SecAppDev 2023 workshop details
Building secure systems with threat modeling
Learning goal: How to design a secure product with threat modeling. Share useful models to evoke insight and communicate with others. Inspire and convince others to collaborate on threat modeling in a continuous workflow.
Thursday June 15th, 09:00 - 17:30
Room Lemaire
Abstract
Threat Modeling is a structured methodology to efficiently analyze complex systems. This can help you identify weaknesses and prioritize appropriate countermeasures. But to maximize its effect, this must be an ongoing practice, not just a one-time activity, so we also introduce a more lightweight "value driven" approach for security-minded developers.
The threat modeling techniques taught in this workshop will guide you in contributing to your product's security, focusing on security features, and designing a secure product architecture.
Content overview
- What is threat modeling? Why bother?
- Universal principles: a common framework for threat modeling, best practices, and anti-patterns
- Modeling basics: teaching you to draw diagrams!
- Application decomposition: using a diagram to find important details and identify assumptions
- Threat identification: recognize threats and other security issues that need attention.
- Countermeasures: effective mitigation strategies
- Retrospective: what signals to look for when reviewing a model
- Lightweight approaches: Value driven approach to lightweight threat modeling
Content level
Deep-dive
Target audience
Product security teams, software architects, senior developers, and security champions. Folks who lead security processes and are responsible for getting others to participate – and those that want to.
Prerequisites
Familiarity with modern application architecture and software development processes. Some coding experience (any language) preferred, but not required
Technical requirements
Creativity and skepticism! (No need for laptop, we’ll be deep with pen & paper, and whiteboard & markers.)
Avi Douglen
CEO, Bounce Security
Expertise: Product security, security processes, security tools, and threat modeling
Other workshops
Designing and building secure user authentication mechanisms
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 15th, 09:00 - 17:30
User authentication is a critical component in almost every application. In this workshop, we explore user authentication and investigate which mechanisms are available in modern applications, along with their security properties, pros, and cons. You will learn about state-of-the-art passwordless authentication mechanisms, including the Web Authentication API and the newly-introduced PassKey mechanism. Additionally, we explore multi-factor authentication mechanisms and their security properties.
This workshop consists of a mix between lectures, demos, interactive quizzes, and hands-on labs.
Learning goal: In-depth understanding of the security properties provided by modern authentication mechanisms, along with the technical knowledge to implement these mechanisms in modern web applications.
Secure Coding with the OWASP Top Ten
One-day workshop by Jim Manico in room West Wing
Friday June 16th, 09:00 - 17:30
The OWASP Top 10 is a standard awareness document for web developers and web application security professionals. It represents a broad consensus about the most critical security risks to web applications. As software developers author code that makes up a web application, they need to embrace and practice various secure coding techniques. This training provides defensive instruction in relation to the OWASP Top Ten to aid developers in authoring secure software.
Learning goal: A thorough understanding of the risks listed in the OWASP top 10, along with best practice secure coding guidelines to mitigate these risks in web applications and APIs
How to scale software quality and security using the open source tool Semgrep
One-day workshop by Pieter De Cremer and Claudio Merloni in room Lemaire
Friday June 16th, 09:00 - 17:30
The software security industry is shifting left. Traditional security tools have failed to address the challenges of modern engineering teams as they often are too slow, overwhelm users with false positives, and do not provide sufficient remediation help. As a result, they do not ultimately raise a company’s security bar.
In this workshop we will focus on hands-on exercises, supported by research results to teach participants how to use Semgrep by taking a different approach to security, called paved road or secure defaults.
Learning goal: Why the current approach to software security is not working. How to automate code review to free up your time for higher impact work. Best practices in rolling out continuous code scanning, and how to write custom Semgrep rules.