Important notice about SecAppDev 2020

Due to the current situation with COVID-19 (Corona), with deep regret, we feel bound to postpone SecAppDev 2020 indefinitely. While there have been no official instructions to postpone events such as ours or reduce travel, both attendees and speakers have informed us that they are unable to attend SecAppDev.

We hope everyone in SecAppDev stays healthy, and wish everyone the best for the coming months.

Lecture sessions at SecAppDev 2020

SecAppDev 2020 offers 38 in-depth lectures, organized in a dual-track program.

SecAppDev lectures are 90 minutes each, allowing our expert faculty members to take a deep-dive into their topics. Throughout the lectures and the course, there is ample time to ask questions or discuss scenarios with our faculty members.

In addition to the lecture sessions, SecAppDev offers three one-day workshops.

The list below gives a detailed overview of the lectures at SecAppDev 2020. The full schedule provides an overview of all sessions and workshops for the entire week.

The GDPR and doing really cool stuff with personal data!

Lecture by Bavo Van den Heuvel

The impression that the GDPR prevents innovative uses of personal data is mistaken. In this session, we explore GDPR compliance for interesting use cases, such as biometrics, tracking, intelligent cameras, IoT at home, and sensors for behavioral evaluation.

Key takeaway: You will learn about the GDPR boundaries and be triggered to start thinking about new privacy compliant uses of personal data.

Track: Privacy, safety & ethics. Monday March 9, 09:15 - 10:30

How Rust helps us make safer and more secure code

Lecture by Jake Goulding

Rust promises to help us write better, safer code, but how exactly does it do so? Marketing can only convince us of so much. Join us to learn about the details for yourself.

Key takeaway: Programming in languages like C or C++ is fraught with peril, but we are no longer restricted by a handful of weak choices; we have better options.

Track: Low-level security. Tuesday March 10, 14:00 - 15:30

Rust - A Language for the Next 40 Years

Lecture by Carol Nichols

This session provides a high-level overview of the safety and stability of the Rust programming language in its historical context.

Key takeaway: Rust is a language attempting to solve several common software mistakes that often lead to security problems.

Track: Low-level security. Friday March 13, 11:00 - 12:30

Securing web apps with modern platform features

Lecture by Lukas Weichselbaum

Web applications have historically been plagued by vulnerabilities which allow attackers to compromise the session of a logged-in user. Luckily, new security mechanisms in web browsers offer ways for developers to protect their applications.

Key takeaway: Understand how to defend your web applications with new web platform features.

Track: Web security. Thursday March 12, 09:00 - 10:30

The ultimate guide to Content Security Policy

Lecture by Lukas Weichselbaum

Even with hardened frameworks and thorough security reviews, there's no guarantee that an application is free of XSS. In this session, I'll present different flavors of CSP, which can serve as a robust defense-in-depth mechanism against XSS.

Key takeaway: Understand how to use CSP as a robust defense-in-depth mechanism against XSS.

Track: Web security. Wednesday March 11, 14:00 - 15:30

OAuth 2.0 Security Reinforced

Lecture by Dr. Torsten Lodderstedt

OAuth 2.0 has become the standard for API authorization. Practical experience and security research have shown a need for updated security guidelines that will be presented in this session.

Key takeaway: Understand the do's and don'ts of OAuth 2.0.

Track: Identity and access management. Wednesday March 11, 16:00 - 17:30

Advanced OAuth for security-sensitive applications

Lecture by Dr. Torsten Lodderstedt

OAuth has become the standard for API authorization because of its simplicity and versatility. This talk will present battle-proven patterns and OAuth extensions that should be used when building security-sensitive applications.

Key takeaway: Understand the patterns and extensions required to build security-sensitive applications with OAuth.

Track: Identity and access management. Thursday March 12, 14:00 - 15:30

A practical introduction to OIDC (and OAuth 2.0)

Lecture by Dominick Baier

OIDC and OAuth 2.0 have become the de facto standard to implement authentication and authorization in modern applications. This session introduces their features, such as authentication, sessions, and protocol flows.

