What's the topic?
-
In this workshop we will build from scratch or add onto your existing application security program / secure system development life cycle (SSDLC). This workshop will consist of lecture, discussion, and written assignments, and you will walk away with an extensive plan for your new security program. Topics covered: all types of application security activities and tools, policies, standards and guidelines (with several samples to get you started), how to scale your security program and team, developer advocacy and education, and important metrics to gather and how. Time-permitting we will also cover incident response and prevention.
-
With security teams being vastly outnumbered many organizations have responded to this challenge with different program scaling methods, including building security champions programs. Which leads us to questions; How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?
This session will teach you;
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What do delegate and what NOT to delegate
• What to communicate, how often and to who
• How to motivate them
• How to build an AMAZING security champion program -
Bootcamp B: Cutting-edge Security for Modern Web Applications
Date:
Speaker: Philippe De Ryck
Location:
Abstract
Securing modern web applications is hard, really hard. Not only do you have to make the right architectural security decisions, but you also have to be aware of various implementation vulnerabilities in both frontend apps and APIs. Common failures result in data extraction or complete system compromise.
In this training, we take a look at cutting-edge security techniques you can use to boost the security of your applications. We explore common vulnerabilities in modern applications and their recommended defenses. Additionally, we dive into coding guidelines and defense-in-depth strategies that allow you to increase the security of your applications.
Concretely, we will cover the following topics in this hands-on training:
- The security model of modern web applications
- Cross-Site Scripting problems in modern frontends
- Deploying Content Security Policy in modern applications
- Using Trusted Types to eradicate XSS vulnerabilities
- JWT security failures in modern applications
- API security testing to avoid common misconfigurations
- Server-Side Request Forgery (SSRF) attacks and defenses
- Q & A throughout the workshop
Who should attend?
This security training specifically targets developers and architects building modern web frontends / APIs. Anyone involved in building, testing, and designing modern applications should be here. This training course gives you an up-to-date and in-depth look at current security best practices. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.
Prerequisites
To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful but not required. The training will include Angular / React / NodeJS / Java Spring examples but is just as relevant for other frameworks and technologies.
Computer setup
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (E.g., Chrome, Firefox).
-
Car hacking is very much a thing. From taking full control of the car whilst sitting on your couch, to understanding how they have become mobile data collection devices with a fast engine. This talk will shed some light on what exactly is possible, from a hacking perspective and also give you ideas on what you can do with your own car, from a tinkering and explorative perspective.
-
Over the past decade, how software is written has changed drastically, with widespread adoption of Agile, DevOps, and cloud providers, among other shifts.
These changes have required security teams to adapt. I believe we’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time.
One key shift is that modern application security teams are deemphasizing trying to Find All The Bugs, and instead are focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks can enable organizations to solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole.
This talk will explore the power of secure defaults and how to embrace them in your company. We’ll also discuss how this same approach and mindset can be used to raise code quality (e.g. performance, robustness, correctness) and code standards across your org, help onboard new developers more quickly, and more.
Lastly, as good working relationships are more important than ever, we’ll also cover how security teams can take a customer-centric approach to supporting their engineering colleagues, and how developers can effectively work with their colleagues in security.
-
Securing Web Applications with Modern Web Platform Security Features
Date:
Speaker: Lukas Weichselbaum
Location:
Abstract:
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about – often the hard way! In addition the lack of true web isolation has led to new problems like XS-Leaks and transient execution vulnerabilities such as Spectre and Meltdown which broke the illusion that the web is immune to CPU-level bugs.Luckily, new security mechanisms available in web browsers offer exciting features which allow developers to protect their applications. In this talk, I'll introduce these features and explain how to use them most effectively.
We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We’ll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, followed by Fetch Metadata request headers and CORP/COOP to protect from vulnerabilities like CSRF or Spectre that arise from insufficient isolation in the web platform. -
Ready for a large portion of female power? We are beyond excited to bring to you a bunch of inspiring women and their stories.
Join us for "Women in IT - we are here to stay"
Wednesday, September 07, 2022 from 17:30 - 20:00
Location: TUtheSky (Campus Getreidemarkt)
This session is free for all women.
Women only. -
Part of the reason security matters is that it's often impossible to regain control of information that is exposed through a security breach. At the same time, we know that no security is perfect and that to some degree, breaches and/or data loss are inevitable.
Drawing on concepts from disaster recovery and harm reduction, this talk will explore the practical implications of considering the aftermath of a security incident during the software development process. From technical approaches like encryption and authentication to more design and policy-oriented strategies like data minimization, the goal of this talk is to empower developers to have meaningful conversations with stakeholders about what it means to take a fully-scoped approach to security for real-world applications.
-
Bootcamp C: How to Scale Software Quality and Security Using Open Source Tools
Date:
Speaker: Clint Gibler
Location:
You want to ship new features quickly, but you also want your code to be robust. And fast. And secure. This can be tough to do within one team, let alone companies with many teams and hundreds to thousands of developers.
In this workshop, we’ll do a deep dive into Semgrep, an open source, lightweight static analysis tool, that’s like a Swiss Army Knife for finding bad code. Semgrep supports 15+ programming languages, infrastructure as code (e.g. Terraform), YAML and more. Learn once, use everywhere. It can scan millions of lines of code in minutes, and it ships with over 1,600 open source rules covering the OWASP Top 10 and other security vulnerabilities, as well as performance, correctness and robustness checks as well.
The workshop will primarily be hands-on exercises, including:
- How to start continuously scanning every pull request in CI in minutes.
- How to automate the repetitive parts of code review: automate the comments you always make to free up your time for higher impact work. Automate your company’s internal code review guidelines.
- Best practices in rolling out continuous code scanning - what to focus on, what to ignore, and how to maintain high development velocity without sacrificing security.
- How to use this scanning to enforce secure defaults across your org, or prevent variants of known vulnerabilities or bugs from re-entering your code.
- How to write custom Semgrep rules - find anti-patterns and enforce security best practices unique to your organization.
- Advanced mode: we’ll also show how Semgrep can be used for a variety of purposes - alerting you whenever a new route is added (new attack surface), when new dependencies are added or Dockerfiles are modified (detect potential supply chain risk), or when generally sensitive files are modified, such as core authorization logic or secret management.
You’ll leave this workshop with the knowledge, skills, and tools to immediately start improving your company’s code quality and security at scale.
-
sec4dev Special Meetup
Date:
Speaker: Philippe De Ryck, Reinhard Kugler, Dimitrij Klesev, Tanya Janca
Location:
All Infos here: