2026-05-07 – Main Stage
This session dives into real-world vulnerabilities by dissecting CVEs directly in the code where they occurred. Each example showcases not just what went wrong, but why, with a focus on the subtle coding patterns, missed assumptions, and language misunderstandings that led to the bugs.
For every vulnerability, we will extract a few key lessons: principles or warnings that developers and reviewers can apply to prevent similar issues.
The story starts with my analysis of a CVE affecting AES-GCM in a Ruby library and how this issue appears in other codebases and languages. I will show several related problems I reported across ecosystems.
From there, I cover the cyclic nature of vulnerabilities: "The end of the world, we forget, rediscovery."
Next, I explain a practical methodology for performing CVE analysis. This leads into a selection of excellent CVEs I have studied and the lessons they provide. I will also demonstrate how one CVE I found was directly inspired by another I had analyzed earlier. I will finish this section with the most interesting CVE I examined in the weeks leading up to the conference.
We will wrap up with clear recommendations for attendees.
Since the topic can be complex, I include a few jokes and memes throughout the presentation to help maintain attention.
Louis Nyffenegger is a renowned application security expert and the founder of PentesterLab, a leading platform for hands-on security training. With extensive experience in penetration testing, code review, and application security, Louis has worked at organizations like the National Bank of Australia, Australia Post, and Fitbit.
He has delivered talks at security conferences, including DEFCON, Kawaiicon, and BSides Canberra, sharing insights on web security, code review techniques, and the intricacies of penetration testing.
As the primary author of PentesterLab’s labs, Louis has designed practical, real-world exercises that help security professionals and developers master vulnerabilities and improve their skills. He also runs AppSecSchool, a YouTube channel dedicated to application security, and writes thought-provoking blog posts to inspire the security community.
Beyond his technical contributions, Louis is passionate about teaching and empowering others to build secure software. He believes in a hands-on approach to security education, emphasising real-world applications and meaningful learning experiences.