This event has ended. Create your own event on Sched.
Back To Schedule
Sunday, April 10 • 3:30pm - 4:10pm
PCT - Practical Code Triage

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Source code auditing is a common bug finding method for both offensive and defensive security practitioners. In the security consulting game, coming up to speed quickly on a large, unfamiliar code base is paramount to successful source audits. Tracking source code coverage - which source files and functions have been audited, which still need attention, and which should be avoided - is a useful way to track source audits. This can scale out to assist teams of people in collaboration.

This talk presents a number of source auditing methods and tools. Standard techniques such as bug-clairvoyance, plaintext note taking, `grep strcpy`, and pen-to-paper will be covered. Additional tips and techniques Todd has learned along life’s journey will also be shared. He will cover more formal methods involving C language parsers, relational and graph databases, and other tools of his own divination. Finally, the talk shall present a suite of tools and techniques to apply deeper analysis to function execution, data handling, attack surface identification, and security boundary mapping.

avatar for Todd Manning

Todd Manning

Todd Manning lives in Austin, Texas. He is currently working in the Applied Research team at Optiv, where he performs source auditing, reverse engineering, and other security auditing for  a diverse set of customers. Todd’s indy research tends toward embedded systems and the mobile... Read More →

Sunday April 10, 2016 3:30pm - 4:10pm CDT
Ballroom A

Attendees (4)