Key takeaway: The purpose and role of OIDC and OAuth 2.0 in securing modern applications.

Track: Identity and access management. Wednesday March 11, 11:00 - 12:30

OIDC and OAuth 2.0 – Tips from the trenches

Lecture by Dominick Baier

Building an API-based system with OIDC and OAuth 2.0 raises quite a few questions. In this session, we answer these questions using common patterns and anti-patterns derived from real-world scenarios.

Key takeaway: Advice on designing token-based authentication and authorization using OIDC and OAuth 2.0.

Track: Identity and access management. Thursday March 12, 11:00 - 12:30

Trusted Execution and how far you can trust it

Lecture by Jan Tobias Muehlberg

Modern processors provide Trusted Execution Environments that allow you to protect software components even from an untrusted operating system. Learn when and how to use them!

Key takeaway: Learn how and when to rely on technologies such as Intel SGX, and understand what security guarantees these technologies can provide.

Track: Low-level security. Wednesday March 11, 09:00 - 10:30

Automated software testing and verification

Lecture by Jan Tobias Muehlberg

Discover a technology stack that allows us to construct distributed software systems with well-defined security guarantees. We will address testing, formal verification, and runtime isolation.

Key takeaway: Understand the interplay of testing, verification, and runtime support to secure software systems.

Track: Security activities. Thursday March 12, 16:00 - 17:30

Intro to trust & safety - Identifying abuse vectors

Lecture by Lexi Galantino

Trust & safety is all about how bad actors can exploit application design vulnerabilities to abuse other users. Here, you’ll learn how to identify these vulnerabilities so that you can prevent or close them in your applications.

Key takeaway: Attendees will learn how to identify trust & safety application vulnerabilities so that they can prevent or close them in their applications.

Track: Privacy, safety & ethics. Tuesday March 10, 14:00 - 15:30

Trust & safety II - Best practices & current topics

Lecture by Lexi Galantino

Following “Intro to trust & safety”, this session will concern more advanced trust & safety design problems. We’ll also look at the current edge of research and recent product experiments and discuss their implications.

Key takeaway: Trust & safety is an evolving field with active research. Attendees will get a tour of the current state and consider some advanced user stories.

Track: Privacy, safety & ethics. Thursday March 12, 09:00 - 10:30

Trust Management in SCONE

Lecture by Christof Fetzer

This session presents SCONE, a platform that uses Trusted Execution Environments (TEEs) to enable the delegation of operations to an untrusted provider while guaranteeing data confidentiality.

Key takeaway: Learn how to leverage Trusted Execution Environments (TEEs) to ensure data confidentiality in untrusted cloud environments.

Track: DevOps Security. Friday March 13, 14:00 - 15:30

Cryptographic algorithms

Lecture by Bart Preneel

In this session, you will learn about various cryptographic building blocks and their security properties. With that knowledge, you can select the right algorithm for the challenge you are facing.

Key takeaway: Understanding different types of cryptographic algorithms, and the security properties they provide.

Track: Crypto. Monday March 9, 11:00 - 12:30

Public Key Infrastructure (PKI) fundamentals

Lecture by Bart Preneel

PKIs ensure the secure delivery and management of public keys. One example is the ecosystem supporting HTTPS, but PKIs are also used in payment systems (EMV) or intranets. This session covers how to manage keys, certificates, and revocation.

Key takeaway: Learn what you need to set up and maintain a PKI solution in your organization.

Track: Crypto. Tuesday March 10, 09:00 - 10:30

Cryptography best practices

Lecture by Bart Preneel

Cryptography is often used in an incorrect or insecure fashion. This session outlines the current best practices, including an extensive list of recommended protocols and algorithms.

Key takeaway: Learn how to make informed and secure choices about cryptographic protocols.

Track: Crypto. Wednesday March 11, 11:00 - 12:30

Quantum computers, quantum crypto, and postquantum crypto

Lecture by Bart Preneel

Quantum computers are in their infancy, but they are expected to have a major impact on computing. This session will focus on the impact of quantum technologies on cryptography and secure communications.

