Training Title:
Read, Break, Fix: Secure Code Review in Python from Fundamentals to Automation
Training Schedule:
Start Date: 10 September 2025
End Date: 11 September 2025
Description
Secure coding starts with deeply understanding code and vulnerabilities, and secure code reviews are crucial in finding issues early. In this hands-on secure code review workshop, we will teach the participants how to perform effective code reviews with both manual and automated techniques.
We start by understanding how a common web application code is structured: from imports to functions to object-oriented logic. Participants will learn how code and data flow in real-world applications and be able to kickstart their journey with source code reviews.
From there, we dive into the OWASP Top 10 vulnerabilities, one by one, showing how each one appears in real Python code. For every vulnerability, we:
- Explain the security issue with a live example
- Show how to detect it during code review
- Demonstrate exploitation in a lab environment
- Teach how to remediate it securely
Vulnerabilities include insecure deserialization, command injection, broken authentication, and more, tailored to Python and its ecosystem (e.g., Flask, Django, FastAPI).
The workshop will also cover automated code review using open-source tools:
- SAST (Static Application Security Testing) with tools like Semgrep and Snyk
- SCA (Software Composition Analysis) using tools like Snyk
We'll walk participants through setting up these tools, demonstrate how to analyze results and reduce false positives, and show how to write custom rules to suit project-specific needs.
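To make the "explain, detect, remediate" loop and the custom-rule idea concrete, here is an added example that is not part of the workshop materials or the tools it names. It takes one vulnerability from the syllabus, command injection, and shows the vulnerable form beside its remediated form, plus a small AST-based checker that flags `subprocess.*` calls passing `shell=True`, the kind of project-specific rule the workshop describes writing (in Semgrep such rules are YAML; the checker here is a plain-Python stand-in). The sample sources, the `HOST_RE` allowlist and all function names are constructed for this example.

```python
"""Added example: one Break & Fix case (command injection) and a toy custom rule.

Not the workshop's own code. Sample sources, names and the allowlist regex are
constructed for illustration only.
"""
import ast
import re

# Vulnerable form (constructed sample): untrusted input is concatenated into a
# shell command string, so shell metacharacters in `host` change the command.
VULNERABLE_SOURCE = '''
import subprocess
def ping(host):
    return subprocess.run("ping -c 1 " + host, shell=True, capture_output=True)
'''

# Remediated form (constructed sample): argument list instead of a shell string,
# shell=False, and the input validated against a strict allowlist first.
FIXED_SOURCE = '''
import subprocess, re
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
def ping(host):
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return subprocess.run(["ping", "-c", "1", host], shell=False, capture_output=True)
'''

# Same allowlist as in FIXED_SOURCE, used by the runtime helper below.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def safe_ping_argv(host: str) -> list:
    """Build the argv list used by the remediated code, rejecting anything that
    is not a plain hostname. Returned as a list so the reviewer can see that no
    shell ever parses it; this function does not execute ping."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def find_shell_true(source: str) -> list:
    """Toy custom rule: return (line, callee) for every subprocess.<callee>(...)
    call that passes shell=True as a literal keyword argument.

    Deliberately narrow, like a first-draft SAST rule: it matches only the
    `subprocess.X(...)` attribute form and a literal True, so `from subprocess
    import run` or a variable holding True would be missed (a false negative a
    reviewer would refine the rule for)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                findings.append((node.lineno, func.attr))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_shell_true(VULNERABLE_SOURCE))  # flags line 4, run
    print("fixed:     ", find_shell_true(FIXED_SOURCE))       # nothing flagged
    print(safe_ping_argv("example.com"))
```

Running the checker over both samples reproduces the workshop's detect step: the vulnerable source yields one finding and the remediated source yields none, while `safe_ping_argv` shows the remediate step rejecting input that carries shell metacharacters. The deliberately narrow matching in `find_shell_true` is also a small illustration of why rule tuning and false-positive/false-negative review are part of the automated-review day.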
Workshop Breakdown:
Day 1 - Break & Fix Labs - Server-Side
Module 1: Getting started
- Reading and understanding entry points of interest
Module 2: OWASP Top 10 in Python: Break & Fix Labs (Part 1)
- This section covers spotting vulnerabilities via code review.
- Each vulnerability is explained with an example and appropriate remediation.
- Server-side vulnerabilities:
  - i. Authentication and authorisation vulnerabilities (IDOR, broken access controls, etc.)
  - ii. Server-Side Request Forgery (SSRF)
  - iii. XXE
  - iv. Command injection
  - v. SQL injection - all types
  - vi. Mass assignment
  - vii. Information disclosure
  - viii. Common security misconfigurations
  - ix. Insecure logging
  - x. SSTI
  - xi. Path traversal
  - xii. Session fixation
  - xiii. DoS
Module 3: OWASP Top 10 in Python: Break & Fix Labs (Part 2)
- Client-side vulnerabilities:
  - i. Cross-Site Scripting
  - ii. Reviewing CSP misconfiguration
  - iii. Insecure CORS
  - iv. Open redirect
- Secure coding guidance with reusable snippets and best practices
Day 2 - Automated Code Review in Python Projects
Module 4: Automated Code Review in Python Projects
- Introduction to Semgrep, CodeQL, and Snyk
- Writing custom rules for Python projects
- Reducing false positives
- Analyzing SAST results effectively (triaging and remediation)
- Best practices for continuous false-positive reduction
- Developer-first remediation workflows
What You’ll Learn:
- Identify and Fix OWASP Top 10 and Business Logic Vulnerabilities
  Learn how to spot and remediate common security flaws like Injection, Broken Access Control, and Insecure Deserialization, as well as subtle business logic issues that scanners often miss.
- Review Real-World Python Code with Confidence
  Understand how to read, analyze, and break down real Python applications to find security bugs early, before they reach production.
- Automate Code Reviews with Semgrep, CodeQL, and Snyk
  Get hands-on with open-source security tools to streamline code analysis and make secure development scalable across teams.
- Find True Positives in a Sea of False Alarms
  Learn effective techniques for triaging results, reducing noise, and focusing only on high-impact, true-positive findings.
- Write Custom Rules to Fit Your Codebase
  Discover how to tailor your security tools with custom rules, making them smarter and more aligned with your application’s context.
What You’ll Need:
Note: We will send a link to this software one week before the training so you can configure your laptop in advance. It will save time on training day!
- A laptop with Python 3.9+ and Docker installed
- A Python virtual environment
- Burp Suite Community Edition
- Git
- Semgrep and Snyk installed
- Any IDE, preferably VS Code (with the Python and Pylance extensions) or PyCharm
- Basic familiarity with Python coding and Git
What We’ll Provide:
- Access to a vulnerable Python app (Flask/FastAPI-based)
- GitHub repos for labs and tools
- Cheat sheets for code review and secure coding in Python
Who Should Attend:
- Developers of all experience levels
- Application security engineers
- DevSecOps professionals
- Engineering leads and security champions
Speaker Profile:
Prateek Thakare
Prateek Thakare is a Senior Security Engineer at GoDaddy with a strong focus on web and mobile application penetration testing, secure code reviews, and security automation. He has developed and contributed to open-source security tools like Mantis and has presented his work at security conferences including Black Hat Arsenal, ThreatCon & Vulncon.
LinkedIn: https://www.linkedin.com/in/prateek-thakare/
Gaurav Bhosale
Gaurav Bhosale is an Application Security Engineer at a fintech product company. With over 6 years of experience, he has worked with global leaders like Mastercard. His expertise includes secure code reviews, SAST/SCA, SBOM + VEX, and CI/CD integration. He has presented at Seasides Security Conference, ThreatCon & Vulncon.