Dates:
Monday 22. February 2021
Tuesday 23. February 2021
Speaker: Mathias Tausig, Martin Grottenthaler
Location:
Hosting applications and services with cloud providers has been one of the largest trends of the last decade in the IT world. While replacing your own infrastructure with that of a public cloud provider gives usability benefits, it creates a whole new set of security problems that people in operational or development roles need to be aware of.
This course gives an overview of many of the most widely used cloud services, their specific security threats and the corresponding best practices. It provides you with the theoretical background to understand how problems arise, as well as with the hands-on knowledge to effectively counter those threats within your organization.
We will discuss the most popular AWS services and their security implications, covering the following subjects and questions:
While tailored toward Amazon Web Services (AWS), the largest public cloud provider in today's market, most of the concepts and lessons can be extrapolated to other providers like Azure, Google Cloud Platform or the AliBaba Cloud.
Everyone interested in using cloud services
This course should contain valuable lessons for everyone, even those without prior cloud usage experience. Since the hands-on exercises make use of AWS, some basic working knowledge of using standard cloud services from the management console and the CLI (command line interface), preferably from AWS (e.g. creating an EC2 instance or S3 bucket), is required to participate in the exercises.
To participate in the hands-on exercises, participants will need a laptop with a current version of a modern browser (e.g. Firefox, Chrome). Optionally, we recommend installing the following software:
Dates:
Monday 22. February 2021
Tuesday 23. February 2021
Speaker: Dimitrij Klesev, Filip Nikolic
Location:
Kubernetes has become the de-facto standard for container orchestration. Its open-source code base was initially released by Google and over time became one of the most popular repositories there is. With an ever-growing number of users and contributors, more and more tools and plugins are being developed, including security features.
Setting up a production-ready Kubernetes cluster is not an easy task, nor is its maintenance. In this workshop Klesev Dimitrij and Nikolic Filip (both Certified Kubernetes Administrators) will explain relevant concepts and common pitfalls when it comes to security.
Participants will learn about security best-practices including features like AppArmor, SELinux and seccomp as well as different kinds of Policies such as PodSecurityPolicies, NetworkPolicies and RuntimePolicies. In addition to that, a solid alternative to the problematic Kubernetes secret management will be shown.
Dates:
Monday 22. February 2021
Tuesday 23. February 2021
Speaker: Philippe De Ryck
Location:
Abstract
Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. Common failures result in authentication bypasses, data extraction, or full system compromise.
In this training, you will learn how to build secure APIs. Using a mix between lectures and hands-on exercises, we learn about different security approaches and their trade-offs. Throughout the training, we build up a set of best practices that allow you to analyse and improve the security of your own applications.
Concretely, we will cover the following topics in this hands-on training:
Who should attend?
This security training specifically targets API developers. Anyone involved in building APIs for mobile or Single Page Applications, or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.
Prerequisites
To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful, but not required. The training will include NodeJS and Spring examples, but is just as relevant for other frameworks and technologies.
Computer setup
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (e.g., Chrome, Firefox).
Date:
Tuesday 23. February 2021
Speaker: Thomas Konrad
Location:
This is a completely free 3-hour training on the basics of secure coding. Although the examples will only be in one programming language each, most concepts can be applied to any language and type of software. You'll get a good overview of the following aspects of secure coding:
Ideally, you have some experience in software development, no matter what language. But even if you are just getting started with developing software, this is fine as well. There will definitely be something for you to take away.
This session is free for everyone.
Date:
Tuesday 23. February 2021
Speaker: Johanna Ullrich, Tanya Janca, Alyssa Miller, Violeta Damjanovic-Behrendt, Christine Wahlmüller, Daniela Rabiser, Evelyn Haslinger, Pia Gerhofer, Hannah Wundsam, Maha Sounble, Martina Lindorfer, Adela Mehic-Dzanic, Dani Michaux, Maria Leitner, Doris Schlaffer
Location:
We are beyond excited to bring to you a bunch of inspirational women and their stories. Join in for success stories, mentoring and networking.
Agenda
19:30 | Welcome, Stephanie Jakoubi (SBA Research)
19:40 | Impulse Talk, Adela Mehic-Dzanic (Female Tech Leaders)
20:00 | Mentoring, Tanya Janca (Founder of We Hack Purple)
20:30 | Perspectives on …, moderated by Christine Wahlmüller (WOMENinICT)
      | … Education and Learning, Tanya Janca (Founder of We Hack Purple), Pia Gerhofer (Mentor, Female Coders), Daniela Rabiser (Technical Product Manager, dynatrace)
      | … Challenges in Work Life, Alyssa Miller (Hacker, Advocate and Security Leader), Johanna Ullrich (Key Researcher, SBA Research)
      | … Leadership, Violeta Damjanovic-Behrendt (Senior Researcher, Salzburg Research), Evelyn Haslinger (Co-Founder & COO, Symflower), Dani Michaux (Head of the Cyber Security practice Ireland, KPMG)
21:30 | Empowerment, Startups and Entrepreneurship, Hannah Wundsam (CEO, AustrianStartups)
21:45 | Women Careers, Mentoring, Networking & a Glass of Wine, all Speakers &
This session is free.
