Dates:
Tuesday 06. September 2022
Wednesday 07. September 2022
Speaker: Philippe De Ryck
Location:
Abstract
Securing modern web applications is hard, really hard. Not only do you have to make the right architectural security decisions, but you also have to be aware of various implementation vulnerabilities in both frontend apps and APIs. Common failures result in data extraction or complete system compromise.
In this training, we take a look at cutting-edge security techniques you can use to boost the security of your applications. We explore common vulnerabilities in modern applications and their recommended defenses. Additionally, we dive into coding guidelines and defense-in-depth strategies that allow you to increase the security of your applications.
Concretely, we will cover the following topics in this hands-on training:
Who should attend?
This security training specifically targets developers and architects building modern web frontends / APIs. Anyone involved in building, testing, and designing modern applications should be here. This training course gives you an up-to-date and in-depth look at current security best practices. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.
Prerequisites
To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful but not required. The training will include Angular / React / NodeJS / Java Spring examples but is just as relevant for other frameworks and technologies.
Computer setup
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (e.g. Chrome, Firefox).
Dates:
Tuesday 06. September 2022
Wednesday 07. September 2022
Speaker: Clint Gibler, Claudio Merloni
Location:
You want to ship new features quickly, but you also want your code to be robust. And fast. And secure. This can be tough to do within one team, let alone companies with many teams and hundreds to thousands of developers.
In this workshop, we’ll do a deep dive into Semgrep, an open source, lightweight static analysis tool that’s like a Swiss Army Knife for finding bad code. Semgrep supports 15+ programming languages, infrastructure as code (e.g. Terraform), YAML and more. Learn once, use everywhere. It can scan millions of lines of code in minutes, and it ships with over 1,600 open source rules covering the OWASP Top 10 and other security vulnerabilities, as well as performance, correctness and robustness checks.
The workshop will primarily be hands-on exercises, including:
You’ll leave this workshop with the knowledge, skills, and tools to immediately start improving your company’s code quality and security at scale.
Date:
Tuesday 06. September 2022
Speaker: sec4dev Pubquiz
Location:
TU the Sky
Join us for our sec4dev Pub Quiz on Tuesday evening. Enjoy the great view over Vienna at the TUtheSky and of course snacks & drinks.
Schedule
17:30 Arrival
18:00 Beginning of Pub Quiz
Date:
Wednesday 07. September 2022
Speaker: Tanya Janca
Location:
In this workshop we will build from scratch or add onto your existing application security program / secure system development life cycle (SSDLC). This workshop will consist of lecture, discussion, and written assignments, and you will walk away with an extensive plan for your new security program. Topics covered: all types of application security activities and tools, policies, standards and guidelines (with several samples to get you started), how to scale your security program and team, developer advocacy and education, and important metrics to gather and how. Time-permitting we will also cover incident response and prevention.
Date:
Wednesday 07. September 2022
Speaker: Abdessamad Temmar
Location:
If you're looking to get some hands-on experience with the tools and techniques used for breaking mobile applications, this is the class for you. From exploiting old-school misconfiguration issues using automated tools (Objection, Drozer, etc.) to the very latest exploits to simulate malicious applications and complex attack scenarios, we have got it all covered!
Detailed outline: For each platform (Android/iOS) we start with a brief introduction to its internal security mechanisms, and then continue with a set of hands-on exercises on the most common issues. Each exercise item is structured as follows:
• A brief overview of the mobile component involved in the issue;
• A case study of the issue on a real-world application, and the technical steps to reproduce it;
• A CTF-based exercise to test the gained skill (please refer to the document attached to this submission, which provides an example of this structure).
Each lab item uses different techniques: from basic static analysis to advanced dynamic and runtime checks.
Participants will get web-based access to a pre-configured pentesting environment that includes:
• A virtual machine with a set of tools to use directly.
• Access to a cloud-based virtual device for each platform (Android and iOS) to install and test vulnerable apps.
No material requirements or annoying VPN setup are needed: a web browser is the only thing you need to jump right into the hands-on labs.
PS: Students will also get an offline version of the lab tools in case they want to use them later.
Date:
Wednesday 07. September 2022
Speaker: Ulrich Bayer
Location:
This is a completely free 3-hour training on the basics of secure coding. Although the examples will only be in one programming language each, most concepts can be applied to any language and type of software. You'll get a good overview of the following aspects of secure coding:
Ideally, you have some experience in software development, no matter in which language. But even if you are just getting started with developing software, this is fine as well. There will definitely be something to take away for you.
