Dates:
Monday 24. February 2020
Tuesday 25. February 2020
Speaker: Philippe De Ryck
Location:
Whether you like it or not, we all live in a world of Single Page Applications. Frontend JavaScript frameworks such as Angular and React have changed the way we build web applications. However, did you know that these frameworks also disrupt the security landscape? For example, Angular and React change the nature of XSS as we know it. They also conflict with modern security measures, such as Content Security Policy.
In this bootcamp, you will learn how to build secure Single Page Applications. We cover changes in the security model of an application, common threats to an application, framework features that increase security, and state-of-the-art security technology you should start using. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.
Target group: This security training specifically targets modern web developers. Anyone involved in building single-page applications (e.g., Angular, React) or managing development teams should be here.
Participant requirements: To participate in this bootcamp, you should have development experience with single-page applications and the underlying APIs. Familiarity with the basics of security (e.g., simple XSS attacks) is helpful, but not required. The training will talk about Angular and React specifically, but also applies to other frameworks, such as EmberJS or Vue.js.
The training consists of both lectures and hands-on lab sessions. Lectures go into depth on security threats and mitigation strategies. Labs are conducted in a custom-built competitive lab environment. Security challenges give you hands-on experience with attacks and defenses. You will walk away from this training with an overview of current best practices, along with actionable advice on implementing them.
Hardware requirements: To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (e.g., Chrome, Firefox).
Maximum number of participants: 25
Dates:
Monday 24. February 2020
Tuesday 25. February 2020
Speaker: Steven Wierckx
Location:
Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attack modeling activities within threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and to direct and scope your security testing. For this training, we will teach an iterative and incremental threat modeling method that is integrated into the development and deployment pipeline.
Threat modeling allows you to consider, identify, and discuss the security implications of user stories in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. In this bootcamp you will learn how to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model based on an AWS and microservices migration from a classical web application.
Target group: DevOps Engineers
Participant requirements: Participants should have basic knowledge of microservices, cloud architectures and AWS.
Threat modeling introduction
Diagrams – what are you building?
Identifying threats – what can go wrong?
Addressing each threat
Practical threat modeling as part of the DevOps pipeline
Attack libraries
Threat modeling resources
As highly skilled professionals with years of experience under our belts, we know that there is a gap between academic knowledge of threat modeling and the real world.
In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build and iteratively improve a threat model. Using this methodology for the hands-on workshops we provide the participants with a robust training experience and the templates to incorporate threat modeling best practices in their daily DevOps work.
The participants will be challenged to perform practical threat modeling in squads of 3 to 4 people covering the different stages of threat modeling on an incremental business driven CI/CD scenario:
After each hands-on workshop, the results are discussed, and the students receive a documented solution.
Participant package: The course students receive the following package as part of the course:
Hardware requirements: Participants should bring their own laptop or tablet to read and use the training handouts and exercise descriptions. No further requirements.
Maximum number of participants: 25
Dates:
Monday 24. February 2020
Tuesday 25. February 2020
Speaker: Reinhard Kugler, David Gnedt
Location:
Your project intends to use a physical device and thereby enters the world of the Internet of Things (IoT)? Your app uses state-of-the-art security, but how does the IoT device impact the overall security? Does the device jeopardize the success of the company by exposing your data and making the project prone to a data breach? In this bootcamp you will learn the essential tasks for assessing an IoT device and evaluating its security.
This training slips you into the role of a full-stack engineer at the (fictitious) startup “TrackR4”. Your company is leading the vehicle tracking industry. Over the last year your team developed a new app, and it is ready to ship. Alongside the app, the company has decided at the last minute to introduce a new hardware tracking solution. The all-in-one box provides GPS, Internet via 3G, ethernet as well as serial and digital interfaces. You get two days to assess some evaluation devices and to report back with a Go/NoGo decision on buying 10 000 pieces. No pressure 😉
This bootcamp aims to teach the process of security testing an Internet of Things (IoT) device. You will learn to use tools, vendor resources and the device itself to conduct tests in order to evaluate the security of the device and its ecosystem. This hands-on training is lab based. After teaching the theoretical background and methods, you will be provided with challenges based on the device under test. The labs are guided by the instructors and outlined by a written guide.
Target group: Any software engineers interested in learning the process of security testing an Internet of Things (IoT) device.
Participant requirements: Software engineering or system administration background with limited or no skills in hardware security.
This training aims to cover the most common and hazardous security vulnerabilities of Internet of Things (IoT) devices, based on the OWASP IoT Top 10. First, we will start with basic penetration testing techniques like port scanning, service discovery and a wireless wiretap. After creating a threat model and populating it with vendor information, more advanced attacks are developed. Via extraction of the firmware, the security test moves from a black box test to a grey box test, and we will test for known vulnerabilities as well as discover new ones. After spotting a possible vulnerability, an exploit is prototyped in order to prove exploitability and to assess the resulting risk. After that, we will move from software attacks to hardware assessment, so that you learn to analyze the circuit board (PCB) and possible attack vectors.
With a logic analyzer, we will capture the logic signals on some wires, and you will learn to transform the signals into a form usable with a computer. With this ability the hunt for debug interfaces begins. Is the device prone to manipulation once an attacker opens the case? You will learn the stages of the boot process and how to interfere with it. The last part is a man-in-the-middle attack between on-board components of the PCB.
After the technical evaluation of the device, you will learn to rate vulnerabilities and how to communicate with the vendor of the device in order to improve the quality of the next builds.
Hardware requirements: All participants should bring a Laptop (see below) and are provided with a Virtual Machine.
Maximum number of participants: 12
Dates:
Monday 24. February 2020
Tuesday 25. February 2020
Speaker: Andreas Falk
Location:
All developers today are also DevSecOps engineers, even if they are not aware of it. In this Bootcamp, you will learn how to secure cloud-native Java microservices. First, we will look into what the common security risks for server-side applications are. Then we will dive directly into the hands-on coding parts to see how we can mitigate those security risks in our own applications. Specifically, we'll see how the security patterns are implemented with the most widely used frameworks, Spring Boot and Micronaut. In the last part, you will also learn how to deploy your applications securely as containers into a Kubernetes cluster.
Training content:
This security training specifically targets Java developers. Anyone involved in building cloud-native backend applications (e.g., Spring Boot or Micronaut) should participate.
To participate in this Bootcamp, you should have development experience with Java backend applications. Familiarity with the basics of either Spring Boot or Micronaut would be helpful but is not required.
To participate in the hands-on lab sessions, participants need an internet-accessible laptop (having at least 8GB RAM) with a modern browser installed. In addition, the following software is required:
Maximum number of participants: 25
Not a week goes by without a breaking story on a major software security incident. Most of us shrug off the incident, often forgetting that these incidents have a deep impact on the people behind the code. Judging and shaming are easy, but how often do you really think about the story behind an incident?
This keynote reflects on several real-life security incidents and their impact on the people behind the code. From each incident, we will extract lessons learned and translate them into best practices for building secure software. These best practices are easy to comprehend, but they might be challenging to follow.
Threat modelling is a systematic way of finding threats to the IT security of a system. It consists of developing a model of the system and a tool for identifying threats. While this approach is suitable for any system, we will focus on the railway and automotive domains.
In this talk we will introduce the STRIDE approach to threat modelling and then proceed to the state-of-the-art research performed at AIT: Communication and data-flow diagrams that allow us to consider not only the logical, but also the physical architecture of a system.
We work on a system that will advance threat modelling by enabling a cooperative approach towards threat intelligence. We will give hands-on demonstrations of our system.
According to the Department of Homeland Security, 90% of security incidents result from exploits against defects in the design or code of software. This is so even though Bill Gates already requested a paradigm shift from features to security in his 2002 Trustworthy Computing memo, with the sentence "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Lucas v. Stockhausen will show in his talk how applications can be built in a secure way using existing technologies and how developers can best be involved in this.
We are living in a world that is increasingly run by software. Daily activities, such as online banking, mobile communications and air traffic, are controlled by software. This software is growing in size and functionality, but its reliability is hardly improving. We are getting used to the fact that computer systems are error-prone and insecure. To (re)gain the trust of end-users in software and Web services, formal automated reasoning is one of the main investments made by ICT companies in preventing software errors.
In this talk I will present recent advances in automated reasoning, in particular computer-supported theorem proving, for generating and proving software properties that prevent programmers from introducing errors while making changes to this software. When testing programs that manipulate computer memory, our initial results show that our work is able to prove that over 80% of test cases are guaranteed to have the expected behavior. The work described in this talk, and its results, are supported by an ERC Starting Grant and an ERC Proof of Concept Grant, aiming at providing ICT customers and investors with a tool-supported methodology for ensuring continuous growth in software functionality, thus increasing software reliability and users' trust in software technologies.
Ever thought of encrypting uploaded files in the web browser before they hit the server? Most web browsers nowadays offer encryption primitives via the Web Crypto API for the encryption itself, but we’ll soon see that this isn’t enough. What about the correct cipher modes? How can we ensure confidentiality, integrity and authenticity? What about big files and limited memory availability? In this talk, we’ll cover the following topics:
Tagged memory is one of the most promising ways to achieve memory safety. The ARM architecture has supported such technology since version 8.5 under the name Memory Tagging Extension (MTE). In this work we explore a memory tagging approach for RISC-V CPUs using low-latency ciphers. In particular, instead of storing the tag in RAM alongside the data, the tag is used to encrypt the data in RAM. This has the advantage that larger tags (providing higher levels of security) are possible and no extra RAM is needed to store tags.
