Code & Architecture Review Fundamentals - Assessment Prep

Assessment Prep

This course focuses on the essential preparation required for code and architecture review assessments. It covers the tasks that should be completed during scoping to ensure a successful and valuable assessment, as well as the critical steps to take once the assessment begins. While primarily theory-based, the course includes practical exercises to familiarise you with key concepts. Please note that vulnerability identification is not covered in this course.

At a high level, the course covers:

  • Creating an effective scoping document for code and architecture reviews
  • Using a selection of tools to assist in scoping and pre-assessment work
  • Building diagrams to provide an overview of the moving parts within a solution
  • Applying the methodology through various exercises to help you practise the approach

By applying the knowledge gained from this course, you will enter your assessment with:

  • A clear understanding of what you are assessing and how it functions
  • A list of components that make up the solution
  • A list of critical assets to target during your assessment
  • An architecture/data-flow diagram highlighting key data flows

Many testers proceed with testing without performing this due diligence and often miss crucial, big-picture attack scenarios or potential vulnerabilities targeting critical assets, because they simply follow a web application testing checklist. For that reason, this might actually be the most important course in the series!

This course is not intended to teach you how to identify vulnerabilities in code and architecture but rather to equip you with the ability to ask the right security questions about what you are reviewing. The only exception to this is a lesson that discusses how vulnerabilities and potential misconfigurations may arise during the review of a client’s documentation.

Course Prerequisites

This course assumes a basic knowledge of common infrastructure and web application security vulnerabilities, as well as a general understanding of the typical components used to build a web application. You’ll benefit most from this course if you have this foundational knowledge, but if you’re willing to research terminology, components, or vulnerabilities for context, you should still be able to follow along without any issues.

The tools covered in this course can be installed on a Kali virtual machine (I’m using version 2024.1). I recommend setting one up for the exercises in this course. However, most of the tools can be run on various operating systems, so you don’t have to use a Kali VM unless you choose to.

Buy Now

Please follow the link below to purchase the course. You’ll be redirected to Lemon Squeezy – our payment provider. Once your payment is processed, you’ll receive an email from our platform provider, CourseStack, to create an account and complete your course enrolment.

Base Price: £75 — Total: £90 (inc. VAT)

Note: Tax is calculated according to your country of residence. Click ‘Buy Now’ to view the final price, including applicable taxes.



Course Breakdown

Overview

This section introduces the course and covers any prerequisites or caveats you need to be aware of before starting (mentioned above).

Lessons:

  • Introduction
  • About the Course
  • Course Prerequisites & Caveats

Example Solutions

This course uses a couple of example projects to provide context to the assessment process. We introduce these projects here to guide you through the learning journey.

Lessons:

  • Introduction
  • Event Planner Perfection (EPP)
  • Papermerge

Assessment Focus Areas

This chapter introduces the key concepts that should be considered when performing code and architecture reviews.

Lessons:

  • Introduction
  • Architecture
  • Configuration
  • Implementation
  • Business Logic
  • Chapter Summary

Scoping

In this chapter, we take a step back to think about scoping and the tools we can use to gather information that will help us determine the level of effort and understand more about what we will be assessing.

Lessons:

  • Introduction
  • Scoping
  • Tool - cloc
  • Scoping with Online Information
  • Tool - CodeTriage
  • Scoping with Code
  • Exercises
  • Chapter Summary

Code & Asset Delivery

This chapter outlines what should be requested when performing code and architecture reviews to ensure you have everything you need for a comprehensive assessment.

Lessons:

  • Introduction
  • The Code
  • Binaries & Builds
  • Environment/System Access
  • Other Assets
  • Exercises
  • Chapter Summary

Preparation

With scoping and code/asset delivery complete, it’s time to prepare for the assessment. This chapter covers the goals and importance of thorough preparation before diving into the review.

Lessons:

  • Introduction
  • Goals

Documentation Review

In this chapter, we explore how to extract critical information from available documentation about the target product to meet your preparation goals.

Lessons:

  • Introduction
  • Learning About the Product
  • Industry-Specific Knowledge
  • Notetaking
  • Documentation-Based Vulnerabilities or Misconfigurations
  • Tool - Draw.io
  • Papermerge - Learning About the Product
  • Papermerge - Online Documentation Review
  • Papermerge - Documentation-Based Vulnerabilities or Misconfigurations
  • Exercises
  • Chapter Summary

Initial Code Inspection

This chapter focuses on gathering key information from specific areas of the code to expand your understanding of the product. This is not the start of the formal review but a way to gain a preliminary understanding.

Lessons:

  • Introduction
  • Quick Overview
  • Dependency Management
  • Seonaut - No Framework?
  • Clues in Config
  • Papermerge - Initial Code Inspection
  • Exercises
  • Chapter Summary

Technical Overview Call

This section covers the potential agenda for a technical overview call, helping you fill any gaps in your assessment preparation goals.

Lessons:

  • Introduction
  • Agenda
  • Housekeeping
  • Call Introductions
  • High-Level Overview
  • Product Demo
  • Architecture Overview
  • Implementation
  • Deployment
  • Security Q&A
  • Follow-Ups
  • Exercise
  • Chapter Summary

Course Summary

This final chapter wraps up the course and offers guidance on time management, which is essential in the often fast-paced assessment phase.

Lessons:

  • Time Management
  • Summary

Any questions?

If you have any questions about the course or need additional support, please don’t hesitate to reach out. You can visit our support page for more information, or join our Discord community server, where you can connect with other learners and get assistance.