How to become a software detective and perform security research
Przemek
Participants of this tutorial will gain a solid foundation in software analysis, with a strong emphasis on security. We will explore the significance of security research in software development and consider various resources and tools to discover existing and new vulnerabilities - including static and dynamic analysis, signature matching, automated scanning and fuzzing.
To illustrate these concepts, we’ll perform static analysis with CodeQL, Bandit and Nuclei on a vulnerable Python library as a case study. We’ll also examine different approaches and techniques for security-oriented analysis. Participants will gain the essential knowledge to identify vulnerabilities, find potential targets for analysis, and apply research methodology.
This tutorial will cover:
- Relevance of security research
- Manual/dynamic software analysis - approaches, tools, techniques
- Automated software analysis - SAST, DAST, other tools
- Outline research methodologies and resources
- How to perform security research and update your knowledge
- Practical walkthrough of vulnerable software to test acquired skills
Key takeaways:
- Basic concepts related to vulnerability research
- Software analysis fundamentals
- Security analysis tools