SecAppDev 2023 lecture details
Analysis of authentication: deciding on "good enough"
In this session, we start by threat modeling an authentication system. We analyze the risks of secret-based authentication and guide you in building usable password policies. We'll dive into the math, and investigate secure password storage.
Tuesday June 13th, 09:00 - 10:30
Room West Wing
Abstract
There are many different ways to implement user authentication. Typically we would want multiple factors of strong authentication, but how do we know if it's strong enough? And are there any disadvantages to making authentication too strong?
In this session, we dive into the most common form of user authentication: passwords. We will answer the question of "good enough" by investigating how passwords are broken, misused, and abused. We also explore how password-based authentication should be implemented, and provide actionable advice on balancing the trade-off between security and usability.
Key takeaway
Analyze the security of user authentication, make the right trade-offs, and strengthen the security of password-based authentication
Content level
Deep-dive
Target audience
Developers, dev leads, appsec engineers, security champions
Prerequisites
Experience with using passwords
Avi Douglen
CEO, Bounce Security
Expertise: Product security, security processes, security tools, and threat modeling
Related lectures
Building a secure Software Development Lifecycle
Introductory lecture by Avi Douglen in room West Wing
Monday June 12th, 11:00 - 12:30
How does an SDLC become a secure SDLC? In this session, we use real-world stories to identify and overcome challenges to integrate security into a development lifecycle. You will learn how to build and implement a high-value AppSec program.
Key takeaway: Learn how to initiate a software security program, manage the program on an ongoing basis, keep it sustainable, and build stakeholder engagement and buy-in
Third-party library security management
Deep-dive lecture by Jim Manico in room West Wing
Wednesday June 14th, 14:00 - 15:30
Managing third-party library dependencies is one of the most difficult challenges in software development and requires significant process and technical discipline. This session offers actionable advice on getting this challenge under control.
Key takeaway: To handle third-party dependencies securely, you need to reduce the number of libraries you use, vet the ones you use, and keep them up to date
OpenAPI: the common language of APIs
Deep-dive lecture by Isabelle Mauny in room Lemaire
Monday June 12th, 14:00 - 15:30
Understand how API contracts can be written with the OpenAPI standard and leveraged across the API lifecycle, including for security.
Key takeaway: Learn about the power and extensibility of OpenAPI and its application across the API lifecycle.