Training Overview

Hosting applications and services with cloud providers has been one of the largest trends of the last decade in the IT world. While replacing your own infrastructure with that of a public cloud provider gives usability benefits, it creates a whole new set of security problems that people in operational or development roles need to be aware of.

This course gives an overview over many of the most widely used cloud services and their specific security threats and best practices. It provides you with the theoretical background to understand how problems arise, as well with the hands-on knowledge to effectively counter those threats within your organization.

Will discuss the most popular AWS services and their security applications, covering the following subjects and questions:

• Why would I want to move to the cloud?
• The fabric of cloud security: Identity and Access Management
• The most popular AWS services
• Something happened: Logging and Monitoring
• Attacking the cloud

While tailored toward the Amazon Web Services (AWS), the largest public cloud provider of today's market, most of the concepts and lessons can be extrapolated to other providers like Azure, Google Cloud Platform or the AliBaba Cloud.

Target Group

Everyone interesting in using cloud services

• Developer
• Admins
• DevOps
• CTO
• Software Architects
• Security Champions

Prerequisites and Requirements

This course should contain valuable to lessons for everyone, even those without prior cloud usage experience. Since the hands-on exercises make use of AWS, some basic working knowledge with using standard cloud services from the management console and the CLI (command line interface), preferably from AWS (e.g. creating a EC2 instance or S3 bucket) is required to participate in the exercises.

To participate in the hands-on exercises, participants will need a laptop with a current version of a modern browser (e.g. Firefox, Chrome). Optionally, we recommend to install the following software:

• The AWS CLI with the Session Manager plugin
• An SSH client

Kubernetes has become the de-facto standard for Container Orchestration. Its powerful open-source code has initially been deployed by Google and over time became one of the most popular repositories there is. With an ever growing number of users and contributors more and more tools and plugins are being developed, including security features.

Setting up a production ready Kubernetes cluster is not an easy task, nor is the maintenance. In this workshop Klesev Dimitrij and Nikolic Filip (both Certified Kubernetes Administrators) will explain relevant concepts and usual downfalls when it comes to security.

Participants will learn about security best-practices including features like AppArmor, SELinux and seccomp as well as different kinds of Policies such as PodSecurityPolicies, NetworkPolicies and RuntimePolicies. In addition to that, a solid alternative to the problematic Kubernetes secret management will be shown.

Requirements

• Laptop with modern Browser (Chrome, Firefox, Safari)
• Internet Access
• Experience with Linux!
• Experience with Docker!
• Experience with Kubernetes advantageous

Abstract

Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. Common failures result in authentication bypasses, data extraction, or full system compromise.

In this training, you will learn how to build secure APIs. Using a mix between lectures and hands-on exercises, we learn about different security approaches and their trade-offs. Throughout the training, we build up a set of best practices that allow you to analyse and improve the security of your own applications.

Concretely, we will cover the following topics in this hands-on training:

• The security model of the web
• API authentication techniques
• REST APIs, sessions and security
• Cross-Origin Resource Sharing (CORS)
• Using JSON Web Tokens (JWT) for security
• Introduction to OAuth 2.0 and OpenID Connect
• Securing APIs with OAuth 2.0
• Q & A

Who should attend?

This security training specifically targets API developers. Anyone involved in building APIs for mobile or Single Page Applications, or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.

Prerequisites

To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful, but not required. The training will include NodeJS and Spring examples, but is just as relevant for other frameworks and technologies.

Computer setup

To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (E.g., Chrome, Firefox).

Kubernetes has become the de-facto standard for Container Orchestration. Its powerful open-source code has initially been deployed by Google and over time became one of the most popular repositories there is. With an ever growing number of users and contributors more and more tools and plugins are being developed, including security features.

Setting up a production ready Kubernetes cluster is not an easy task, nor is the maintenance. In this workshop Klesev Dimitrij and Nikolic Filip (both Certified Kubernetes Administrators) will explain relevant concepts and usual downfalls when it comes to security.

Participants will learn about security best-practices including features like AppArmor, SELinux and seccomp as well as different kinds of Policies such as PodSecurityPolicies, NetworkPolicies and RuntimePolicies. In addition to that, a solid alternative to the problematic Kubernetes secret management will be shown.