This session is free for everyone.
Date: Wednesday, September 7, 2022
Time: 13:00 - 16:00
Getreidemarkt 9, 1060 Wien, BA Gebäude, 2.UG - GM 5 Praktikum Hörsaal
There will be signs & sec4dev staff to guide you to the Auditorium
Date:
Wednesday 07. September 2022
Speaker: Tanya Janca, Ronke Babajide, Antje Enzi, Elke Oberhuber, Maria Geir, Linda Mohamed
Location:
Taking female experts to the top!
Are you ready for a large portion of female power? We are beyond excited to bring to you inspiring women and their stories. Above the rooftops of Vienna we talk about the way to the top.
< Agenda >
16:00 Welcome
Stephanie Jakoubi (Co-founder sec4dev)
16:10 "We Are Here to Stay!" Stories of 200 Women in IT, their Passion & Impostor Syndrome
16:20 Discussion: Perspectives on - Education and Learning - Challenges in Work Life - Leadership
16:55 Break
17:05 Workshops
18:35 Break
18:45 Interview on Stage
Tanya Janca (Founder of We Hack Purple and author of "Alice and Bob Learn Application Security")
19:05 Wine and Networking
< Workshops >
#IamRemarkable
#IamRemarkable is a Google initiative empowering women and other underrepresented groups to celebrate their achievements in the workplace and beyond.
During the 90 minute workshop, you will learn the importance of self-promotion in your personal and professional life and be equipped with tools to develop this skill. Participants will be invited to challenge the social perception around self-promotion.
Goals
1. Improve the self promotion motivation and skills of women and underrepresented groups
2. Challenge the social perception around self promotion
Mental Requirements Engineering
Learn how to own the backlog of your life to actively shape your future!
Working in IT, you are all very likely to have dealt with requirements specifications before. But have you ever thought about engineering the requirements for your own mental health, professional ambitions and work-life balance?
Goal
Learn how design thinking, user stories and other agile techniques can help you to create your own blueprint to more balance, visibility and success.
< Location >
TUtheSky (Campus Getreidemarkt)
This session is free for all women+ & women+ only.
Please note that this is a women-only event that intends an inclusive definition of women. We are welcoming and respectful of women, including AMAB transgender persons and those that are nonbinary, gender non-conforming, and any others who identify as a woman in a way that is significant to them.
In Cooperation with
Dates:
Thursday 08. September 2022
Friday 09. September 2022
Location:
Audimax
Date:
Thursday 08. September 2022
Speaker: Clint Gibler
Location:
Audimax
Over the past decade, how software is written has changed drastically, with widespread adoption of Agile, DevOps, and cloud providers, among other shifts.
These changes have required security teams to adapt. I believe we’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time.
One key shift is that modern application security teams are deemphasizing trying to Find All The Bugs, and instead are focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks can enable organizations to solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole.
This talk will explore the power of secure defaults and how to embrace them in your company. We’ll also discuss how this same approach and mindset can be used to raise code quality (e.g. performance, robustness, correctness) and code standards across your org, help onboard new developers more quickly, and more.
Lastly, as good working relationships are more important than ever, we’ll also cover how security teams can take a customer-centric approach to supporting their engineering colleagues, and how developers can effectively work with their colleagues in security.
Date:
Thursday 08. September 2022
Speaker: Philipp Reisinger
Location:
Audimax
Does software age like milk or wine? While the quality of good wine improves over time, milk turns sour. It has long been recognized that as it ages, most software resembles milk – its quality deteriorates as it becomes difficult to maintain and starts to rot.
In this talk we will discuss some software engineering best practices that enable the creation of software which is (more) sustainable and which supports necessary changes over its lifetime.
Date:
Thursday 08. September 2022
Speaker: Jelena Milosevic
Location:
AI-based systems are already widespread and highly influential in many aspects of our lives. Some of the domains already fully reshaped by AI are the automotive industry, retail, e-commerce, banking and financial services. In the last few years, we have also witnessed how AI has found many applications within the computer security domain: it is one of the driving technologies behind malware detection and classification and phishing detection, and it enables the use of biometrics for authentication purposes. Some of the main reasons we use AI in the security domain are its ability to analyze huge amounts of data and to automatically discover complex patterns which would otherwise go undetected.