Women only.
Date: Tuesday, February 23, 2021
Time: 19:30 - 22:30
Can a single page application store tokens in localStorage?
Yes, of course! LocalStorage is persistent storage, so the token is available to all tabs and windows. It even survives a browser restart.
No, absolutely not! LocalStorage is insecure, and an attacker will be able to steal the token.
Believe it or not, both answers are correct. As simple as this question is, the answer is far from straightforward. In this session, we dive into the security properties of SPAs. We investigate why localStorage is insecure and discuss potential alternatives. By the end of this session, you will be able to decide where to store tokens in your applications. Even better, you’ll be able to argue why your decision is the right one.
Adding static security analysis to a CI/CD pipeline is a great way to improve the security and quality of a product’s codebase. But does it work as intended? Does a green pass mark really mean there are no security defects left? Are we sure that all our code is even covered by the scans? And do we know how our programming paradigm affects the results? In this talk we’ll dive into the types of static security analysis that currently exist, look practically at their respective strengths and weaknesses, and learn how to properly set up the right tool for a project.
Abstract:
If you are serious about secure software development, you should be eager to establish security requirements engineering as the backbone of your SSDLC. Once you have reached mastery in this discipline, the effects can be felt throughout the whole development process. In this talk Thomas will discuss the fundamental building blocks of security requirements engineering based on OWASP SAMM v2 and how to integrate this activity into your established practices. He will also show common pitfalls others have run into so that you can avoid them right from the start. No matter where you stand right now, this talk will inspire you to take another step on the maturity ladder towards mastery.
Although OAuth 2.0 and OpenID Connect are standards for authorization and authentication, in practice many developers fail to implement them correctly, paving the way for severe security flaws. One reason could be the diversity of documents published later to introduce new mechanisms and functionality for the OAuth/OpenID Connect core standards. In this talk, we first dive into the latest BCPs that developers need to consider to secure their implementations against known threats for web apps, mobile apps, and SPAs. Then, in the second part of the talk, we focus on native mobile apps and highlight common wrong implementation choices, based on my experience analysing Google Play Store applications.
Threat modeling and risk assessments are powerful tools to focus security efforts in the right places. The author co-designed the Rapid Risk Assessment framework at Mozilla in 2013 and spent years using it to review the designs of new and existing projects. In this talk, we will present the RRA framework, discuss how to use it, and demonstrate how it helps create a cohesive security culture across the organization.
DevOps and Continuous Delivery have changed how technology operates and how business is run, but security continues to struggle to catch up with the velocity of change in this new world: it’s almost a cat-and-mouse game when it comes to spotting security holes in code before delivering to production, and traditional manual security assessment continues to be untenable as a way of working with modern agile teams.
The concept of DevSecOps can be the ultimate answer, but unfortunately most articles and vendor pitches about this subject are incredibly superficial, and it’s all about dumping existing/traditional security tools on developers, which adds more complexity and frustration without solving the real problem.
“Modern problems require modern solutions”: this talk explains the evolution of security tooling over the last years, and how it must change (or has changed) to match the macro trends and keep up with shifting threats.
As an example, this talk demonstrates how modern “lightweight” code analysis techniques, when combined with secure-by-default frameworks/patterns, can be used to easily detect potential holes within a code base and provide accurate, fast feedback to developers.
Date:
Wednesday 24. February 2021
Speaker: Pascal Schulz, Thomas Konrad, Mathias Tausig, Julien Vehent, Alexander Barabanov, Thomas Kerbl, Michael Koppmann, Martin Schlatzer
Location:
Join the breakout sessions with our experts where you can ask questions regarding the respective topic! There are three such sessions. Join the respective session in Hopin. Link: https://hopin.com/events/sec4d...
Go to "sessions" on the left sidebar and select the breakout session you would like to join.
Experts: Alexander Barabanov (Huawei), Thomas Kerbl (SEC Consult), Thomas Konrad (SBA Research)
Session sponsored by: SBA Research
Expert topics include:
Experts: Pascal Schulz (Dynatrace), Martin Schlatzer (Bitpanda), Michael Koppmann (SBA Research)
Session sponsored by: Bitpanda and Dynatrace
Expert topics include:
Experts: Julien Vehent, Mathias Tausig (SBA Research)
Session sponsored by: SBA Research
Expert topics include:
We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.
