Application Security

Application Security teaches students the fundamental technical skills required to identify and prevent application vulnerabilities. Students will learn to apply the theory and practice of code auditing, a process which includes learning how to dissect an application, discover security vulnerabilities, and assess the danger each vulnerability presents. We also discuss methods to support secure software development. The course is taught by a team of security industry experts and covers the following topics:

  • Operational Reviews and Code Audits, taught by Brandon Edwards
    Identify vulnerabilities and programmer errors by auditing source code
  • Windows Internals, taught by Alex Sotirov
    Understand operating system issues and security considerations specific to Windows
  • Exploit Mitigation, taught by Dino Dai Zovi
    Accurately evaluate the impact of available exploit mitigations
  • Mobile Security, taught by Chris Rohlf
    Identify security-relevant changes in mobile client architectures
  • Cryptography, taught by Tom Ptacek
    Identify and understand issues with how cryptography is used in modern systems
  • Security Program Management, taught by Shyama Rose
    How to design effective, strategic security programs for complex organizations
  • Security at Scale, taught by Zane Lackey
    Approaches to ensure application security in a continuous deployment environment

Vulnerability Analysis

Vulnerability Analysis is a project-based course that introduces the fundamental technical skills required to analyze and exploit software vulnerabilities. This hands-on course ensures that students understand how modern attacks are developed and performed. Taught by a team of security industry experts, the course guides students through the following topics:

  • Reverse Engineering, taught by Alex Sotirov and Aaron Portnoy
    Understand, modify, and analyze compiled applications and systems to identify vulnerabilities
  • Operations: Post exploitation, persistence and exfiltration, taught by Colin Ames
    Expanding access, maintaining persistence, and evading detection


These courses and this website have been organized and maintained for the past five years by Dan Guido. You can read more about the history of the vulnerability analysis course and some of the past work that students have created in it. If you would like to take these courses for credit, they are offered through:

For outside users, there is a Reddit study group as well as a Twitter account that helps you keep up with new course material and other announcements regarding the class.