How to become a software detective and perform security research
Przemek
Participants of this tutorial will gain a solid foundation in software analysis, with a strong emphasis on security. We will explore the significance of security research in software development and consider various resources and tools to discover vulnerabilities - including static and dynamic analysis, signature matching, automated scanning and fuzzing.
To illustrate these concepts, we’ll perform static analysis with CodeQL, Bandit and Nuclei on a vulnerable Python library as a case study. We’ll also look at different approaches and techniques for security-oriented analysis. Participants will gain essential knowledge to identify vulnerabilities, find potential targets for analysis, and apply research methodology.
This tutorial will cover
- Introduction to security research
- Automated software analysis - SAST vs DAST
- Research methodologies and resources
- Basics of static code analysis
- Practical examples using vulnerable software to test acquired skills
Key takeaways
- Basic concepts related to vulnerability research
- Software analysis fundamentals
- Security analysis tools