SecAppDev 2023 - Architecture

User authentication is a critical component in almost every application. In this workshop, we explore user authentication and investigate which mechanisms are available in modern applications, along with their security properties, pros, and cons. You will learn about state-of-the-art passwordless authentication mechanisms, including the Web Authentication API and the newly-introduced PassKey mechanism. Additionally, we explore multi-factor authentication mechanisms and their security properties.

This workshop consists of a mix between lectures, demos, interactive quizzes, and hands-on labs.

Learning goal: In-depth understanding of the security properties provided by modern authentication mechanisms, along with the technical knowledge to implement these mechanisms in modern web applications.

Threat Modeling is a structured methodology to efficiently analyze complex systems. This can help you identify weaknesses and prioritize appropriate countermeasures. But to maximize its effect, this must be an ongoing practice, not just a one-time activity, so we also introduce a more lightweight "value driven" approach for security-minded developers.

The threat modeling techniques taught in this workshop will guide you in contributing to your product's security, focusing on security features, and designing a secure product architecture.

Learning goal: How to design a secure product with threat modeling. Share useful models to evoke insight and communicate with others. Inspire and convince others to collaborate on threat modeling in a continuous workflow.

We discuss the principles of zero trust and explain how it can be implemented. We also discuss how we can build up trust in devices, software and hardware components.

Key takeaway: Understand whether zero trust is useful for your organization or system. Reflect on which products and services you trust and why

This session highlights challenges in securing distributed applications and suggests field-tested solutions to tackle this emerging issue.

Key takeaway: Understand and address the challenges of securing a distributed application composed of hundreds of micro-services.

This session dives into software supply-chain vulnerabilities, defense strategies, and risk mitigation. Attendees will gain insights and tools to build resilient supply chains and protect organizations from evolving threats.

Key takeaway: A comprehensive understanding of the current state of software supply-chain vulnerabilities and comprehensive defensive strategies

Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.

Key takeaway: Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent & emerging web attacks

In this session, we explore what OAuth 2.0 and OpenID Connect have to offer. We also investigate how to leverage these technologies to build a modern and secure application architecture.

Key takeaway: Understanding the fundamentals of OAuth 2.0 and OpenID Connect, and how to use these building blocks to design modern application architectures

Only 50% of software security defects are bugs. The other half are flaws in the design. This session builds on work from IEEE, Google, Twitter, Harvard, & others to present the top 10 security flaws along with guidelines to avoid them.

Key takeaway: A security top 10, but not as you know it. In this session, we explore the top 10 design flaws, along with guidelines on avoiding them in your applications.

Having control over who can access what within an organization has become a cornerstone of modern cybersecurity. This session provides a deep dive into the challenges and best practices of both access control and identity and access management.

Key takeaway: Understanding access control & Identity and Access Management (IAM), including challenges & best practices for effective implementation.