be given a Windows VM. Copy to your hard drive, and pass the portable Media to your neighbor. You will need a USB port and an OS that can read ExFat FileSystem to copy the data. (Most Mac and Windows have that, but with Linux, check for the driver) You may not share course media with non-students.

What Students Will Be Provided With

The course material will be provided to you on day 1. As soon as you receive the course material, copy it from the media and extract and test the virtual machine.

The course material is in 4 directories: SrcAudit, Fuzzing, Reversing, and Exploitation. In each directory you'll find a wealth of knowledge from documents to labs. Material cannot be shared or reproduced in any way.


Dr. Jared DeMott is the founder of the security company, Vulnerability Discovery & Analysis (VDA) Labs. DeMott is a former NSA security analyst, Microsoft BlueHat Prize winner, and was the CTO at Binary Defense. He's frequently quoted in media, and invited to speak at security events. You'll find fingerprints of his work across the InfoSec community: fuzzing, code auditing, exploitation, incident response, malware analysis, pentests, threat intelligence, and security training. When DeMott isn't leading a project, or bypassing a security control, he's enjoying time with his family outdoors.