Requirements

• Laptop with modern Browser (Chrome, Firefox, Safari)
• Internet Access
• Experience with Linux!
• Experience with Docker!
• Experience with Kubernetes advantageous

Abstract

Building secure APIs and microservices is hard, really hard. Not only do you have to make the right architectural security decisions, you also have to be aware of various implementation vulnerabilities to ensure the security of your applications. Common failures result in authentication bypasses, data extraction, or full system compromise.

In this training, you will learn how to build secure APIs. Using a mix between lectures and hands-on exercises, we learn about different security approaches and their trade-offs. Throughout the training, we build up a set of best practices that allow you to analyse and improve the security of your own applications.

Concretely, we will cover the following topics in this hands-on training:

• The security model of the web
• API authentication techniques
• REST APIs, sessions and security
• Cross-Origin Resource Sharing (CORS)
• Using JSON Web Tokens (JWT) for security
• Introduction to OAuth 2.0 and OpenID Connect
• Securing APIs with OAuth 2.0
• Q & A

Who should attend?

This security training specifically targets API developers. Anyone involved in building APIs for mobile or Single Page Applications, or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.

Prerequisites

To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful, but not required. The training will include NodeJS and Spring examples, but is just as relevant for other frameworks and technologies.

Computer setup

To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (E.g., Chrome, Firefox).

Training Overview

Hosting applications and services with cloud providers has been one of the largest trends of the last decade in the IT world. While replacing your own infrastructure with that of a public cloud provider gives usability benefits, it creates a whole new set of security problems that people in operational or development roles need to be aware of.

This course gives an overview over many of the most widely used cloud services and their specific security threats and best practices. It provides you with the theoretical background to understand how problems arise, as well with the hands-on knowledge to effectively counter those threats within your organization.

Will discuss the most popular AWS services and their security applications, covering the following subjects and questions:

• Why would I want to move to the cloud?
• The fabric of cloud security: Identity and Access Management
• The most popular AWS services
• Something happened: Logging and Monitoring
• Attacking the cloud

While tailored toward the Amazon Web Services (AWS), the largest public cloud provider of today's market, most of the concepts and lessons can be extrapolated to other providers like Azure, Google Cloud Platform or the AliBaba Cloud.

Target Group

Everyone interesting in using cloud services

• Developer
• Admins
• DevOps
• CTO
• Software Architects
• Security Champions

Prerequisites and Requirements

This course should contain valuable to lessons for everyone, even those without prior cloud usage experience. Since the hands-on exercises make use of AWS, some basic working knowledge with using standard cloud services from the management console and the CLI (command line interface), preferably from AWS (e.g. creating a EC2 instance or S3 bucket) is required to participate in the exercises.

To participate in the hands-on exercises, participants will need a laptop with a current version of a modern browser (e.g. Firefox, Chrome). Optionally, we recommend to install the following software:

• The AWS CLI with the Session Manager plugin
• An SSH client

Although OAuth 2.0 and OpenID Connect are standards for Authorization and Authentication, in practice a lot of developers failed to implement them correctly, paving the way for severe security flaws. One reason could be the diversity of documents that are published later to introduce new mechanisms, functionalities for the OAuth/OpenID Connect core standards. In this talk, we firstly dive into the latest BCPs that are needed to be considered by developers to secure their implementations against known threats for web apps, mobile apps, and SPAs. Then, in the second part of the talk, we mainly focus on the mobile native apps and highlight the common wrong implementation choices based on my experience on Google Play Store application analysis.

Threat modeling and risk assessments are powerful tools to focus security efforts in the right places. The author co-designed the Rapid Risk Assessment framework at Mozilla in 2013 and spent years using it to review the designs of new and existing projects. In this talk, we will present the RRA framework, discuss how to use it, and demonstrate how it helps creates a cohesive security culture across the organization.

DevOps and Continuous Delivery has changed how technology operates and how business is run, but security continues to struggle to catch-up with the velocity of change in this new world : it’s almost a cat-and-mouse game when it comes to spot security holes into code before delivering to production, and traditional manual security assessment just continue to be untenable as a way of working with modern agile teams.
The concept of DevSecOps can be the ultimate answer, but unfortunately most articles and vendor pitches about this subject are incredibly superficial, and it’s all about dumping existing/traditional security tools on developers, which adds more complexity and frustration without solving the real problem.

“Modern problems require modern solutions” : this talk explains the evolution of security tooling over the last years, and how they must change (or has changed) to match the macro trends and keep up with the shifting threat.

As an example, this talk demonstrates how modern “lightweight” code analysis techniques, when combined with secure-by-default frameworks/patterns, can be used to easily detect potential holes within a code base, and provide accurate/fast feedbacks to developers.

