Lecture sessions at SecAppDev 2022
SecAppDev 2022 offers 22 in-depth lectures and 4 one-day workshops, organized in a dual-track program.
SecAppDev lectures are 90 minutes each, allowing our expert faculty members to take a deep-dive into their topics. Throughout the lectures and the course, there is ample time to ask questions or discuss scenarios with our faculty members.
The list below gives a detailed overview of the lectures at SecAppDev 2022. The full schedule provides an overview of all sessions and workshops for the entire week.
The (bright) future of API Security
Lecture by Isabelle Mauny
What are the key API-based integration patterns and their security implications? Which strategies can we adopt to protect APIs now and in the future? How can we do better and attack the security issues from design time?
Key takeaway: The inherent risks of exposing APIs and what we can do today and tomorrow to address them.
Web and API security, Tuesday June 14, 16:00 - 17:30
Solid foundation for a secure future
Lecture by Jaya Baloo
How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.
Key takeaway: An honest look at the security challenges we are facing in the future
Security processes, Wednesday June 15, 16:00 - 17:15
Privacy and ethics in secondary use of sensitive data
Lecture by Griet Verhenneman
Anonymisation versus pseudonymisation, public interest versus commercial interest, opt-in versus opt-out, and the pull versus push approach to transparency. This session explores the limitations, but also provides solutions.
Key takeaway: Transparency, pseudonymisation and, depending on the context, the right to opt-out should be your keys to the (re)use of personal health-related data.
Privacy, safety & ethics, Monday June 13, 09:00 - 10:30
Everything-as-Code - Ideas for a new world of AppSec
Lecture by Abhay Bhargav
Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.
Key takeaway: Understanding decoupled security controls for microservice stacks and various approaches to implement security-as-code
Security processes, Tuesday June 14, 11:00 - 12:30
Fantastic API Vulnerabilities and where to find them
Lecture by Abhay Bhargav
Learn about the unique nature of API compromises, nuanced SSRF attack patterns, webhook boomerang attacks, JWT implementation vulnerabilities, and authorization flaws.
Key takeaway: Web application security and API security are fundamentally different, as illustrated by attacks against webhooks, different types of SSRF attacks, and various access control flaws.
Web and API security, Wednesday June 15, 14:00 - 15:30
Trusted Execution and how far you can trust it
Lecture by Jan Tobias Muehlberg
Modern processors provide Trusted Execution Environments that allow you to protect software components even from an untrusted operating system. Learn when and how to use them!
Key takeaway: Learn how and when to rely on technologies such as Intel SGX, and understand what security guarantees these technologies can provide.
IoT and low-level security, Tuesday June 14, 09:00 - 10:30
Security of WebAssembly applications
Lecture by Quentin Stiévenart
WebAssembly enables near-native performance for web applications. We will dive deep into the world of WebAssembly, with a focus on the security concerns that need to be addressed when developing WebAssembly applications.
Key takeaway: Despite WebAssembly having been developed with security in mind, it is important to be aware of the security limitations of this platform.
Web and API security, Wednesday June 15, 09:00 - 10:30
Enterprise security architecture and app development
Lecture by Stefaan Van daele
Developing secure code is a good start, but what more could you do from a security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.
Key takeaway: How Enterprise Security Architecture could help to improve the security posture of the applications developed for your organisation.
Security processes, Monday June 13, 11:00 - 12:30
Implementing GDPR in software projects
Lecture by Mykyta Petik
This session aims to provide a general overview of how to implement GDPR in the SDLC and ensure compliance with privacy and personal data protection rules.
Key takeaway: Learn about the key GDPR requirements to consider in your software projects, as well as how to involve DPOs and lawyers in the SDLC process.
Privacy, safety & ethics, Monday June 13, 14:00 - 15:30
Introduction to OAuth 2.0 and OpenID Connect
Lecture by Philippe De Ryck
OAuth 2.0 and OIDC are complex, which often results in confusion and implementation mistakes. In this session, we explore the purpose of these technologies and the current best practices for using them.
Key takeaway: A solid understanding of OAuth 2.0/OIDC best practices and how to effectively use these technologies in your applications.
Identity and access management, Monday June 13, 09:00 - 10:30
Securing OAuth 2.0 and OpenID Connect in Frontends
Lecture by Philippe De Ryck
Learn why SPAs as OAuth 2.0 clients are inherently insecure, and how moving responsibilities to a lightweight backend with the BFF pattern can offer a solution.