What you'll learn:
With the unstoppable rise of the Internet of Things since the 2010s, secure firmware updates have become one of the most crucial processes in IoT. Since a device may be bricked by a corrupted firmware, the need for a secure and safe update is obvious. Various approaches have been developed, from secure bootloaders to memory partitioning. Nevertheless, there does not seem to be any satisfying solution: not generic, not usable, not automatic, not secure, not safe. This talk will take a look at current approaches and give a live demonstration of one of them.
This talk will use the existing Elasticsearch codebase as an example of how to secure a service while retaining the same level of usability. Several features will be covered, amongst others the use of the Java Security Manager within Elasticsearch, the integration of seccomp and other native features, the implementation of a secure scripting language, and how to properly implement secure use of plugins.
Date:
Wednesday 26. February 2020
Speaker: Philippe De Ryck, Steven Wierckx, Pascal Schulz, Laura Kovacs, Stefan Jakoubi, Johanna Ullrich
Location:
Attack surface, networking complexity, data explosion, and siloed teams and services are consequences of moving to microservices architectures. In this introductory talk, you learn what the different challenges of this type of architecture – and of less decoupled ones, halfway between monolith and microservices – mean in terms of development and security, and how we cope with them at GitLab.
Legal liability for insecure software - "write once, cause damage anywhere"
In this talk we will cover the basics of Mobile (Android and iOS) App Security.
We will first start with an introduction and motivation, talking about why you need to care about app security, what the important things to protect are, and the motivation an attacker might have to hack your application.
After that we will move on to more technical details and cover the things you (as a developer) can do to protect your applications against the most common security threats. This includes secure networking, user data protection, root/jailbreak detection (and understanding the effects of a rooted device), IP protection, etc.
This talk aims to discuss the relationship between human behavior and security measures. When developing a security-training tool, it is important to understand the users’ needs and experience in order to fulfill the security policy. This talk takes its point of departure from lessons learned in the development project ‘Emergency cockpit-training app’, and how DBI applied ethnographic methods to understand the user and used these insights while developing the app. Researching the user’s environment is a crucial part of avoiding classical pitfalls that relate to Human Computer Interaction.
User authentication has become so complex that developers should not touch it anymore. Anyone building a modern application should consider using an identity provider that handles authentication. However, doing so requires the use of OpenID Connect (OIDC), which brings its own complexity.
In this talk, we look at securely implementing OIDC in an Angular application. We investigate which flow to use in which scenario. We look at the security properties in OpenID Connect, and how to ensure your application respects them. In the end, you will walk away with practical advice on implementing authentication with OIDC in Angular.
The PHP security landscape has evolved a lot since its first steps 24 years ago: well-known dangerous code patterns of last year are already outdated, and new exploitation techniques flourish regularly.
This talk aims to present the most common "modern" vulnerabilities in PHP applications along with their associated risks, such as SSRF, SSTI, arbitrary instantiation, disabled_functions / open_basedir bypasses, bugs in the language's engine, framework specifics and pitfalls, etc.
Although the presented security vulnerabilities are not specific to PHP, choosing a specific language as the basis for the talk allows every concept described to be illustrated with real-life examples.
Currently, software development processes tend to grow organically, and security is hardly ever a core component of them. With the new ISO/IEC 62443 standard, the first secure development process that can be certified was outlined. This gives developers and vendors the possibility to be on the same page regarding how to develop secure products. During this talk we will look at the 62443-4-1 and 62443-4-2 standards, which are relevant for developers and architects who want to introduce security into their software development process. We will talk about our experience in helping industrial vendors achieve certification, as well as common pitfalls.
In large cluster environments with hundreds of different users and their respective permissions, access management is sometimes difficult to apply. Common approaches are using a corporate PKI to issue individual client certificates or adding webhooks. Another way is verifying signed JWT tokens (OpenID Connect), which is well suited for companies that are already using directory services (like Active Directory or OpenLDAP).
In this talk, ÖBB and WhizUs will demonstrate a real-life example of how we manage multiple Kubernetes clusters in multiple projects with hundreds of different users by connecting to the company's Active Directory Service through Keycloak for JWT validation.
Participants will learn how it is possible to configure and operate multiple, including larger, Kubernetes clusters with centralized user and rights management. In particular, best practices, open source solutions and common enterprise setups will be presented.
Security vulnerability categories are constantly evolving. Evidence for that can be found in a comparison of all OWASP Top 10 releases. This leaves all blue teams with question marks about the next big bang. James Kettle (@albinowax) just last year stirred up the security world by introducing everyone to HTTP desync attacks. This talk provides quick summaries of popular attack vectors which gained a lot of attention throughout the last two years. Next to a recap of how those vulnerabilities work, practical guidance is given on how to detect and mitigate those issues.