Key takeaway: How to prepare for the migration towards post-quantum cryptography.

Track: Crypto. Wednesday March 11, 14:00 - 15:30

The never-ending crypto wars

Lecture by Bart Preneel

Law enforcement agencies complain that encryption impedes their work, hence they keep asking for bans, backdoors or access to keys. Many others argue that weakening encryption would undermine legitimate security interests of citizens and society. Is there a right decision and will this debate ever end?

Key takeaway: The crypto war is ongoing, but the focus on encryption may well be a diversion tactic.

Track: Crypto. Monday March 9, 14:00 - 15:30

The security model of the web

Lecture by Philippe De Ryck

The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.

Key takeaway: How to leverage the web's security model to build more secure applications.

Track: Web security. Monday March 9, 16:00 - 17:30

Making smart choices from the authentication cookbook

Lecture by Philippe De Ryck

Modern applications need to authenticate users and services in various scenarios. This session focuses on helping architects and developers understand the different authentication mechanisms and their purpose.

Key takeaway: The ability to select the proper authentication mechanisms for modern applications.

Track: Identity and access management. Tuesday March 10, 11:00 - 12:30

A practical view of security toolchains in DevSecOps

Lecture by Abhay Bhargav

You wanted to know about DevSecOps pipelines but didn't know whom to ask? This anecdotal, demo-filled talk delves into DevSecOps with strategies for tool orchestration, vulnerability management and more. Best of all, you can do all this for $0.

Key takeaway: Different DevSecOps pipelines beyond the typical Jenkins variants, DAST tool integration and security regression testing, and vulnerability management.

Track: DevOps Security. Wednesday March 11, 16:00 - 17:30

Story-driven threat modeling for the Agile-DevOps age

Lecture by Abhay Bhargav

Is your threat modeling outmoded, outdated and out of touch with your rapid-release app? Learn how you can change that with "story-driven threat models", where threat modeling happens within your Agile sprint and iterative SDLC.

Key takeaway: Practical story-driven threat modeling, starting from user stories instead of systems, is better suited to an automated DevOps world.

Track: Security activities. Thursday March 12, 14:00 - 15:30

The hitchhikers guide to secrets for cloud environments

Lecture by Abhay Bhargav

From API keys to encryption keys, the number of secrets an average app requires is increasing. The talk will focus on secrets management for Kubernetes, AWS and Azure environments, with some gotchas and implementation nuances.

Key takeaway: How to handle encryption and secrets in Kubernetes environments, on Azure and on AWS.

Track: DevOps Security. Friday March 13, 11:00 - 12:30

GDPR and research, how to comply?

Lecture by Griet Verhenneman

In a risk-based approach, health-related data should get your attention.

Key takeaway: Transparency and pseudonymisation are of utmost importance when (re)using personal health-related data.

Track: Privacy, safety & ethics. Friday March 13, 09:00 - 10:30

Blueprint for secure JavaScript development

Lecture by Marcin Hoppe

The Web runs on JavaScript. This session introduces patterns, tools, and processes for building secure applications in this important but often misunderstood and abused programming language.

Key takeaway: The right approach to JavaScript application development helps prevent vulnerabilities, both in the browser and on the backend.

Track: Web security. Thursday March 12, 11:00 - 12:30

Lessons from the Node.js ecosystem bug bounty

Lecture by Marcin Hoppe

The Node.js ecosystem bug bounty program allows us to dive deep into the most prevalent JavaScript vulnerabilities, take a look at the state of open source security research, and learn about responsible disclosure at scale.

Key takeaway: Several case studies of vulnerabilities in popular JavaScript libraries, from discovery, through handling, remediation, all the way to disclosure.

Track: DevOps Security. Friday March 13, 14:00 - 15:30

Application security seen from an enterprise level

Lecture by Stefaan Van Daele

Developing secure code is a good start, but what more could you do to improve your security posture? This session puts secure application development in the context of an Enterprise Security Architecture model and shows how the two relate to each other.

