SecAppDev 2023 - OWASP top 10
SecAppDev 2023 offers three days of in-depth lectures and two days of hands-on workshops. The full schedule shows all sessions.
Designing and building secure user authentication mechanisms
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 15th, 09:00 - 17:30
User authentication is a critical component in almost every application. In this workshop, we explore user authentication and investigate which mechanisms are available in modern applications, along with their security properties, pros, and cons. You will learn about state-of-the-art passwordless authentication mechanisms, including the Web Authentication API and the newly-introduced PassKey mechanism. Additionally, we explore multi-factor authentication mechanisms and their security properties.
This workshop consists of a mix between lectures, demos, interactive quizzes, and hands-on labs.
Learning goal: In-depth understanding of the security properties provided by modern authentication mechanisms, along with the technical knowledge to implement these mechanisms in modern web applications.
Secure Coding with the OWASP Top Ten
One-day workshop by Jim Manico in room West Wing
Friday June 16th, 09:00 - 17:30
The OWASP Top 10 is a standard awareness document for web developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications. As software developers author code that makes up a web application, they need to embrace and practice various secure coding techniques. This training provides defensive instruction in relation to the OWASP Top Ten to aid developers in authoring secure software.
Learning goal: A thorough understanding of the risks listed in the OWASP Top 10, along with best-practice secure coding guidelines to mitigate these risks in web applications and APIs.
How to scale software quality and security using the open source tool Semgrep
One-day workshop by Pieter De Cremer and Claudio Merloni in room Lemaire
Friday June 16th, 09:00 - 17:30
The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams: they are often too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they ultimately do not raise a company's security bar.
In this workshop, we focus on hands-on exercises, supported by research results, to teach participants how to use Semgrep and how to take a different approach to security, known as the paved road or secure defaults.
Learning goal: Why the current approach to software security is not working. How to automate code review to free up your time for higher impact work. Best practices in rolling out continuous code scanning, and how to write custom Semgrep rules.
The security model of the web
Introductory lecture by Philippe De Ryck in room Lemaire
Monday June 12th, 11:00 - 12:30
In this session, we explore how to leverage the fundamental security model of the web to secure your applications. We also explore complex attack patterns, such as CSRF, and how they affect even modern API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications.
Fantastic software supply-chain vulnerabilities
Introductory lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 09:00 - 10:30
This session dives into software supply-chain vulnerabilities, defense strategies, and risk mitigation. Attendees will gain insights and tools to build resilient supply chains and protect organizations from evolving threats.
Key takeaway: A comprehensive understanding of the current state of software supply-chain vulnerabilities and comprehensive defensive strategies
Building a secure Software Development Lifecycle
Introductory lecture by Avi Douglen in room West Wing
Monday June 12th, 11:00 - 12:30
How does an SDLC become a secure SDLC? In this session, we use real-world stories to identify and overcome the challenges of integrating security into a development lifecycle. You will learn how to build and implement a high-value AppSec program.
Key takeaway: Learn how to initiate a software security program, manage it on an ongoing basis, keep it sustainable, and build stakeholder engagement and buy-in.
Third-party library security management
Deep-dive lecture by Jim Manico in room West Wing
Wednesday June 14th, 14:00 - 15:30
Managing third-party library dependencies is one of the most difficult challenges in software development and requires significant process and technical discipline. This session offers actionable advice on getting this challenge under control.
Key takeaway: To handle third-party dependencies securely, you need to reduce the number of libraries you use, vet the ones you do use, and keep them up to date.
An intro to cryptographic algorithms
Introductory lecture by Bart Preneel in room Lemaire
Monday June 12th, 16:00 - 17:30
In this session, you will learn about the security properties of various cryptographic building blocks, such as stream & block ciphers, hash functions, MAC algorithms, authenticated encryption schemes, public key encryption, and digital signatures.
Key takeaway: Understanding which algorithm to choose for which application
OpenAPI: the common language of APIs
Deep-dive lecture by Isabelle Mauny in room Lemaire
Monday June 12th, 14:00 - 15:30
Understand how API contracts can be written with the OpenAPI standard and leveraged across the API lifecycle, including for security.
Key takeaway: Learning about the power and extensibility of OpenAPI and its application across the API lifecycle.
42 things
Introductory lecture by Gary McGraw in room West Wing
Wednesday June 14th, 11:00 - 12:30
This session covers 42 things about appsec. SIX software security zombies. TEN software security flaws. SEVEN software security myths. SEVEN startup lessons. FOUR CISO tribes. SEVEN things I learned in 21 years. Oh, and ONE BONUS THING.
Key takeaway: A treasure trove of advice based on the experience of a pioneer in the field of software security, or "42 things" in short
Entity authentication and key establishment
Deep-dive lecture by Bart Preneel in room Lemaire
Wednesday June 14th, 11:00 - 12:30
This session explains the principles of entity authentication, authenticated key establishment and Public Key Infrastructure. The lecture is illustrated with the protocols used in 3G, SSH, TLS, and Signal.
Key takeaway: This session will explain how entity authentication and authenticated key establishment protocols work and will help you to choose the right protocol
Analysis of authentication: deciding on "good enough"
Deep-dive lecture by Avi Douglen in room West Wing
Tuesday June 13th, 09:00 - 10:30
In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.
Key takeaway: Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication
Secure defaults: developer-friendly security
Deep-dive lecture by Pieter De Cremer and Claudio Merloni in room West Wing
Monday June 12th, 14:00 - 15:30
We will go over the vision for secure defaults, and then discuss how we can improve processes, training and tools to support this approach. The advice in this session is backed by my research.
Key takeaway: Security is no longer just the responsibility of the expert. Security training and tools should be adapted to fit a developer audience
The unabridged history of application security
Keynote lecture by Jim Manico in room Lemaire
Wednesday June 14th, 16:00 - 17:15
This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.
Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.
Access control unveiled: Challenges & best practices
Deep-dive lecture by Maarten Decat in room West Wing
Tuesday June 13th, 11:00 - 12:30
Having control over who can access what within an organization has become a cornerstone of modern cybersecurity. This session provides a deep dive into the challenges and best practices of both access control and identity and access management.
Key takeaway: Understanding access control & Identity and Access Management (IAM), including challenges & best practices for effective implementation.
Supply chain risks in software development
Introductory lecture by Bruno Bossola in room West Wing
Tuesday June 13th, 14:00 - 15:30
This session covers supply chain risks in software development, techniques for managing them, and best practices for developers to mitigate risks and ensure secure and reliable software products. Where possible, we use live demos.
Key takeaway: Learn how to reduce supply chain risk by adopting techniques used in the industry today.