CTRL+F - A Practical Guide to Security Reviews

Announcements

  • The second session of CTRL+F will be on Friday May 29 at 4pm in Huxley 308!

Overview

This four-session mini-course offers a practical and accessible introduction to vulnerability research. Through a combination of theory, guided labs, and real-world case studies, you’ll learn how security vulnerabilities are discovered, from reviewing source code to using modern program analysis tools.


We’ll begin with the fundamentals: how to approach code, understand attack surfaces, and recognize common vulnerability patterns. From there, we’ll explore manual discovery techniques, analyze real CVEs, and tackle hands-on challenges. In the later sessions, you'll work with professional tools for static analysis and fuzzing, demonstrating how automation enhances and extends human capabilities.


Whether you're curious about application security, interested in bug bounties, or simply want to understand how software breaks, this course will equip you with the mindset and skills to begin your journey into security research.

Organization

  • Timetable:
    • All sessions are in Huxley 308 on Fridays at 4pm. We have the room for 2 hours, but plan to use less than that.
    • Session 1: May 15 Huxley 308
    • Break: May 22
    • Session 2: May 29 Huxley 308
    • Session 3: June 5 Huxley 308
    • Session 4: June 12 Huxley 642
  • Slack will be used for course announcements and course-related questions.
  • Course materials: on this website.
  • Assessment: no assessment 😅
  • Recordings: no recordings 😐
  • BYOL: bring your own laptop!
    • Code editor, e.g. VS Code
    • Git
    • Docker

People

Lecturer. Ibrahim ElSayed is an experienced security engineer specializing in leveraging program analysis to detect and prevent security vulnerabilities at scale. With over a decade of expertise in building advanced static analysis tools, he has contributed to securing massive codebases written in languages like PHP, Python, and Java. Ibrahim is also passionate about researching vulnerabilities in end-to-end encrypted messaging applications like WhatsApp, Telegram, and Signal, aiming to enhance their security. He leads efforts to empower developers and scale security teams to identify and mitigate critical vulnerabilities effectively.



TA. Abdullah Adlaihan is a PhD student at Imperial under the supervision of Dr. Maffeis. He received his MSc in computer science from Georgia Institute of Technology, and his BSc in computer science from King Saud University. Abdullah's focus is on utilizing Large Language Models (LLMs) for systems security.



TA. Archie Licudi is a PhD student at Imperial under the supervision of Dr. Maffeis. They received their Joint Mathematics and Computing MEng from Imperial and have worked at Oxford as a research assistant in federated learning for healthcare. Archie’s research is now focused on applications of concepts from algebra, pattern theory, and formal methods to the design of reliable machine learning systems for cybersecurity.



Course leader. Sergio Maffeis is an associate professor in Computer Security at Imperial, where he leads the Security and Machine Learning Lab. He received his PhD from Imperial and his MSc from University of Pisa, Italy. Maffeis' research interests include security, machine learning, formal methods, and programming languages. You can find out more from his home page.