Full schedule for SecAppDev 2023

How can the adoption of machine learning introduce systematic risk into our applications? This session discusses the results of applying architectural risk analysis to identify the top risks in engineering ML systems.

Key takeaway: The results of an architectural risk analysis (sometimes called a threat model) of ML systems, including the top five (of 78 known) ML security risks

In this session, we explore how to leverage the fundamental security model of the web for security. We also explore complex attack patterns, such as CSRF, and how they impact even modern API-based applications.

Key takeaway: Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications

Understand how API contracts can be written in with the OpenAPI standard and leveraged across the API lifecycle, including for security.

Key takeaway: Learning about the power and extensibility of OpenAPI and its application across the API lifecycle.

In this session, you will learn about the security properties of various cryptographic building blocks, such as stream & block ciphers, hash functions, MAC algorithms, authenticated encryption schemes, public key encryption, and digital signatures.

Key takeaway: Understanding which algorithm to choose for which application

This session dives into software supply-chain vulnerabilities, defense strategies, and risk mitigation. Attendees will gain insights and tools to build resilient supply chains and protect organizations from evolving threats.

Key takeaway: A comprehensive understanding of the current state of software supply-chain vulnerabilities and comprehensive defensive strategies

Only 50% of software security defects are bugs. The other half are flaws in the design. This session builds on work from IEEE, Google, Twitter, Harvard, & others to present the top 10 security flaws along with guidelines to avoid them.

Key takeaway: A security top 10, but not as you know it. In this session, we explore the top 10 design flaws, along with guidelines on avoiding them in your applications.

This session highlights challenges in securing distributed applications and suggests field-tested solutions to tackle this emerging issue.

Key takeaway: Understand and address the challenges of securing a distributed application composed of hundreds of micro-services.

Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.

Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC

We discuss the principles of zero trust and explain how it can be implemented. We also discuss how we can build up trust in devices, software and hardware components.

Key takeaway: Understand whether zero trust is useful for your organization or system. Reflect on which products and services you trust and why

This session explains the principles of entity authentication, authenticated key establishment and Public Key Infrastructure. The lecture is illustrated with the protocols used in 3G, SSH, TLS, and Signal.

Key takeaway: This session will explain how entity authentication and authenticated key establishment protocols work and will help you to choose the right protocol

Learn about new web platform security mechanisms available in web browsers that enable developers to protect their web applications from common and new web attacks.

Key takeaway: Learn how to use new web security features such as CSP3, Trusted Types, Fetch Metadata and COOP to prevent classes of prevalent & emerging web attacks

This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.

Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.

Threat Modeling is a structured methodology to efficiently analyze complex systems. This can help you identify weaknesses and prioritize appropriate countermeasures. But to maximize its effect, this must be an ongoing practice, not just a one-time activity, so we also introduce a more lightweight "value driven" approach for security-minded developers.

The threat modeling techniques taught in this workshop will guide you in contributing to your product's security, focusing on security features, and designing a secure product architecture.

Learning goal: How to design a secure product with threat modeling. Share useful models to evoke insight and communicate with others. Inspire and convince others to collaborate on threat modeling in a continuous workflow.

The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.

In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.

Learning goal: Why the current approach to software security is not working. How to automate code review to free up your time for higher impact work. Best practices in rolling out continuous code scanning, and how to write custom Semgrep rules.