CTRL+F - A Practical Guide to Security Reviews

This four-session mini-course offers a practical and accessible introduction to vulnerability research. Through a combination of theory, guided labs, and real-world case studies, you’ll learn how security vulnerabilities are discovered, from reviewing source code to using modern program analysis tools.

We’ll begin with the fundamentals: how to approach code, understand attack surfaces, and recognize common vulnerability patterns. From there, we’ll explore manual discovery techniques, analyze real CVEs, and tackle hands-on challenges. In the later sessions, you'll work with professional tools for static analysis and fuzzing, demonstrating how automation enhances and extends human capabilities.

Whether you're curious about application security, interested in bug bounties, or simply want to understand how software breaks, this course will equip you with the mindset and skills to begin your journey into security research.

• CISA known exploited vulnerabilities
• Google 0day "In the Wild"
• http://threatmodelingmanifesto.org
• Mark Dowd- Keynote -How Do You Actually Find Bugs? (video)
• The Art of Software Security Assessment (book)
• Threat modelling – Designing for security (book)
• The Web Application Hacker's Handbook (book)
• CWE/SANS Top 25 Most Dangerous Software Errors.
• OWASP Top 10 list of the most critical web application security flaws.
• Search the CVE Vulnerability Database.
• Search the exploit-db database.
• Hacker One reward program for internet vulnerability disclosures.
• Full Disclosure mailing list.
• Black Hat and DEF CON hacking conferences.