"Vulnerability Management" training programme - "Finding Vulnerabilities II - Looking into Code"

(Timezone - Europe/Amsterdam)



Looking for vulnerabilities in existing systems and services has become common practice. However, vulnerability scanning only covers software packages from established sources, and only those vulnerabilities that are already known. What about the vulnerabilities you don't know about yet?

What about the software that is developed in-house? This module gives an introduction to code audits and vulnerability disclosure, the two main aspects of vulnerability management for software that you are responsible for. The final session is an introduction to Breach and Attack Simulation, a relatively new approach to judging the risks and consequences of existing vulnerabilities in your network.

Participants will learn:

  • Code Audits
  • Vulnerability Disclosure
  • Breach and Attack Simulation

The module includes 3 sessions. Please note that there is one registration: once registered, you are welcome to attend all or selected sessions of this module.

Also please note that we shall send you an invitation with the Zoom link closer to the date of the session.

If you have registered less than an hour before the start of a session please email glad@geant.org to let us know and we shall forward you joining instructions.

Each session will be recorded; we shall notify all the participants how to access recorded sessions once recordings become available.

We look forward to seeing you (virtually) soon.

Glad Team (GEANT Learning and Development)
    • 2:00 PM to 3:00 PM
      Code Audits 1h

      "Code audits - how to improve the quality of the code"

      Software without bugs or vulnerabilities doesn't exist. If your organization runs software development teams, they will be aware of the importance of a secure software development lifecycle and related subjects. This webinar introduces some basic concepts as well as tools that help developers identify bugs before the software goes into production.

      What you will learn:

      - What are code audits?
      - Why code audits?
        - How to deal with closed source software?
        - How to deal with open source software?
      - Code scanners
        - SonarQube
        - WhiteSource
        - Coverity
        - OWASP Dependency-Check
        - Web apps: OWASP ZAP (Zed Attack Proxy), Burp Suite
        - Microsoft OneFuzz (https://github.com/microsoft/onefuzz)
      - Static Application Security Testing (SAST) tools
      - Dynamic Application Security Testing (DAST) tools (primarily for web apps)
      - Interactive Application Security Testing (IAST) tools (primarily for web apps and web APIs)
      - Static code quality tools
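      To make concrete what a static application security testing (SAST) tool does before code reaches production, here is a small added example, not material from the webinar or from any of the products listed above. It parses Python source with the standard-library ast module, walks the syntax tree and reports three well-known risky constructs: eval()/exec() on data, subprocess calls with shell=True, and yaml.load() without an explicit Loader. The sample source it scans is constructed for this example; the rule ids (PY-EVAL, PY-SHELL, PY-YAML) are invented labels, not identifiers from any real scanner. Real tools such as SonarQube or Coverity apply thousands of such rules plus data-flow analysis, but the parse-walk-report shape is the same.

```python
"""Toy SAST check: flag a few dangerous call patterns in Python source using ast.

Added illustration, not code from the webinar or from any product named on the page.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    rule: str      # invented rule id for this example
    line: int      # line number within the scanned source
    message: str

# Sample input constructed for this example (not real project code).
SAMPLE_SOURCE = '''
import os, subprocess, yaml

def run(cmd):
    subprocess.call(cmd, shell=True)      # shell=True with caller-supplied string

def load_cfg(path):
    return yaml.load(open(path))          # no Loader: arbitrary object construction

def calc(expr):
    return eval(expr)                     # eval on user data

def safe_run(args):
    subprocess.run(args, check=True)      # argument list, no shell: fine

def safe_cfg(path):
    return yaml.safe_load(open(path))     # fine
'''

def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.call'; '' if it is dynamic."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return ""

def _keyword(node: ast.Call, name: str) -> Optional[ast.expr]:
    """Value expression of keyword argument `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None

class DangerousCalls(ast.NodeVisitor):
    SUBPROCESS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                  "subprocess.check_call", "subprocess.check_output"}

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append(Finding("PY-EVAL", node.lineno, f"{name}() on data"))
        elif name in self.SUBPROCESS:
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                self.findings.append(Finding("PY-SHELL", node.lineno, f"{name}(shell=True)"))
        elif name == "yaml.load" and _keyword(node, "Loader") is None:
            self.findings.append(Finding("PY-YAML", node.lineno, "yaml.load() without explicit Loader"))
        self.generic_visit(node)   # keep walking: nested calls may also be risky

def scan_source(source: str, filename: str = "<sample>") -> List[Finding]:
    """Parse `source` and return findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    visitor = DangerousCalls()
    visitor.visit(tree)
    return sorted(visitor.findings, key=lambda f: f.line)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"<sample>:{f.line}: {f.rule}: {f.message}")
```

      Run against the constructed sample it reports three findings (lines 5, 8 and 11) and stays quiet on the two safe functions, which is the useful property of a pattern rule: low noise on idiomatic code. What it cannot do is tell whether `cmd` in `run()` is actually attacker-controlled; that needs taint tracking, which is where the commercial scanners spend most of their effort.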

      Duration: 1 hour

      Presenter(s)/Facilitator(s): Stefan Kelm, DFN-CERT

      Affiliation (WP/Task): WP8 Task 1

      Authors (content is created by): Tobias Dussa, Klaus Möller, DFN-CERT

    • 2:00 PM to 3:00 PM
      Vulnerability Disclosure 1h

      "Responsible Disclosure – Letting the cat out of the bag"

      So you have found vulnerabilities in other people's code, or other people have found vulnerabilities in your own code. Either way: how do you handle the situation? In the long run, trying to keep information about a vulnerability under wraps is unlikely to work, so in this session we cover some aspects of, and strategies for, approaching this issue.

      What you will learn:

      • Concepts
      • Vulnerability handling and vulnerability disclosure
      • Exploitation
      • Advisories
        - Defining vulnerability policies
        - How to report vulnerabilities to others (Vulnerability
      • CVE and CNAs
      • Coordinating vulnerability activities
        - Receiving vulnerability information

      Duration: 1 hour

      Webinar Host: Pauline Smith (GLAD)

      Presenter(s)/Facilitator(s): Tobias Dussa, DFN-CERT

      Affiliation (WP/Task): WP8 Task 1

      Authors (content is created by): Stefan Kelm, Klaus Möller DFN-CERT

    • 2:00 PM to 3:00 PM
      Breach and Attack Simulation 1h

      Date of delivery: Wednesday, 8 September 2021

      "Breach and Attack Simulation - matching attacker behaviour with vulnerabilities"

      Breach and Attack Simulation (BAS) is a relatively new approach to vulnerability assessment that goes beyond simple scoring of vulnerabilities by also taking the modus operandi of adversaries into account. This webinar gives an introduction to the topic and presents some open source tools for BAS.

      What you will learn:

      What is ...
      Why ...
      - Infection Monkey
      - Metta adversarial simulation tool (Uber)
      - FlightSim (AlphaSOC)
      - Red Team Automation (Endgame)
      - Atomic Red Team (Red Canary)

      Duration: 1 hour

      Webinar Host: Pauline Smith (GLAD)

      Presenter(s)/Facilitator(s): Klaus Möller, DFN-CERT

      Affiliation (WP/Task): WP8 Task 1

      Authors (content is created by): Stefan Kelm, Tobias Dussa, DFN-CERT