We measure so that we can improve and report. Reporting is for our bosses and job security. Improvement is for us. As an outnumbered security professional you will never, ever have enough time, money and resources to add every layer of defence you wish you could, which means we need to work smarter. Learn about which metrics truly matter, and which vanity metrics you can learn to safely ignore, so that you can work the most effectively at protecting your organization.

The microservice architecture is being increasingly used for designing and implementing application systems in both cloud-based and on-premise infrastructures. There are many security challenges need to be addressed in the application design and implementation phases, e.g.:threat modeling and enforcement of the principle of least privilege, data leakage analysis and attack surface analysis.In order to address some security challenges it is necessity to collect security-specific information on application architecture, but in most cases existing application architecture documentation is not suitable for AppSec engineers. The goal of this research was to provide a concrete proposal of approach to collect microservice-based architecture information to securing application. Research results were contributed to the OWASP community – please see “Microservices based Security Arch Doc” cheat-sheet in OWASP Cheat Sheet Series.

Application developers tend to focus on features first with security being an afterthought to those features. Instead of rolling your own security, this talk will show how to integrate seccomp into your self written applications. We will take a look at the different possibilities of how to add a seccomp policy to your application. We will also take a look at different programming languages to show, that it is easy in many programming languages to add this kind of feature. Lastly, we will also show how to monitor and detect seccomp violations using Elasticsearch, Kibana and auditbeat.

The goal of this talk is make sure that any developer in the room does absolutely have zero excuses to not use seccomp to secure their application.

Modern container orchestrators like Kubernetes, Docker or LXC work like magic. We run a simple command or submit a declaration file and the system pops up the requested application - but what is happening behind the curtains? What Linux features are leveraged to create something we call a container? This is a hands on session in which we create a simple, but (hopefully) secure container. We discuss the moving parts like namespaces, capabilities and cgroups as we dodge upcoming pitfalls and challenges. Jump in and create your first container by hand!

This presentation aims to talk about different attack scenarios leveraging Kubernetes clusters. We'll dig deeper into a real world attack scenario using real world applications to demonstrate different ways attackers and malicious users can use to exploit your cluster and the applications running on it. After that we'll provide some best practices to securing your cluster based on the scenarios and on the CIS Benchmarks for Kubernetes. We'll show how to use RBAC, to enable audit logs for better visibility, and we'll set up some network policies to avoid communication between pods and prevent any lateral movement from attackers.

Join the breakout sessions with our experts where you can ask questions regarding the respective topic! There are three such sessions. Join the respective session in Hopin. Link: https://hopin.com/events/sec4d...
Go to "sessions" on the left sidebar and select the breakout session you would like to join.

Secure SDLC

Experts: Jan Wienand (Micro Focus), Timon Kopp (Micro Focus), Thomas Konrad (SBA Research)
Session sponsored by: Micro Focus

Expert topics include:

• Secure software development lifecycle
• Secure architecture
• Scaling of automated tools
• Integration of tooling into the day-to-day work
• Secure coding education
• Vulnerability management
• Software supply chain security
• Software security management

Security Automation

Experts: Artem Bychkov (Huawei), Mitun Zavery (Sonatype), Michael Koppmann (SBA Research)
Session sponsored by: Sonatype

Expert topics include:

• Application security testing
• Automation: SAST, DAST, IAST, SCA
• Integration in CI/CD pipelines
• On-premise tools vs. cloud-based tools
• Handling false positives
• Handling findings in general

Cloud Security

Experts: Juarez Barbosa Junior (Microsoft), Edwin Sturrus (KPMG), Reinhard Kugler (SBA Research)
Session sponsored by: Microsoft and KPMG

• Cloud security
• Shared responsibility models
• Identity and access management
• Infrastructure as code
• Logging and monitoring in the cloud
• Typical vulnerabilities and how to avoid them
• Hybrid environments (multi-cloud and cloud-on-premise)
• Blockchain in the cloud
• DevSecOps in the cloud
• Deploy DevOps in the cloud

It’s been 12 years since DevOps was introduced. But recent studies show that security is still often viewed as a bottleneck. Alyssa Miller dives into the key issues that keep security shut out of the DevOps Pipeline. She’ll provide insights from her recent research that indicate organizations are still failing to mature and achieve a shared responsibility culture. She shares practical actions that security practitioners can take to successfully enable security practices within the pipeline.