EuroSciPy 2025

How to become a software detective and perform security research
2025-08-19 , Room 1.19 (Ground Floor)

Security research is crucial in IT - considering the fast-paced growth of cybercrime, the prevalence of nation-state attacks, or the 40k CVEs reported last year. Yet, performing one’s own security research is challenging. This talk explores fundamental approaches and techniques to discover vulnerabilities in software. Participants will exercise static analysis on a vulnerable Python application to apply new knowledge. The goal is to understand how to perform security research.


Participants of this tutorial will gain a solid foundation in software analysis, with a strong emphasis on security. We will explore the significance of security research in software development and consider various resources and tools to discover vulnerabilities - including static and dynamic analysis, signature matching, automated scanning and fuzzing.

To illustrate these concepts, we’ll perform static analysis with CodeQL, Bandit and Nuclei on a vulnerable Python library as a case study. We’ll also look at different approaches and techniques for security-oriented analysis. Participants will gain essential knowledge to identify vulnerabilities, find potential targets for analysis, and apply research methodology.

This tutorial will cover:
* Introduction to security research
* Automated software analysis - SAST vs DAST
* Research methodologies and resources
* Basics of static code analysis
* Practical examples using vulnerable software to test acquired skills

Key takeaways:
* Basic concepts related to vulnerability research
* Software analysis fundamentals
* Security analysis tools


Expected audience expertise: Domain:

none

Expected audience expertise: Python:

some

Your relationship with the presented work/project:

Original author or co-author

Web & mobile security researcher with a few years of experience. MSc in computer sciences. Currently working on network security, including Kubernetes infrastructure. In free time, doing Hack The Box, sharing knowledge and analysing applications in the Apple ecosystem.