In this workshop we will build an application security program / secure software development life cycle (SSDLC) from scratch, or add onto the one you already have. The workshop consists of lecture, discussion, and written assignments, and you will walk away with an extensive plan for your security program. Topics covered: the full range of application security activities and tools; policies, standards and guidelines (with several samples to get you started); how to scale your security program and team; developer advocacy and education; and which metrics to gather and how. Time permitting, we will also cover incident response and prevention.
With security teams vastly outnumbered by developers, many organizations have responded with different program scaling methods, including security champions programs. This raises some questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?
This session will teach you:
• How to attract the right people to your program
• What and how to train them
• How to engage them, and turn them into security advocates
• What to delegate and what NOT to delegate
• What to communicate, how often, and to whom
• How to motivate them
• How to build an AMAZING security champion program
Speaker: Philippe De Ryck
Securing modern web applications is hard, really hard. Not only do you have to make the right architectural security decisions, but you also have to be aware of various implementation vulnerabilities in both frontend apps and APIs. Common failures result in data extraction or complete system compromise.
In this training, we take a look at cutting-edge security techniques you can use to boost the security of your applications. We explore common vulnerabilities in modern applications and their recommended defenses. Additionally, we dive into coding guidelines and defense-in-depth strategies that allow you to increase the security of your applications.
Concretely, we will cover the following topics in this hands-on training:
Who should attend?
This security training specifically targets developers and architects building modern web frontends / APIs. Anyone involved in building, testing, and designing modern applications should be here. This training course gives you an up-to-date and in-depth look at current security best practices. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.
To participate in this training, you should have development experience with web applications and APIs. Familiarity with the basics of security is helpful but not required. The training will include Angular / React / NodeJS / Java Spring examples but is just as relevant for other frameworks and technologies.
To participate in the lab sessions, participants need a computer with a full-featured modern browser installed (E.g., Chrome, Firefox).
Car hacking is very much a thing: from taking full control of a car while sitting on your couch, to understanding how cars have become mobile data collection devices with a fast engine. This talk will shed some light on what exactly is possible from a hacking perspective, and also give you ideas on what you can do with your own car from a tinkering and exploratory perspective.
Over the past decade, how software is written has changed drastically, with widespread adoption of Agile, DevOps, and cloud providers, among other shifts.
These changes have required security teams to adapt. I believe we’re in the middle of a significant shift in how security teams operate and prioritize their limited budget and person-time.
One key shift is that modern application security teams are deemphasizing trying to Find All The Bugs, and instead are focusing on providing developers with frameworks and services with secure defaults (“guard rails”) so that developers can build features quickly and securely. When done correctly, combining secure defaults and lightweight checks can enable organizations to solve *classes* of vulnerabilities by construction, preventing bug whack-a-mole.
This talk will explore the power of secure defaults and how to embrace them in your company. We’ll also discuss how this same approach and mindset can be used to raise code quality (e.g. performance, robustness, correctness) and code standards across your org, help onboard new developers more quickly, and more.
Lastly, as good working relationships are more important than ever, we’ll also cover how security teams can take a customer-centric approach to supporting their engineering colleagues, and how developers can effectively work with their colleagues in security.
Speaker: Lukas Weichselbaum
Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user: XSS, CSRF, clickjacking and related issues are common problems that most developers learn about, often the hard way! In addition, the lack of true web isolation has led to new problems like XS-Leaks and transient execution vulnerabilities such as Spectre and Meltdown, which broke the illusion that the web is immune to CPU-level bugs.
Luckily, new security mechanisms available in web browsers offer exciting features which allow developers to protect their applications. In this talk, I'll introduce these features and explain how to use them most effectively.
We’ll start by reviewing major threats based on an analysis of thousands of vulnerability reports Google receives each year under our Vulnerability Reward Program. We will find common themes between bugs which appear unrelated and focus our attention on the most frequent high-risk problems.
We’ll then turn our attention to protective mechanisms implemented in modern browsers, which address entire classes of security problems. This includes CSP3 and Trusted Types to prevent XSS, followed by Fetch Metadata request headers, which let a server reject cross-site requests it never intended to serve (the root of CSRF and many XS-Leaks), and CORP/COOP, which isolate a page from cross-origin content so that Spectre-style reads cannot reach its data.
Speaker: Magno Logan
The term Software Composition Analysis (SCA) is relatively new to the security world. However, similar approaches have been used since the early 2000s to describe security verification of open source components, and SCA is an evolution of them. It is the process of identifying and listing all the components and versions present in a codebase, then checking each one against known vulnerability data to find outdated or vulnerable libraries that pose a risk to the application. These tools can also flag legal issues arising from open-source components with differing licensing terms and conditions. But how do SCA tools actually work, and how can they help identify and remediate the open source libraries used in a codebase? This talk explains how these tools work and the main pieces of information they rely on: the application manifest, vulnerability data sources, and dependency metadata.
Speaker: Thomas Konrad
Did you ever wonder what it takes to ensure holistic and manageable software security? Would you like to be compliant with laws and regulations that demand action in that area, perhaps passed on to you by your customers? Or do you simply want to drive software quality through security and make it visible? Then this fundamental training is for you. In this training, you will be guided through the world of secure software development from different perspectives, ranging from governance topics to technological aspects like design, coding, testing, and operations. The training outline is based on OWASP SAMM, an open-source assurance maturity model for software security. Use this training to kick-start your secure development lifecycle, to reach the next level of software security, and to demonstrate the effort to your stakeholders.
The following topics are covered:
We approach each domain (governance, design, implementation, verification, operations) in the following way:
Ideally, you have some experience in software development or in managing a software development team. But even if you are just getting started with it, there will be insights for you to take away and to apply in your future work.