An Authorization Example from the Absolute AppSec Secure-Code Review Course

To promote this new incarnation of the Practical Secure-Code Review course, we’re sharing a short clip: a window into the tantalizing details that get covered during the in-depth course. In this highlight, Seth and Ken dial down on the topic of authorization in an instance where application code meant to redirect an unauthorized user keeps executing a process even as the UI redirects the user to another location (say a 301 error page). In such cases, authorization control bypasses sometimes exist. And, a malicious user can exploit the bypass to access resources for which they aren’t authorized. It’s a pretty cool nuance in the ways intended code goes haywire. Consequently, it can be devastating for application security. Would you like to help find these types of vulnerabilities in code?

Well consider this a teaser for the kind of details that are covered in Seth and Ken’s long established Practical Secure-Code Review course. Without exaggeration, this course has helped some industry titans level up their careers in the course of the decade or so that Seth and Ken have been offering it. And it’s now adapted to meet the current needs of application pentesters, bug-bounty hunters, and security units trying to protect their organizations and customers.

The industry-leading methodology in secure-code review provides a combination of components that lead to robust Secure-Code Review practices. This includes Generic checks (as seen in the above course overview) that one can adopt for looking into a codebase, Language-specific nuances that can help avoid certain pitfalls, Stories that illustrate the above as well as provide examples of what to do and avoid in your secure-code review projects.

Overall, this course introduces developers to a proven framework for conducting secure code reviews, addressing common challenges, and integrating AI tooling into the practical secure-code review process.

More generally, the Absolute AppSec Secure-Code Review methodology was developed through extensive experience in code reviews. It’s an approach that focuses on preventing common errors and aligning application security checklists with a code-review process. This prioritization helps testers efficiently allocate their time to code operations and files with significant security implications. Students who learn this methodology will understand how to analyze a codebase and manage their time effectively to avoid time traps, side quests or rabbit holes.

Key skills gained:

1) Discovering a repeatable process for conducting secure-code review that applies regardless of one’s initial familiarity with specific languages and frameworks.

2) Learning how to orient yourself quickly in an unfamiliar codebase, and map out high priority routes, source-to-sink traces, and potential fruitful anti-patterns.

3) Developing well informed checklists for conducting any secure-code review, which includes integrating templates of general checks with risk-prioritized checklist items generated from information gathering performed within the codebase.

4) Strategies for focusing one’s time on the routes or endpoints that could lead to finding important bugs in a codebase, which can help better secure an application or earn bigger bug-bounty payouts.

In short, the practical secure-code review course aims to equip students with the confidence to manage code-review projects effectively. It helps students prioritize their time to focus first on security-relevant aspects of an application and avoid time-consuming distractions. Furthermore, the curriculum integrates the use of powerful AI tools to enhance the code review process.

Don’t miss this chance to build your confidence in undertaking code-review projects, and let your security engineer or developer friends know about the course if their careers would benefit from adding secure-code review to their skillsets.

For more information on Secure-Code Review, read our whitepaper, check out Ken’s demonstration of the Absolute AppSec method in a hour-long walkthrough here on our YouTube channel as well as checking out the Training site here on our webpage.