Key takeaway: The best approach to secure a Single Page Application with OAuth 2.0 is by using a Backend-For-Frontend
Identity and access management, Monday June 13, 16:00 - 17:30
Analyzing the security of OAuth 2.0 implementations
Lecture by Pieter Philippaerts
In this presentation, we introduce a tool to test and analyze the security of OAuth 2.0 authorization servers. We also present a summary of the results of our OAuth ecosystem analysis, and identify some lessons learned.
Key takeaway: Securely implementing and configuring OAuth services is difficult. Follow the OAuth Security Best Current Practices to properly mitigate threats.
Identity and access management, Wednesday June 15, 11:00 - 12:30
Level up your threat modeling practice
Lecture by Sebastien Deleersnyder
We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modelling into an established, reliable practice.
Key takeaway: Understand how to build and improve a threat modeling practice to level up your product security.
Security processes, Tuesday June 14, 14:00 - 15:30
Cryptocurrencies and blockchains
Lecture by Bart Preneel
This lecture offers a perspective on the building blocks and concepts of blockchain technologies. It will go beyond the hype and look at the underlying technologies and their strengths and weaknesses.
Key takeaway: Cryptocurrencies are here to stay. Blockchain can bring innovation through novel ecosystems and cool cryptography.
Crypto, Monday June 13, 14:00 - 15:30
New developments in cryptography land
Lecture by Bart Preneel
This lecture discusses developments in cryptography that will impact applications in the next years, such as authenticated encryption, post-quantum cryptography, multi-party computation and (somewhat) fully homomorphic encryption.
Key takeaway: Cryptography keeps changing. More effort is needed on cryptographic algorithm agility and new applications are opening up.
Crypto, Tuesday June 14, 11:00 - 12:30
Privacy-friendly proximity and presence tracing
Lecture by Bart Preneel
During the corona pandemic, privacy-friendly protocols for proximity and presence tracing have been widely deployed in a very short time. Even if these technologies were overhyped, they have delivered valuable contributions.
Key takeaway: Against all odds, it is possible to achieve proximity and presence tracing at a large scale while respecting the privacy requirements of the users.
Privacy, safety & ethics, Monday June 13, 16:00 - 17:30
The OWASP Top Ten 2021-2022 release
Lecture by Jim Manico
The OWASP Top 10 represents a broad consensus about the most critical security risks to web applications. In this session, we explore how developers can mitigate these threats in modern web applications.
Key takeaway: Current best practice defenses to counter the OWASP top 10 risks against web applications
Web and API security, Tuesday June 14, 09:00 - 10:30
Web request forgery - SSRF, CSRF and clickjacking
Lecture by Jim Manico
The web is full of request forgery attacks, such as CSRF, SSRF, and Clickjacking. In this session, we provide actionable guidance on mitigating these issues in modern applications.
Key takeaway: Learn how to prevent forgery attacks such as CSRF, SSRF, and Clickjacking
Web and API security, Wednesday June 15, 11:00 - 12:30
Security of embedded devices - an introduction
Lecture by Lennert Wouters
This session provides an introduction to the field of hardware security, and will be guided by real-world case studies and vulnerabilities. We discuss the embedded attacker, their tools and techniques and their influence on threat models.
Key takeaway: Physical attackers are a major threat to IoT security, allowing everyone to hack embedded devices
IoT and low-level security, Monday June 13, 11:00 - 12:30
Persona-based security and threat-modeling
Lecture by Deepak Subramanian
The session will include a presentation about persona-based security, leading to persona-based threat modeling. If time permits, a small exercise will be held to build a persona-based organizational threat model.
Key takeaway: What "personas" mean, how to work with them in a security context, and how to apply them, for example in threat modeling.
Security processes, Wednesday June 15, 14:00 - 15:30
OAuth for security critical applications
Lecture by Dr. Torsten Lodderstedt
This session discusses the challenges one faces when protecting security-critical and large-scale APIs with OAuth, and presents the design options modern OAuth provides us with.
Key takeaway: OAuth 2 has the necessary features and flexibility to properly protect security-critical APIs while building scalable and performant systems.
Identity and access management, Tuesday June 14, 14:00 - 15:30
Recent developments in OAuth
Lecture by Dr. Torsten Lodderstedt
This session will introduce the audience to a couple of extensions to the OAuth standard that help to build more secure systems in an easier and more interoperable way.
Key takeaway: OAuth 2 was improved and simplified a lot in the last years.
Identity and access management, Wednesday June 15, 09:00 - 10:30