09:00 - 09:15
09:15 - 10:00 - Check out the streaming feed!
In this talk, attendees will get an overview of Pieter de Cremer’s paved path methodology, wherein Pieter has built a vision to make software security a shared responsibility between the security team and developers.
What does this methodology look like in practice? The security team would not force security testing on developers, but instead gradually build a paved path for developers to follow. The practices discussed in this talk make it easier for developers to produce secure code and fix existing vulnerabilities in a scalable way, without harming their productivity.
To support the paved path methodology, better education and tools should be provided that are more human-centered and keep the developer experience in mind. Pieter will teach attendees how to select more role-specific and user-friendly training and tools for developers, backed by his extensive research and subsequent findings.
Don’t miss this session if you’d like to know more about:
• Why the current approach to software security is not working to reduce vulnerabilities
• Why developers should be considered early and often in the SDLC
• How a paved security path for developers can create a higher standard of secure code, without compromising speed of delivery
• A developer-led approach to selecting and implementing the security tech stack.
Pieter De Cremer, a long-time security enthusiast, joined Secure Code Warrior as part of an internship in 2015. Over the next two years, he wrote more than 100 rules for Sensei, their flagship IDE security plugin, and was closely involved in the early designs of this tool.
After graduating with a Master in Computer Science Engineering at UGent in 2017, he decided to pursue a Ph.D. Backed by a personal Baekeland mandaat from VLAIO he started his research at SCW and UGent, with the aim of contributing to a new era of software security, one that considered developers from the beginning.
Over the next four years, he built his vision of collaboration between developers and the security team. He designed, implemented, and evaluated innovative improvements for both the training and tools provided by SCW. During this time, he published three papers and built a portfolio of three patents related to his work.
In his spare time, Pieter enjoys hitting the security conference circuit to engage with other enthusiasts around the world, his afternoon coffee ritual, and an Apex Legends battle or two.
10:00 - 10:45
Security is about resilience. Reacting to what happens is always needed in order to recover. Reacting to what you do not know, the famous unknown unknowns, is the holy grail we call antifragile.
Edzo will provide a summary of the current body of knowledge, which has both a practical and a theoretical basis. This summary has been validated in the domain of organisation design by 30 experts. His summary, the EAAL model, appears to be applicable beyond organisation design as well.
To keep it concrete, we will discuss and see how to apply the EAAL model to achieving secure public cloud usage.
The ecosystem of people researching and practising antifragility and resilience is growing, due to the effects of the corona pandemic and also because universities are adopting this topic. In the next few years we are going to see much more on the topic of resilience and its impact on business, IT and security, since resilience is what security is all about.
Edzo Botjes is Antifragility Architect at Xebia and in IT since 1991.
He published his Master Thesis titled "Defining Antifragility and the Application on Organisation Design" in 2020 as open access under CC BY-SA 4.0 at the Antwerp Management School, and as an IEEE published paper.
Edzo will be researching the intersection between information security, organisational learning and resilience in the coming years in a PhD track at the Open University. His mission is to keep on sharing the lessons learned from applying research.
11:00 - 11:45
Race conditions are neither an issue of the past nor a scenario that people find themselves in only when they decide to build a multithreaded architecture. In our day-to-day programming sessions, we probably deal with multithreading more than one may think. What about that simple Controller you wrote with just a few lines of code? Could it be leaking customer data?
MVC controller methods are, by default, executed in a multithreaded environment where it is crucial to understand when a variable will be accessed and how to synchronize access to shared resources. Failing to do so can have an impact on the security of your application and lead to issues that are difficult to reproduce.
Here we will demonstrate a race condition on an MVC controller and a J2EE servlet as an introduction to a live coding session; we will discuss strategies that can be applied to mitigate the issue and conclude with a summary of how these methods can have an impact on the application’s performance, and some other possible alternatives.
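As an added illustration of the controller race condition this abstract describes (example code written for this page, not material from the talk): one shared controller instance, as with a servlet or Spring MVC controller, serves concurrent requests, and the leaky variant keeps per-request data in an instance field while the hardened one keeps it in a local. The `Handler` interface and the class names are hypothetical stand-ins, not the Servlet or Spring API.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.LockSupport;

public class ControllerRaceDemo {
    // Hypothetical request-handling interface (not the Servlet or Spring API). As with a
    // servlet or Spring MVC controller, one instance serves every request thread.
    interface Handler { String handle(String customerId); }
    // Vulnerable: the request's customer id is kept in an instance field shared by all threads.
    static class LeakyController implements Handler {
        private String customerId;                 // shared mutable state
        public String handle(String requestCustomerId) {
            customerId = requestCustomerId;        // write the shared field
            LockSupport.parkNanos(200_000);        // simulated DB call; another thread may overwrite the field
            return "Report for " + customerId;     // may now read another customer's id
        }
    }
    // Hardened: per-request data lives in a local variable, confined to the handling thread.
    static class SafeController implements Handler {
        public String handle(String requestCustomerId) {
            String customerId = requestCustomerId; // thread-confined
            LockSupport.parkNanos(200_000);
            return "Report for " + customerId;
        }
    }
    // Fires concurrent requests at one controller instance and counts responses that carry
    // a different customer's id than the one requested, i.e. cross-customer data leaks.
    static int countLeaks(Handler controller, int requests) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(16);
        CountDownLatch done = new CountDownLatch(requests);
        AtomicInteger leaks = new AtomicInteger();
        for (int i = 0; i < requests; i++) {
            final String id = "cust-" + i;
            pool.execute(() -> {
                if (!controller.handle(id).equals("Report for " + id)) leaks.incrementAndGet();
                done.countDown();
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }
    public static void main(String[] args) throws InterruptedException {
        // The leaky count varies from run to run; the safe count is always zero.
        System.out.println("leaky: " + countLeaks(new LeakyController(), 2000) + " cross-customer responses");
        System.out.println("safe:  " + countLeaks(new SafeController(), 2000) + " cross-customer responses");
    }
}
```

Run it with `java ControllerRaceDemo.java` (JDK 11 or later); the same leak appears with a real servlet or controller whenever request data is parked in a field of the shared instance.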
Giuseppe has always been fascinated by many aspects of Information Security and chose to focus on software security when he joined Veracode in 2014. He has spent his time building stuff, helping developers with the identification of compensating controls and providing support for threat analysis and modelling, as well as breaking stuff performing penetration tests and playing with reverse engineering. He currently lives in London but he is a proud Sicilian, born on a sunny slope of Mount Etna.
11:45 - 12:30
During our work as penetration testers we found that there are a lot of vulnerabilities being introduced in applications that could have been prevented in an early stage of development.
The latest trend is integrating security tooling into CI/CD pipelines. However, tooling integrated into your security pipelines will not cover the whole attack surface, because tooling can never understand the full context of an application's functions and logic. On the other hand, resources in the form of manual verification are often scarce and expensive.
Where do we find the right balance between security test automation and manual verification? Even more importantly, how do we train the developers to understand the metrics and make security part of their process and culture? This could be achieved by setting up an (S)SDLC, but what does a good (S)SDLC consist of?
This talk will guide everybody willing to take the maturity of their security in software development to a higher level.
As a coder, hacker, speaker, trainer and security chapter leader employed at ING Belgium, Glenn has over 15 years' experience in the field of security.
He is one of the founders of defensive development security trainings dedicated to helping you build and maintain secure software, and he speaks at multiple other security conferences around the world.
Not only does Glenn train developers, he and his brother Riccardo also donated an entire knowledge framework solely dedicated to helping developers make their code secure by design.
See: SKF (Security Knowledge Framework) https://www.securityknowledgeframework.org
13:30 - 14:15
We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day.
Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels.
Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.
Dr. Christian Folini is a Swiss security engineer and open source enthusiast. He brings 15 years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling. Christian Folini is the author of the 2nd edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the “Swiss Cyber Storm” conference.
14:15 - 15:00
The OWASP Integration Standards project recently released openCRE.org: the content linking platform to unite all security standards. It now connects software security topics for Top 10, ASVS, Pro-active controls, Testing guide, Cheat sheets, CWE, NIST 53 and 63b. Key features of CRE are: interactive browsing of topics, text search and automatic maintenance of the links.
This session shows you how you can benefit from the Common Requirement Enumeration by finding relevant information on subjects quickly: how to build security in, how to test it, how to understand it, how to procure it. And if you are involved in a standard or guideline yourself (e.g. an OWASP project): how you can use CRE to make your work easy to find and to link it to the wealth of available information out there, without dead links. Standard makers unite!
Rob van der Veer has a 30-year background in building secure software and running software businesses. Cyber security and privacy have been constant themes in his career, from hacking into the British RAF in 1986, to building AI solutions for national security. At the Software Improvement Group, Rob established and leads the security & privacy practice. He is also involved in several standardisation initiatives (e.g. OWASP SAMM, ENISA, IEEE, ISO/IEC, CIP), and co-leads the OWASP integration project, with openCRE.org as its key result.
15:15 - 16:00
The OWASP Internet of Things Security Verification Standard (ISVS) is a community effort to establish an open standard of security requirements for Internet of Things (IoT) applications. The requirements provided by the ISVS can be used in many stages during the product development life cycle, including design, development, and testing of IoT applications. After months of gathering feedback and refining the first pre-release candidate, the ISVS is now close to the release of version 1.0.
In this talk, we’ll take a tour of the ISVS. We’ll start with the motivation for its creation, and then look at its structure and the rationale behind it. Then, we’ll dive deeper into its chapters and sections, and discuss how they can be used in real-life scenarios to guide IoT developers, integrators, and security testers. Finally, we’ll consider the ISVS’s future: the next big milestones, its potential impact on the industry, and how to contribute to that impact.
Théo Rigas is a cyber security expert at NVISO, where he helps customers secure their products’ ecosystems on a daily basis. He has performed numerous IoT and embedded security assessments in many sectors, on devices including industrial routers, ISP equipment, medical connected devices, and physical security products. Théo also supports NVISO R&D by doing research in IoT testing methodology and tools. As part of his research activities, he contributes regularly to the OWASP ISVS.
16:00 - 16:45
Cross-Site Scripting is game over! We've been hearing this for a while now. Unfortunately, it is still more than relevant in the world of React-based frontends. While React helps a bit, it still leaves too much to developers, aptly illustrated by numerous XSS vulnerabilities discovered in React apps. No more. In this session, we look at Trusted Types, a platform-based defense that will eradicate XSS vulnerabilities in frontends. We investigate how Trusted Types can stop typical React XSS attacks. Additionally, we explore how to configure Trusted Types for your entire application. You will walk away with a solid knowledge of Trusted Types and actionable advice to get started with Trusted Types.
Philippe De Ryck helps developers protect companies through better web security. His Ph.D. in web security from KU Leuven lies at the basis of his exceptional knowledge of the security landscape. As the founder of Pragmatic Web Security, Philippe delivers security training and security consulting to companies worldwide. His online course platform allows anyone to learn complex security topics at their own pace. Philippe is a Google Developer Expert and an Auth0 Ambassador for his community contributions on the security of web applications and APIs.
16:45 - 17:00