BSidesLuxembourg 2026

Louis Nyffenegger

Louis Nyffenegger is a renowned application security expert and the founder of PentesterLab, a leading platform for hands-on security training. With extensive experience in penetration testing, code review, and application security, Louis has worked at organizations like the National Bank of Australia, Australia Post, and Fitbit.

He has delivered talks at security conferences, including DEFCON, Kawaiicon, and BSides Canberra, sharing insights on web security, code review techniques, and the intricacies of penetration testing.

As the primary author of PentesterLab’s labs, Louis has designed practical, real-world exercises that help security professionals and developers master vulnerabilities and improve their skills. He also runs AppSecSchool, a YouTube channel dedicated to application security, and writes thought-provoking blog posts to inspire the security community.

Beyond his technical contributions, Louis is passionate about teaching and empowering others to build secure software. He believes in a hands-on approach to security education, emphasising real-world applications and meaningful learning experiences.


Sessions

05-06, 14:00, 120min
How to Read Code to Find Vulnerabilities
Louis Nyffenegger

The industry needs more security code reviewers. Vulnerabilities are getting deeper, not simpler, and modern applications fail in subtle ways that scanners, and even AI, routinely miss. Meanwhile, developers are writing less code and reviewing more of it than ever (hopefully).

This workshop is a fast, hands-on introduction to reading code with a security mindset. Through real CVE-inspired examples, you’ll see how tiny inconsistencies, misplaced assumptions, and misunderstood framework behaviour turn into real, exploitable flaws.

You’ll learn how to detect red flags quickly, identify dangerous patterns in small snippets, and build intuition for where vulnerabilities hide. Whether you’re a developer, pentester, or security engineer, you’ll walk away with a foundational methodology for performing clear, consistent, and reliable code reviews.

IFEN room 2, Workshops and AI Security Village (Building D)
05-07, 14:40, 40min
Those Who Don’t Learn from CVEs Are Doomed to Rediscover Them
Louis Nyffenegger

This session dives into real-world vulnerabilities by dissecting CVEs directly in the code where they occurred. Each example showcases not just what went wrong, but why, with a focus on the subtle coding patterns, missed assumptions, and language misunderstandings that led to the bugs.
For every vulnerability, we will extract a few key lessons: principles or warnings that developers and reviewers can apply to prevent similar issues.

Main Stage