Lecture sessions at SecAppDev 2022

Lecture by Isabelle Mauny

What are the key API-based integration patterns and their security implications? Which strategies can we adopt to protect APIs now and in the future? How can we do better and attack the security issues from design time?

Key takeaway: The inherent risks of exposing APIs and what we can do today and tomorrow to address them.

Web and API security Tuesday June 14, 16:00 - 17:30

Lecture by Jaya Baloo

How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.

Key takeaway: An honest look at the security challenges we are facing in the future

Security processes Wednesday June 15, 16:00 - 17:15

Lecture by Griet Verhenneman

Anonymisation versus pseudonymisation, public interest versus commercial interest, opt-in versus opt-out, and the pull versus push approach to transparency. This session explores the limitations, but also provides solutions.

Key takeaway: Transparency, pseudonymisation and, depending on the context, the right to opt-out should be your keys to the (re)use of personal health-related data.

Privacy, safety & ethics Monday June 13, 09:00 - 10:30

Lecture by Abhay Bhargav

Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.

Key takeaway: Understanding decoupled security controls for microservice stacks and various approaches to implement security-as-code

Security processes Tuesday June 14, 11:00 - 12:30

Lecture by Abhay Bhargav

Learn about the unique nature of API compromises, nuanced SSRF attack patterns, webhook boomerang attacks, JWT implementation vulnerabilities, and authorization flaws

Key takeaway: Web application security and API security are fundamentally different, as illustrated by attacks against webhooks, different types of SSRF attacks, and various access control flaws.

Web and API security Wednesday June 15, 14:00 - 15:30

Lecture by Jan Tobias Muehlberg

Modern processors provide Trusted Execution Environments that allow you to protect software components even from an untrusted operating system. Learn when and how to use them!

Key takeaway: Learn how and when to rely on technologies such as Intel SGX, and understand what security guarantees these technologies can provide.

IoT and low-level security Tuesday June 14, 09:00 - 10:30

Lecture by Quentin Stiévenart

WebAssembly enables near-native performance for web applications. We will dive deep into the world of WebAssembly, with a focus on the security concerns that need to be addressed when developing WebAssembly applications.

Key takeaway: Despite WebAssembly having been developed with security in mind, it is important to be aware of the security limitations of this platform.

Web and API security Wednesday June 15, 09:00 - 10:30

Lecture by Stefaan Van daele

Developing secure code is a good start, but what more could you do from security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.

Key takeaway: How Enterprise Security Architecture could help to improve the security posture of the applications developed for your organisation.

Security processes Monday June 13, 11:00 - 12:30

Lecture by Mykyta Petik

This sessions aims to provide a general overview of how to implement GDPR in SDLC and ensure compliance with privacy and personal data protection rules

Key takeaway: Learn about key GDPR requirements to consider in their software projects as well as how to involve DPOs and lawyers in SDLC process

Privacy, safety & ethics Monday June 13, 14:00 - 15:30

Lecture by Philippe De Ryck

OAuth 2.0 and OIDC are confusing, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices of using them.

Key takeaway: A solid understanding of OAuth 2.0/OIDC best practices and how to effectively use these technologies in your applications.

Identity and access management Monday June 13, 09:00 - 10:30

Lecture by Philippe De Ryck

Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.

Key takeaway: The best approach to secure a Single Page Application with OAuth 2.0 is by using a Backend-For-Frontend

Identity and access management Monday June 13, 16:00 - 17:30

Lecture by Pieter Philippaerts

In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.

Key takeaway: Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.

Identity and access management Wednesday June 15, 11:00 - 12:30

Lecture by Sebastien Deleersnyder

We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modelling into an established, reliable practice.

Key takeaway: Understand how to build and improve a threat modeling practice to level up your product security.

Security processes Tuesday June 14, 14:00 - 15:30

Lecture by Bart Preneel

This lecture offers a perspective on the building blocks and concepts of blockchain technologies. It will go beyond the hype and look at the underlying technologies and their strengths and weaknesses.

Key takeaway: Cryptocurrencies are here to stay. Blockchain can bring innovation through novel ecosystems and cool cryptography.

Crypto Monday June 13, 14:00 - 15:30

Lecture by Bart Preneel

This lecture discusses developments in cryptography that will impact applications in the next years, such as authenticated encryption, post-quantum cryptography, multi-party computation and (somewhat) fully homomorphic encryption.

Key takeaway: Cryptography keeps changing. More effort is needed on cryptographic algorithm agility and new applications are opening up.

Crypto Tuesday June 14, 11:00 - 12:30

Lecture by Bart Preneel

During the corona pandemic, privacy-friendly protocols for proximity and presence tracing have been widely deployed in a very short time. Even if these technologies were overhyped, they have delivered valuable contributions.

Key takeaway: Against all odds, it is possible to achieve proximity and presence tracing at a large scale while respecting the privacy requirements of the users.

Privacy, safety & ethics Monday June 13, 16:00 - 17:30

Lecture by Jim Manico

The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. In this session, we explore how developers can mitigate these threats in modern web applications.

Key takeaway: Current best practice defenses to counter the OWASP top 10 risks against web applications

Web and API security Tuesday June 14, 09:00 - 10:30

Lecture by Jim Manico

The web is full of request forgery attacks, such as CSRF, SSRF, and Clickjacking. In this session, we provide actionable guidance on mitigating these issues in modern applications.

Key takeaway: Learn how to prevent forgery attacks such as CSRF, SSRF, and Clickjacking

Web and API security Wednesday June 15, 11:00 - 12:30

Lecture by Lennert Wouters

This session provides an introduction to the field of hardware security, and will be guided by real-world case studies and vulnerabilities. We discuss the embedded attacker, their tools and techniques and their influence on threat models.

Key takeaway: Physical attackers are a major threat to IoT security, allowing everyone to hack embedded devices

IoT and low-level security Monday June 13, 11:00 - 12:30

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits a small exercise would be held to do a persona-based organizational threat model.

Key takeaway: The details of the meaning of "personas", how to work with them in a security context and apply them for example in threat modeling

Security processes Wednesday June 15, 14:00 - 15:30

Lecture by Dr. Torsten Lodderstedt

This session discuss the challenges one faces when protecting security critical and large scale APIs with OAuth and present design options modern OAuth provides us with.

Key takeaway: OAuth 2 has the necessary features and flexibility to both properly protect security critical APIs while building scalable and performant systems.

Identity and access management Tuesday June 14, 14:00 - 15:30

Lecture by Dr. Torsten Lodderstedt

This session will introduce the audience to a couple of extensions to the OAuth standard that that help to build more secure systems in an easier and more interoperable way.

Key takeaway: OAuth 2 was improved and simplified a lot in the last years.

Identity and access management Wednesday June 15, 09:00 - 10:30