Key takeaway: A secure application contributes more to overall security when it takes into account the context and security requirements at the enterprise level.

Track: Security activities. Thursday March 12, 16:00 - 17:30

Security of embedded devices - an introduction

Lecture by Lennert Wouters

This session introduces the main components of the embedded device ecosystem and some of the common security pitfalls. We do this by looking at real-world examples and by demonstrating easy-to-use techniques.

Key takeaway: Gain a basic understanding of the inner workings of an embedded device and how to assess its security.

Track: Low-level security. Friday March 13, 09:00 - 10:30

Introduction to low-level software security

Lecture by Frank Piessens

Learn about memory management vulnerabilities, the attack techniques to exploit them, and the countermeasures that can be taken to defend against them.

Key takeaway: The security risks of programming in languages like C/C++ and how to deal with these risks.

Track: Low-level security. Tuesday March 10, 11:00 - 12:30

From the OWASP Top Ten(s) to the OWASP ASVS

Lecture by Jim Manico

This talk will describe the importance of the OWASP Application Security Verification Standard and how to use it effectively in your organization or project for secure development.

Key takeaway: The participant will take away a usable strategy for applying the Application Security Verification Standard to their organization's secure development of web and API applications.

Track: Security activities. Monday March 9, 14:00 - 15:30

Modern access control policy enforcement

Lecture by Jim Manico

This talk will discuss security principles that will help developers build modern access control solutions that are flexible enough to satisfy almost any complex access control security requirement.

Key takeaway: It's well past time to migrate access control policy enforcement points in your code from roles to capabilities.

Track: Identity and access management. Wednesday March 11, 09:00 - 10:30

Persona-based security and threat-modeling

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security, leading to persona-based threat modeling. If time permits, a small exercise will be held to build a persona-based organizational threat model.

Key takeaway: What "personas" mean, how to work with them in a security context, and how to apply them, for example in threat modeling.

Track: Security activities. Tuesday March 10, 16:00 - 17:30

Privacy threat modeling using LINDDUN

Lecture by Kim Wuyts

Privacy by design is important. Learn about privacy threats and how to systematically identify them in software architectures.

Key takeaway: Key privacy issues and how to systematically identify them in a software architecture.

Track: Privacy, safety & ethics. Monday March 9, 11:00 - 12:30

Paradigms of privacy research and privacy engineering

Lecture by Seda Gürses

Privacy and data protection are not the same thing. How do they differ and what does it mean in terms of technical designs? This talk will present a broad overview of theories of privacy and their translation into privacy designs and engineering practice.

Key takeaway: Privacy is more than data protection and requires thoughtful design in software systems.

Track: Privacy, safety & ethics. Tuesday March 10, 09:00 - 10:30

Protective optimization technologies

Lecture by Seda Gürses

Businesses nowadays can design systems for "ideal" interactions and environments by optimizing systems using machine learning and AI. However, these strategies have costs and associated risks. We will talk about these risks and costs, and introduce Protective Optimization Technologies as a way to flag or mitigate them.

Key takeaway: Machine learning and AI have significant business advantages, but come with harms and risks that require thinking beyond privacy and security.

Track: Privacy, safety & ethics. Tuesday March 10, 16:00 - 17:30

Coping with data protection in legacy systems

Lecture by Bavo Van den Heuvel

Legacy systems are here to stay... but so is the GDPR. How can we cope with the inherent weaknesses in these systems to strive for compliance?

Key takeaway: The compliance pitfalls of legacy systems under data protection law, along with concrete guidelines for an interim solution.

Track: Privacy, safety & ethics. Monday March 9, 16:00 - 17:30

How security affects the people behind the code

Lecture by Philippe De Ryck

This keynote reflects on several real-life security incidents and their impact on the people behind the code. From each incident, we will extract lessons learned and translate them into best practices for building secure software.

Key takeaway: As a community, we need to change the way we deal with software security and security incidents.

Keynote. Friday March 13, 16:00 - 17:00