Integrating secure coding to DevSecOps cycle
2025-10-22, Vianden & Wiltz

This workshop aims to overcome the drawbacks of the current approach to teaching application security, which consists of blindly attacking applications to analyze vulnerabilities.
That approach leaves engineers unable to work out the proper fix for a vulnerability, so the same vulnerability stays open for attackers to exploit.
The labs will help security enthusiasts, developers and students identify the root cause of a vulnerability in the code, patch it, re-deploy the application, and finally verify the fix.
As an attendee, you will learn to find vulnerabilities from both an attacker's and a defender's point of view. This supports a swift SDLC in which issues are fixed and development moves forward, instead of the traditional pentesting procedure of fixing the issues at the end of the cycle. The demonstration will use a vulnerable e-cart application with a microservice architecture, deployed using Docker, in which the vulnerable code is attacked, replaced with secure code snippets, compiled, deployed and pentested again to show how fixing a vulnerability at the root saves engineers time and effort.


Who should attend this talk?
This talk is completely beginner friendly, for everyone from newbies and developers to security engineers and pentesters who want more practical experience in finding vulnerabilities and in secure coding practices.

Detailed Plan
The talk will be divided into two sections: Attack & Secure Coding. It is completely beginner friendly for an audience ranging from students to professionals and will start with the fundamentals of the web, web architecture and web technologies.
Web Architecture (Client-Server components, models, styles and types)
Web Fundamentals:
● Caching
● Cloud Storage
● Load Balancers
● CDN
● Databases
Application layer (web services mapped to the OSI application layer):
● Requests & Responses
● HTTP Methods
● HTTP Status codes
● Cookies & Sessions
● SOP
● Sandbox
● URL & its decomposition

Web & API Exploitation:
Note: A demonstration of every vulnerability and its patch will be shown during the talk. Participants who want a hands-on session will be provided with the dockerized application to set up on their personal laptops.
The hands-on lab is an intentionally vulnerable dockerized e-commerce application for testing the bugs our team will demonstrate. The application uses a microservice architecture in which the components of the e-commerce app run as separate services, written in different programming languages and backed by different databases, so that attendees learn attack and defense vectors across multiple tech stacks. We will explain each bug, where to find it and why it occurs, along with a demonstration of how to look for the bug in any application. This class focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques.

Hands-on labs for attacking the components of the vulnerable e-commerce site will be provided, with multiple ways of exploiting each bug.
● Mass Assignment vulnerability
● SQL Injection
● File Upload Vulnerability
● Remote Code Execution
● IDOR
● Server Side Template Injection
● OS Command Injection
● Server Side Request Forgery
● Cross Site Scripting
● Lack of validation
● Local File Inclusion

This talk takes a comprehensive and practical approach to implementing DevSecOps practices for efficient application security.
Attendees will be taught source code analysis, mitigation techniques and security practices. Secure code snippets implementing the following practices will be taught:
● Input Sanitisation
● Data transfer Objects
● Parameterized queries
● Stored procedures
● File type validation checks
● Access Controls
● Whitelisting
● Rate Limiting
● Sandboxing
● Shell Escape Mitigations
● Parameter Validation
● Response Validation
● Regex checks
● Authorization Checks

They will in turn have to modify the vulnerable code with secure code snippets, deploy it with Docker and test the attack vectors again. We will wrap up the session with a Capture the Flag style competition hosted on the CTFd platform, with multiple source code review challenges in which participants receive dockerised challenges to test the attacking and patching skills learned from the talk.
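As an added illustration of the attack, patch and verify cycle described above (example code written for this page, not the workshop's own lab code; the products table, the handler names and the test input are assumptions), here is a vulnerable e-cart product lookup beside its parameterized replacement, with a regression check that re-runs the same input against both handlers:

```python
import sqlite3

# Constructed in-memory catalogue standing in for the e-cart database
# (assumption: a "products" table looked up by id; not the workshop's schema).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "keyboard", 49.0), (2, "mouse", 19.0), (3, "webcam", 35.0)])
    return conn

# Vulnerable handler: the request parameter is spliced into the SQL text,
# so the database engine cannot distinguish data from query structure.
def find_product_vulnerable(conn, product_id):
    sql = "SELECT id, name FROM products WHERE id = " + str(product_id)
    return conn.execute(sql).fetchall()

# Patched handler: the value travels as a bound parameter and the SQL text
# stays fixed, which is the "parameterized queries" snippet from the list above.
def find_product_fixed(conn, product_id):
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()

# Constructed test input: a tautology appended to a legitimate id.
TAUTOLOGY_INPUT = "1 OR 1=1"

# Regression check to re-run after redeploying: the hostile input must not
# return more rows than a legitimate lookup of a single product does.
def verify_fix(handler):
    conn = build_db()
    normal = handler(conn, "1")
    hostile = handler(conn, TAUTOLOGY_INPUT)
    return {"normal_rows": len(normal),
            "hostile_rows": len(hostile),
            "fixed": len(hostile) <= len(normal)}
```

Run `verify_fix` against both handlers: the vulnerable one returns the whole catalogue for the hostile input, while the patched one returns no rows because the bound text never matches an integer id.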
Main Take-Away
Web Fundamentals
Web & API Exploitation
Advanced Vulnerability analysis
Secure Coding Practices
A&D CTF Challenges

Gopika Subramanian is a security researcher with a primary focus on web and mobile application security. She is currently working as a SecOps Engineer at Fuze, where she is responsible for engineering, threat modeling and implementing security initiatives. In her free time she participates in CTF competitions, and she has presented and trained at a multitude of conferences.