Secure Code Training 2019 – Reflections from a SCT Trainer

As a long-time SCT trainer I have the same thought each year when the next Secure Code Training comes into view: how to select from the best and hottest topics we have been working on for the past five months and pass them on to our delegates in only 3 days.

The overall schedule is easy: three days, starting with introductory and high-level issues on the first, practical activities on the second, and issues related to source code analysis on the last day. But filling them with exactly the right content is a challenge we try to meet by talking to our audiences.

On May 28th, 17 international attendees from 10 institutions travelled to the new headquarters of PSNC in Poznan to listen to interesting talks and collaborate in practical workshops on such topics as ‘secure communication and configuration of databases’ and ‘building modern authentication and authorization mechanisms’. It was a home game for the trainers, all from PSNC.

Thanks to OWASP we presented the most recent version of ASVS (Application Verification Security Standard), which is able to provide a consistent and complete view of Web application security. This is useful not only for security testers, but also for developers. We also provided new pieces of vulnerable source code to be analysed, refreshed people’s minds on GDPR and provided an updated review of free static source code analysis tools.

A returning but fun workshop theme was the HackMe contest, where developers stand on the other side and feel like real attackers, exploiting inappropriately written applications.

The 3 days went by very fast and ended with some individual talks during the ‘Meet the Expert’ session. My afterthoughts were the usual: “We have really covered a lot during these three days. And now we have to start thinking about the next SCT…”.

Written by Gerard Frankowski, SCT trainer