Lectures at SecAppDev 2023
SecAppDev 2023 offers three days of in-depth lectures and two days of workshops, organized in a dual-track program.
SecAppDev lectures are 90 minutes each, allowing our expert faculty members to take a deep-dive into their topics. Throughout the lectures and the course, there is ample time to ask questions or discuss scenarios with our faculty members.
Subscribe to our mailing list to stay up to date on future editions of SecAppDev.
Security engineering for machine learning
Keynote lecture by Gary McGraw in room Lemaire
Monday June 12th, 09:15 - 10:30
How can the adoption of machine learning introduce systematic risk into our applications? This session discusses the results of applying architectural risk analysis to identify the top risks in engineering ML systems.
Key takeaway: The results of an architectural risk analysis (sometimes called a threat model) of ML systems, including the top five (of 78 known) ML security risks
The security model of the web
Introductory lecture by Philippe De Ryck in room Lemaire
Monday June 12th, 11:00 - 12:30
In this session, we explore how to leverage the browser's fundamental security model to secure your applications. We also explore complex attack patterns, such as CSRF, and how they still affect modern API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications
Demystifying Zero Trust
Introductory lecture by Bart Preneel in room Lemaire
Wednesday June 14th, 09:00 - 10:30
We discuss the principles of zero trust and explain how it can be implemented. We also discuss how we can build up trust in devices, software and hardware components.
Key takeaway: Understand whether zero trust is useful for your organization or system. Reflect on which products and services you trust and why
Security architecture in a distributed world
Deep-dive lecture by Isabelle Mauny in room Lemaire
Tuesday June 13th, 14:00 - 15:30
This session highlights challenges in securing distributed applications and suggests field-tested solutions to tackle this emerging issue.
Key takeaway: Understand and address the challenges of securing a distributed application composed of hundreds of micro-services.
Fantastic software supply-chain vulnerabilities
Introductory lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 09:00 - 10:30
This session dives into software supply-chain vulnerabilities, defense strategies, and risk mitigation. Attendees will gain insights and tools to build resilient supply chains and protect organizations from evolving threats.
Key takeaway: A thorough understanding of the current state of software supply-chain vulnerabilities, and the defensive strategies that address them
Building a secure Software Development Lifecycle
Introductory lecture by Avi Douglen in room West Wing
Monday June 12th, 11:00 - 12:30
How does an SDLC become a secure SDLC? In this session, we use real-world stories to identify and overcome challenges to integrate security into a development lifecycle. You will learn how to build and implement a high-value AppSec program.
Key takeaway: Learn how to initiate a software security program, manage it on an ongoing basis, keep it sustainable, and build stakeholder engagement and buy-in
Third-party library security management
Deep-dive lecture by Jim Manico in room West Wing
Wednesday June 14th, 14:00 - 15:30
Managing third-party library dependencies is one of the most difficult challenges in software development and requires significant process and technical discipline. This session offers actionable advice on getting this challenge under control.
Key takeaway: To handle third-party dependencies securely, you need to reduce the number of libraries you use, vet the ones you do use, and keep them up to date
Modern security features for web apps
Introductory lecture by Lukas Weichselbaum in room Lemaire
Wednesday June 14th, 14:00 - 15:30
Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.
Key takeaway: Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent & emerging web attacks
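One of the mechanisms this lecture names, Fetch Metadata, lets a server reject cross-site requests using the classification the browser itself attaches to every request. The following is an added example, not code from the SecAppDev page or from the speaker: a resource isolation policy written as a plain function over Node-style lower-cased request headers, paired with the COOP/CORP response headers that complement it. The header names and values follow the Fetch Metadata specification; the request samples are constructed.

```javascript
// Added example (not from the SecAppDev page): a Fetch Metadata
// "resource isolation policy", i.e. a server-side check that rejects
// cross-site requests the browser itself labels as such, before any
// application code runs. Header names and values follow the Fetch
// Metadata specification; the request objects below are constructed
// sample input.

const ALLOWED_SITES = new Set(["same-origin", "same-site", "none"]);

// Decide whether a request passes the isolation policy.
// `headers` is a plain object with lower-case header names, as Node's
// http.IncomingMessage.headers provides. Returns { allow, reason }.
function isolationPolicy(method, headers) {
  const site = headers["sec-fetch-site"];
  const mode = headers["sec-fetch-mode"];
  const dest = headers["sec-fetch-dest"];

  // 1. Clients that send no Fetch Metadata (old browsers, curl, mobile
  //    apps) cannot be classified; fall through to the application's
  //    other defenses (CSRF tokens, SameSite cookies, CORS checks).
  if (site === undefined) {
    return { allow: true, reason: "no Fetch Metadata; rely on other defenses" };
  }
  // 2. Same-origin, same-site and browser-initiated requests (typed URL,
  //    bookmark) are always fine.
  if (ALLOWED_SITES.has(site)) {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }
  // 3. Cross-site top-level GET navigations stay allowed so links from
  //    other sites keep working. Excluding object/embed destinations
  //    prevents plugins from pulling the page in as a sub-resource.
  if (mode === "navigate" && method === "GET" && dest !== "object" && dest !== "embed") {
    return { allow: true, reason: "cross-site top-level GET navigation" };
  }
  // 4. Anything else is a cross-site sub-resource load or a cross-site
  //    state-changing request (the CSRF case): reject it.
  return { allow: false, reason: `cross-site ${method} with mode=${mode} dest=${dest}` };
}

// Response side: the headers a handler should add once a request is
// allowed. COOP isolates the browsing context from cross-origin openers;
// CORP stops other origins from embedding the resource.
function isolationResponse(verdict) {
  if (!verdict.allow) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: `blocked: ${verdict.reason}` };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "text/plain",
      "Cross-Origin-Opener-Policy": "same-origin",
      "Cross-Origin-Resource-Policy": "same-origin",
    },
    body: `allowed: ${verdict.reason}`,
  };
}

// Constructed sample requests covering the interesting cases.
const SAMPLES = [
  { name: "same-origin XHR", method: "POST",
    headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  { name: "cross-site form POST (CSRF)", method: "POST",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "link clicked on another site", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  { name: "cross-site <img> load (XS-leak probe)", method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  { name: "client without Fetch Metadata", method: "POST", headers: {} },
];

function evaluateSamples() {
  return SAMPLES.map((s) => ({ name: s.name, ...isolationPolicy(s.method, s.headers) }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.allow ? "ALLOW" : "BLOCK"}  ${r.name}: ${r.reason}`);
}
```

In a real deployment the policy sits in front of every handler (as an Express middleware or equivalent) and is rolled out in logging mode first, because the "no Fetch Metadata" branch is where legitimate non-browser clients show up.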
An intro to cryptographic algorithms
Introductory lecture by Bart Preneel in room Lemaire
Monday June 12th, 16:00 - 17:30
In this session, you will learn about the security properties of various cryptographic building blocks, such as stream & block ciphers, hash functions, MAC algorithms, authenticated encryption schemes, public key encryption, and digital signatures.
Key takeaway: Understanding which algorithm to choose for which application
OAuth 2.0 and OpenID Connect architectures
Deep-dive lecture by Philippe De Ryck in room West Wing
Monday June 12th, 16:00 - 17:30
In this session, we explore what OAuth 2.0 and OpenID Connect have to offer. We also investigate how to leverage these technologies to build a modern and secure application architecture.
Key takeaway: Understanding the fundamentals of OAuth 2.0 and OpenID Connect, and how to use these building blocks to design modern application architectures
OpenAPI: the common language of APIs
Deep-dive lecture by Isabelle Mauny in room Lemaire
Monday June 12th, 14:00 - 15:30
Understand how API contracts can be written with the OpenAPI standard and leveraged across the API lifecycle, including for security.
Key takeaway: Learning about the power and extensibility of OpenAPI and its application across the API lifecycle.
Attacks against machine learning pipelines
Introductory lecture by Davy Preuveneers in room West Wing
Wednesday June 14th, 09:00 - 10:30
This session will explore various attacks against machine learning pipelines and their life cycle, present countermeasures and discuss best practices to make your ML models more robust in adversarial settings.
Key takeaway: ML adds value to applications but also increases the attack surface, requiring a holistic approach to securing the ML pipeline and lifecycle
42 things
Introductory lecture by Gary McGraw in room West Wing
Wednesday June 14th, 11:00 - 12:30
This session covers 42 things about appsec. SIX software security zombies. TEN software security flaws. SEVEN software security myths. SEVEN startup lessons. FOUR CISO tribes. SEVEN things I learned in 21 years. Oh, and ONE BONUS THING.
Key takeaway: A treasure trove of advice based on the experience of a pioneer in the field of software security, or "42 things" in short
Policy-as-Code: across the tech stack
Deep-dive lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 16:00 - 17:30
Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.
Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC
Entity authentication and key establishment
Deep-dive lecture by Bart Preneel in room Lemaire
Wednesday June 14th, 11:00 - 12:30
This session explains the principles of entity authentication, authenticated key establishment and Public Key Infrastructure. The lecture is illustrated with the protocols used in 3G, SSH, TLS, and Signal.
Key takeaway: This session will explain how entity authentication and authenticated key establishment protocols work and will help you to choose the right protocol
Analysis of authentication: deciding on "good enough"
Deep-dive lecture by Avi Douglen in room West Wing
Tuesday June 13th, 09:00 - 10:30
In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.
Key takeaway: Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication
Secure defaults: developer-friendly security
Deep-dive lecture by Pieter De Cremer and Claudio Merloni in room West Wing
Monday June 12th, 14:00 - 15:30
We will go over the vision for secure defaults, and then discuss how we can improve processes, training and tools to support this approach. The advice in this session is backed by my research.
Key takeaway: Security is no longer just the responsibility of the expert. Security training and tools should be adapted to fit a developer audience
How to avoid the top ten software security flaws
Introductory lecture by Gary McGraw in room Lemaire
Tuesday June 13th, 11:00 - 12:30
Only 50% of software security defects are bugs. The other half are flaws in the design. This session builds on work from IEEE, Google, Twitter, Harvard, & others to present the top 10 security flaws along with guidelines to avoid them.
Key takeaway: A security top 10, but not as you know it. In this session, we explore the top 10 design flaws, along with guidelines on avoiding them in your applications.
From zero to hero with Content Security Policy
Advanced lecture by Philippe De Ryck in room West Wing
Tuesday June 13th, 16:00 - 17:30
In this session, we identify do's and don'ts when building CSP policies for modern applications. We explore how to enable CSP with third-party content and offer a nuanced opinion on building secure CSP policies.
Key takeaway: Modern best practices for building secure CSP policies, along with guidelines for deploying CSP in single page applications
The unabridged history of application security
Keynote lecture by Jim Manico in room Lemaire
Wednesday June 14th, 16:00 - 17:15
This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.
Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.
Access control unveiled: Challenges & best practices
Deep-dive lecture by Maarten Decat in room West Wing
Tuesday June 13th, 11:00 - 12:30
Having control over who can access what within an organization has become a cornerstone of modern cybersecurity. This session provides a deep dive into the challenges and best practices of both access control and identity and access management.
Key takeaway: Understanding access control & Identity and Access Management (IAM), including challenges & best practices for effective implementation.
Supply chain risks in software development
Introductory lecture by Bruno Bossola in room West Wing
Tuesday June 13th, 14:00 - 15:30
This session covers supply chain risks in software development, techniques for managing them, and best practices for developers to mitigate risks and ensure secure and reliable software products. Where possible, we use live demos.
Key takeaway: Learn how to reduce supply chain risk by adopting techniques used in the industry today.