While AI remains an excellent tool for coping with many security problems, with more widespread adoption of it, we should also be more aware of potential problems, intrinsic properties of AI systems, and in general good and bad practices when working with them.
In this talk, these common problems with machine learning for security will be shared, together with specifics of machine learning methods for security and recommendations on best practices.
Date:
Thursday 08. September 2022
Speaker: Joseph Katsioloudes
Location:
Audimax
Security as Code (SaC) is the methodology of codifying security tests, scans, and policies. Security is implemented directly into the CI/CD pipeline to automatically and continuously detect security vulnerabilities. Adopting SaC tightly couples application development with security and vulnerability management, while simultaneously enabling developers to focus on core features and functionality. More importantly, it improves the collaboration between Development and Security teams and helps nurture a culture of security across the organization. In this session, we will review lessons learned from DevOps to implement a successful DevSecOps culture, in particular how we can make developers contribute security checks with the SaC approach. We will introduce CodeQL, a language that allows us to implement security checks with code, and will demo how we can code queries for vulnerabilities and misconfigurations so they can be identified as soon as they hit your CI/CD pipeline.
Date:
Thursday 08. September 2022
Speaker: Tanya Janca
Location:
Audimax
With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. This leads us to several questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?
This session will teach you:
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What to delegate and what NOT to delegate
• What to communicate, how often and to whom
• How to motivate them
• How to build an AMAZING security champion program
Date:
Thursday 08. September 2022
Speaker: Sebastian Schrittwieser
Location:
Audimax
Date:
Thursday 08. September 2022
Location:
Breakout Session - Application Security
https://sec4dev.io/sessions/br...
Experts on stage: Philippe De Ryck (Web Security Expert, Founder of Pragmatic Web Security), Ulrich Bayer (Lead of the Software Security Group, SBA Research) and Barbara Schachner (Team Lead Security Architecture & Testing, Dynatrace)
Room: Audimax
Breakout Session - Security Testing & Automation
https://sec4dev.io/sessions/br...
Experts on stage: Joseph Katsioloudes (Developer Advocate, GitHub Security Lab), Martin Grottenthaler (Information Security Consultant at SBA Research) and Molka Elleuch (Cybersecurity Solutions Engineer, Synopsys)
Room: BA02B
Date:
Thursday 08. September 2022
Speaker: Philippe De Ryck
Location:
Audimax
If you’ve ever looked at OAuth 2.0, you may be less than excited to hear about yet another OAuth version. Fortunately, OAuth 2.1 is a logical progression from OAuth 2.0, which significantly reduces the complexity of the OAuth ecosystem.
In this session, you will learn about the differences between OAuth 2.0 and OAuth 2.1. We dive into concrete scenarios supported by OAuth 2.1 and how you can leverage them in your applications. By the end of this session, you will have a clear idea of what OAuth 2.1 entails and how to follow current best practices to build a secure application architecture.
Date:
Thursday 08. September 2022
Speaker: Conference Dinner
Location:
Buses will bring us directly from TU Wien to the traditional Austrian tavern Fuhrgassl-Huber.
In the spirit of sec4dev, we are inviting you to enjoy traditional Austrian food and sparkling wine at the typical Austrian tavern Fuhrgassl-Huber in the beautiful 19th district of Vienna, known for its vineyards.
Address: Neustift am Walde 68, A-1190 Wien
We are very happy and proud that this event is sponsored by the City of Vienna - Presidential Department and that a representative of the mayor will welcome you to our city at this event.
Date:
Friday 09. September 2022
Speaker: Lukas Weichselbaum
Location:
Audimax
Abstract:
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about – often the hard way! In addition, the lack of true web isolation has led to new problems like XS-Leaks and transient execution vulnerabilities such as Spectre and Meltdown, which broke the illusion that the web is immune to CPU-level bugs.
Luckily, new security mechanisms available in web browsers offer exciting features which allow developers to protect their applications. In this talk, I'll introduce these features and explain how to use them most effectively.
We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We’ll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, followed by Fetch Metadata request headers and CORP/COOP to protect from vulnerabilities like CSRF or Spectre that arise from insufficient isolation in the web platform.
Date:
Friday 09. September 2022
Speaker: Johannes Bär
Location:
Audimax
Have you ever wondered how your application's deployment in a Kubernetes cluster looks security-wise in contrast to a more traditional deployment? Are you worried about whether what you are running there is at least as secure as a "normal" deployment? If that speaks to you, or you are just interested in Kubernetes and its security aspects, you have come to the right place. This talk will feature the most important aspects of security in a Kubernetes-managed container environment. We will talk about the attack surface of containers managed by Kubernetes, the security features Kubernetes offers its users, and the secure configuration of the cluster periphery itself.
Date:
Friday 09. September 2022
Speaker: Michael Koppmann
Location:
Audimax
Types in programming languages protect us from making mistakes. How strict these type checks are, and how often they are performed, depends on the chosen language. One code smell you may have heard of is called “Primitive Obsession.” It occurs when you rely too much on built-in data types like integers and strings. Type systems have gained a lot of power over the last decades. Many programming languages allow us to embed business rules and security properties directly into types, which enables the compiler to statically enforce these rules. Preventing mistakes and vulnerabilities by design is our goal.
In this talk I will show you a couple of examples of how to encode business workflows and constraints into types. The examples will be in a variety of programming languages, demonstrating the wide applicability of this approach.
Date:
Friday 09. September 2022
Speaker: Rudolf Mayer, Tanja Šarčević
Location:
Audimax
Outsourcing and shifting complex Machine Learning (ML) models to cloud services has seen great growth over the past years, as the costs of producing, maintaining, and processing data can be decreased this way. However, training ML models usually requires vast amounts of data and computational resources. Because of this, ML models are considered valuable assets, and sharing them entails the risk of intellectual property theft.
Watermarking and fingerprinting are approaches for protecting ownership of various types of digital property, including those relevant in the ML process: various types of data and ML models. By embedding a mark into a digital object, these methods enable the owners to share these objects in their full form while enabling ownership claims and/or tracing of recipients. One of the most important requirements for such techniques is robustness, i.e. the marks should not be easily altered or removed by malicious attacks or by benign alteration of the digital object. Secondly, the perceptibility of the marks should be minimized to reduce the success of attacks and to maximize the utility of these digital objects.
In this talk you will learn about state-of-the-art methods for watermarking and fingerprinting ML models, their vulnerabilities, and the challenges in protecting ownership of digital content in the ML process.
Date:
Friday 09. September 2022
Speaker: Robbe Van Roey
Location:
Audimax
The Content Security Policy (CSP), the one-size-fits-all protection against XSS? No! Let’s bypass that CSP in all kinds of ways. The only limit is your creativity!
Date:
Friday 09. September 2022
Speaker: Thomas Kerbl
Location:
Audimax
The OWASP Application Security Verification Standard is understood by many as a simple test catalog for penetration testing and code reviews. However, I would like to showcase how to fully integrate this security treasure chest in your secure software development lifecycle.
Here’s what’s on the menu:
* An introduction to ASVS for those who have never seen it before
* How to fully integrate the ASVS in key activities of your secure software development process
* Preparation and procedure for certification according to the ASVS
* A speculative outlook into the future of the ASVS
Breakout Session - Cloud & Container Security
https://sec4dev.io/sessions/br...
Experts on stage: Johannes Bär (Security Analyst / Penetration Tester, Condignum GmbH), Martin Gegenleitner (Presales Consultant, Thales) and Bernhard Waldecker (Senior Systems Engineer, NTS).
Room: Audimax
Breakout Session - Secure SDLC
https://sec4dev.io/sessions/br...
Experts on stage: Thomas Kerbl (Team Lead / Principal Security Consultant, SEC Consult), Thomas Konrad (Software Security Architect, Dynatrace) and Patrick Münch (CISO, Mondoo).
Room: BA02B (2nd Floor)
Date:
Friday 09. September 2022
Speaker: Susan McGregor
Location:
Audimax
Part of the reason security matters is that it's often impossible to regain control of information that is exposed through a security breach. At the same time, we know that no security is perfect and that to some degree, breaches and/or data loss are inevitable.
Drawing on concepts from disaster recovery and harm reduction, this talk will explore the practical implications of considering the aftermath of a security incident during the software development process. From technical approaches like encryption and authentication to more design and policy-oriented strategies like data minimization, the goal of this talk is to empower developers to have meaningful conversations with stakeholders about what it means to take a fully-scoped approach to security for real-world applications.