- GDPR vs. ML
- The legal peril of fully automated decisions
- Requirements to make your AI explain itself
As Machine Learning is increasingly integrated in many applications, including safety critical ones such as autonomous cars, robotics, visual authentication and voice control, wrong predictions can have a significant influence on individuals and groups.
Advances in prediction accuracy have been impressive, and while machine learning systems still can make rather unexpected mistakes on relatively easy examples, the robustness of algorithms has also steadily increased.
However, many models, and specifically Deep Learning approaches and image analysis, are rather susceptible to adversarial attacks. One form of these attacks, adversarial examples, overlays images with small perturbations that remain (almost) imperceptible to human vision, but can cause a neural network classifier to completely change its prediction about an image, with the model reporting a very high confidence on the wrong prediction.
This talk will give an overview of various attacks (backdoors, evasion, inference/inversion), and will show how they could be mitigated.
The microservice architecture is being increasingly used for designing and implementing application systems in both cloud-based and on-premise infrastructures. There are many security challenges that need to be addressed in the application design and implementation phases, e.g. threat modeling and enforcement of the principle of least privilege, data leakage analysis and attack surface analysis. In order to address some of these security challenges it is necessary to collect security-specific information on the application architecture, but in most cases existing application architecture documentation is not suitable for AppSec engineers. The goal of this research was to provide a concrete proposal of an approach to collecting microservice-based architecture information for securing applications. Research results were contributed to the OWASP community – please see the “Microservices based Security Arch Doc” cheat sheet in the OWASP Cheat Sheet Series.
Application developers tend to focus on features first, with security being an afterthought to those features. Instead of rolling your own security, this talk will show how to integrate seccomp into your self-written applications. We will take a look at the different possibilities for adding a seccomp policy to your application. We will also take a look at different programming languages to show that it is easy in many programming languages to add this kind of feature. Lastly, we will also show how to monitor and detect seccomp violations using Elasticsearch, Kibana and auditbeat.
The goal of this talk is to make sure that no developer in the room has any excuse not to use seccomp to secure their application.
Modern container orchestrators like Kubernetes, Docker or LXC work like magic. We run a simple command or submit a declaration file and the system pops up the requested application - but what is happening behind the curtains? What Linux features are leveraged to create something we call a container? This is a hands-on session in which we create a simple, but (hopefully) secure container. We discuss the moving parts like namespaces, capabilities and cgroups as we dodge upcoming pitfalls and challenges. Jump in and create your first container by hand!
Date:
Thursday 25. February 2021
Speaker: Magno Logan
Location:
This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real-world attack scenario using real-world applications to demonstrate different ways attackers and malicious users can exploit your cluster and the applications running on it. After that we'll provide some best practices for securing your cluster based on the scenarios and on the CIS Benchmarks for Kubernetes. We'll show how to use RBAC, how to enable audit logs for better visibility, and we'll set up some network policies to restrict communication between pods and prevent lateral movement by attackers.
Date:
Thursday 25. February 2021
Speaker: Thomas Konrad, Reinhard Kugler, Artem Bychkov, Michael Koppmann, Jan Wienand, Edwin Sturrus, Juarez Barbosa Junior, Timon Kopp, Mitun Zavery
Location:
Join the breakout sessions with our experts where you can ask questions regarding the respective topic! There are three such sessions. Join the respective session in Hopin. Link: https://hopin.com/events/sec4d...
Go to "sessions" on the left sidebar and select the breakout session you would like to join.
Experts: Jan Wienand (Micro Focus), Timon Kopp (Micro Focus), Thomas Konrad (SBA Research)
Session sponsored by: Micro Focus
Expert topics include:
Experts: Artem Bychkov (Huawei), Mitun Zavery (Sonatype), Michael Koppmann (SBA Research)
Session sponsored by: Sonatype
Expert topics include:
Experts: Juarez Barbosa Junior (Microsoft), Edwin Sturrus (KPMG), Reinhard Kugler (SBA Research)
Session sponsored by: Microsoft and KPMG
It’s been 12 years since DevOps was introduced. But recent studies show that security is still often viewed as a bottleneck. Alyssa Miller dives into the key issues that keep security shut out of the DevOps Pipeline. She’ll provide insights from her recent research that indicate organizations are still failing to mature and achieve a shared responsibility culture. She shares practical actions that security practitioners can take to successfully enable security practices within the pipeline.