DEF CON 27 workshop on finding vulnerabilities at scale

Material from our DEF CON workshop on finding vulnerabilities at ecosystem-scale

A few weeks ago we hosted our first DEF CON workshop. We’re grateful we had the opportunity to share some of our work with a packed room, and we learned a lot from the experience.

We realize many people didn’t have the chance to attend DEF CON, so we’re sharing the workshop content here as well.

While some of the large-scale infrastructure was created for the workshop and has since been turned off, you should be able to follow the slides and run most of the exercises. And if you want to keep going beyond the guided instructions, let us know and we’ll give you access to our beta platform, where you can continue to hack away.

Here’s the agenda presented at the workshop so you can get an idea of the content:

  • What is program analysis?
  • Current tools available to analyze source
  • Writing your first program analysis
  • Writing a program analysis that actually looks for something interesting
  • Complex analysis and refining the analysis true positive / false positive

A few notes about the exercises:

We really enjoyed the workshop, but don’t worry, we had lots of fun outside the workshop, too: