Secure-er Code Reviews with Seth & Ken (w/ Rana Khalil as special guest host)

OWASP DevSlop Project
Public group

Online event

Finding vulnerabilities and exploits by reviewing source code has always been a critical part of the AppSec pipeline, but it has lacked a formal methodology. As a result, these reviews and their results vary widely, and so does the experience they leave developers and security engineers with. The Absolute AppSec Secure Code Review framework is an approach developed over the last 10 years by Seth & Ken for finding security issues in code, drawing on their work as both industry consultants and code contributors.

Ken Johnson (@cktricky) and Seth Law (@sethlaw) will perform a live code review on an open-source code base as a demonstration for implementing their secure code review framework.

Covered during the review:
* Prioritizing review checks.
* Tracing authorization functions for further analysis.
* Short-circuiting traces using code searches and automated tools.


Seth Law is the Principal Consultant of Redpoint Security. During the last 15 years, Seth has worked within multiple security disciplines, including application development, cloud architecture, and network protection, both as a manager and as an individual contributor. Seth has honed his security skills using offensive and defensive techniques, including tool development. His understanding of the software development lifecycle and his ability to translate security issues into development tasks have allowed him to speak at conferences ranging from Black Hat and DEF CON to local security meetups. In his spare time, Seth revels in deep-level analysis of programming languages and their inherent flaws, develops the iOS version of HackerTracker, and co-hosts the Absolute AppSec podcast with Ken Johnson.

Ken Johnson has been hacking web applications professionally for 11 years and has given security training for 8 of those years. Ken is both a breaker and a builder and currently works on the GitHub application security team. Previously, Ken has spoken at RSA, You Sh0t the Sheriff, Insomni'hack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about appsec, DevOps security, and AWS security. Ken's current projects are WeirdAAL, OWASP RailsGoat, and the Absolute AppSec podcast with Seth Law.

You can find Seth & Ken on social media: