sec4dev Special Meetup / February 24, 2022


Agenda

  • 13:30 - 13:45: Welcome
  • 13:45 - 14:30: Security Challenges of Breaking A Monolith (Reinhard Kugler)
  • 14:30 - 15:15: Securing Frontend Applications with Trusted Types (Philippe De Ryck)
  • 15:15 - 15:30: Break
  • 15:30 - 16:15: Enhancing Workload Security in Kubernetes (Dimitrij Klesev, Andreas Zeissner)
  • 16:15 - 17:00: Building Security Champions (Tanya Janca)
  • 17:00 - 17:45: Panel Discussion - Climate vs. Weather: How Do We Sustainably Make Software More Secure?
  • 17:45 - 18:30: Raffle - Giveaways, sec4dev 2022 Teaser, Beer & Chat

Security Challenges of Breaking A Monolith
Reinhard Kugler, Principal Information Security Consultant, SBA Research

We try to break an existing application into microservices, but encounter one security problem after another. It seems that we do not only scale the application, we also scale the vulnerabilities with it:

  • We publish an interface – how do we ensure authentication?
  • We distribute the application to several nodes – how can they communicate securely?
  • We use different technologies on frontend and backend – are the components vulnerable?

What are the issues as we go further and do our solution patterns work? In this talk we go through the different steps, identify the weak spots and discuss solutions.


Securing Frontend Applications with Trusted Types
Philippe De Ryck, Web Security Expert, Founder of Pragmatic Web Security

Cross-Site Scripting is game over! We've been hearing this for a while now. Unfortunately, it is still more than relevant in the world of JS-based frontends. While frameworks offer built-in protections, much is still left to developers, aptly illustrated by numerous XSS vulnerabilities discovered in frontend apps.

No more. In this session, we look at Trusted Types, a platform-based defense that will eradicate XSS vulnerabilities in frontends. We investigate how Trusted Types can stop typical XSS attacks. Additionally, we explore how to configure Trusted Types for your entire application. You will walk away with a solid knowledge of Trusted Types and actionable advice to get started with Trusted Types.

Enhancing Workload Security in Kubernetes
Dimitrij Klesev, DevOps & Cloud Engineer at WhizUs
Andreas Zeissner, DevOps Engineer at WhizUs

Running a single Kubernetes cluster is easy; running clusters at scale brings different requirements. At WhizUs, Dimi's and Andi's day-to-day work is to bring customers' workloads securely and quickly to their audiences. One part of this work is to create environments that not only scale, but are also safe to expose and to use.

A proper security setup consists of multiple layers, each of which can be hardened in different ways in a Kubernetes environment. One tool for hardening a Kubernetes cluster is the Security Profiles Operator (https://github.com/kubernetes-sigs/security-profiles-operator). This operator leverages the Kubernetes securityContext and helps you manage and apply security profiles for SELinux, seccomp and AppArmor across your clusters' workloads. The Security Profiles Operator was developed with simple usage in mind, to increase user adoption of security configurations in Kubernetes clusters. Dimi and Andi will give you a deep dive into the Kubernetes securityContext and show you how to roll out cluster-wide security configurations.


Building Security Champions
Tanya Janca, Founder of We Hack Purple and author of "Alice and Bob Learn Application Security"

With security teams being vastly outnumbered, many organizations have responded to this challenge with different program scaling methods, including building security champions programs. This leads to several questions: How does a security champions program work? How do you select your champions? And once you have them, what do you DO with them?

Climate vs. Weather: How Do We Sustainably Make Software More Secure?
Panel Discussion

Panelists: Erik Auer (WhizUs), Evelyn Haslinger (Symflower), Magno Logan (Trend Micro), Pascal Schulz (Intigriti), Philippe De Ryck (Pragmatic Web Security), Tanya Janca (We Hack Purple), Thomas Konrad (SBA Research)

How do we build secure software? What does "secure" even mean? How much is enough? How can security keep pace with agile development models and ever-changing requirements? How do we deal with the shortage of specialized staff? Does every developer need security skills? Shall we trade initial velocity in software engineering for sustained velocity? When should we throw software away?

There are far more questions than answers on how to ensure a solid and sustainable security level in software today. In this panel discussion, we try to shed some light on what we can do, apart from coding, to justify trust in the security of the software we're building.


This event was powered by WhizUs and WeAreDevelopers.