SecAppDev 2023 lecture details
The security model of the web
In this session, we explore how to leverage the fundamental security model of the web to build secure applications. We also explore complex attack patterns, such as CSRF, and how they impact even modern API-based applications.
Monday June 12th, 11:00 - 12:30
Room Lemaire
Abstract
Web security is messy, quirky, and often quite complicated. Without a solid understanding of the security model, navigating this tangled web and building secure applications is impossible.
In this session, we explore how the browser thinks about security and how we can leverage that to build more secure applications. We also look into complex attack patterns, such as Cross-Site Request Forgery, and what they mean for modern applications. The concepts covered in this session give you the necessary foundation for the other web-related topics at SecAppDev.
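The abstract's point that cross-site request forgery still matters for cookie-authenticated, API-based applications can be made concrete with a server-side check built on what the browser already tells the server about who initiated a request. The following is an added example written for this page; it is not taken from the lecture or its handouts. It assumes a hypothetical API at https://api.example.com that authenticates browser clients with a session cookie, and it applies the check to every state-changing method.

```javascript
// Added example (not part of the SecAppDev lecture): reject cross-site
// state-changing requests using the Fetch Metadata and Origin headers that
// the browser attaches and that page script cannot forge.
//
// Assumptions (hypothetical): the API lives at https://api.example.com,
// browser clients carry a session cookie, and non-browser clients use a
// bearer token instead of a cookie.

const SITE_ORIGIN = "https://api.example.com"; // assumed origin of the API
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Decide whether a request may proceed. `headers` is a plain object with
// lowercase header names, the way most server frameworks expose them.
function csrfDecision(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allow: true, reason: "safe method, no state change" };
  }

  // 1. Fetch Metadata: modern browsers send Sec-Fetch-Site on every request.
  //    "same-origin" and "none" (user-typed URL, bookmark) are acceptable;
  //    "same-site" (sibling subdomain) and "cross-site" are not for an API call.
  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite !== undefined) {
    const ok = fetchSite === "same-origin" || fetchSite === "none";
    return { allow: ok, reason: `sec-fetch-site=${fetchSite}` };
  }

  // 2. Fallback for browsers without Fetch Metadata: browsers attach Origin to
  //    cross-origin requests and to POST requests. Compare it with our origin.
  const origin = headers["origin"];
  if (origin !== undefined) {
    return origin === SITE_ORIGIN
      ? { allow: true, reason: "origin matches site" }
      : { allow: false, reason: `origin ${origin} does not match site` };
  }

  // 3. No browser signal at all. A non-browser client (curl, mobile app) may
  //    omit both headers, but it also has no ambient cookie that another site
  //    could ride on. Allow only token authentication without a cookie.
  if (headers["authorization"] && !headers["cookie"]) {
    return { allow: true, reason: "token-authenticated, no ambient cookie" };
  }
  return { allow: false, reason: "cookie-authenticated request without origin information" };
}

// Constructed sample requests (not captured traffic), one per situation the
// check has to handle.
const SAMPLES = {
  legitimateSpa: ["POST", { "sec-fetch-site": "same-origin", origin: SITE_ORIGIN, cookie: "session=abc" }],
  crossSiteForm: ["POST", { "sec-fetch-site": "cross-site", origin: "https://attacker.example", cookie: "session=abc" }],
  siblingSubdomain: ["PUT", { "sec-fetch-site": "same-site", origin: "https://blog.example.com", cookie: "session=abc" }],
  oldBrowserSameOrigin: ["POST", { origin: SITE_ORIGIN, cookie: "session=abc" }],
  oldBrowserAttack: ["POST", { origin: "https://attacker.example", cookie: "session=abc" }],
  curlWithToken: ["DELETE", { authorization: "Bearer t0k3n" }],
  readOnlyCrossSite: ["GET", { "sec-fetch-site": "cross-site" }],
};

// Run every sample through the check and return name -> allowed.
function runSamples() {
  const result = {};
  for (const [name, [method, headers]] of Object.entries(SAMPLES)) {
    result[name] = csrfDecision(method, headers).allow;
  }
  return result;
}

console.log(runSamples());
```

The check deliberately treats `same-site` as a rejection: a compromised sibling subdomain is exactly the kind of origin the same-origin policy distinguishes from the API itself. Step 3 is the part that matters for API-based applications: a request that carries a cookie but no origin information is the CSRF shape and is refused, while a token-bearing client without a cookie has no ambient authority to abuse.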
Key takeaway
Understand how the browser reasons about web security, and how you can leverage this fundamental security model to secure your applications
Content level
Introductory
Target audience
Anyone building applications that are exposed to the Internet
Prerequisites
None
Philippe De Ryck
Security Expert, Pragmatic Web Security
Expertise: Web security, API security, OAuth 2.0, OpenID Connect
Related lectures
OpenAPI: the common language of APIs
Deep-dive lecture by Isabelle Mauny in room Lemaire
Monday June 12th, 14:00 - 15:30
Understand how API contracts can be written with the OpenAPI standard and leveraged across the API lifecycle, including for security.
Key takeaway: Learning about the power and extensibility of OpenAPI and its application across the API lifecycle.
Policy-as-Code: across the tech stack
Deep-dive lecture by Abhay Bhargav in room Lemaire
Tuesday June 13th, 16:00 - 17:30
Discover Policy-as-Code (PaC) for decoupled security across the stack, covering OPA for API gateways, Kyverno for Kubernetes, Tetragon & Tracee for eBPF, and Casbin & Oso for authorization. Learn how to enhance security and compliance with PaC tools.
Key takeaway: Using Open Policy Agent (OPA) for policy management, eBPF for security detection on containerized workloads, and authorization-as-code frameworks for RBAC
The unabridged history of application security
Keynote lecture by Jim Manico in room Lemaire
Wednesday June 14th, 16:00 - 17:15
This talk traces Application Security from its '60s origins marked by poor practices to today's advancements. We aim to inspire security professionals by highlighting the accelerated pace of positive changes over time.
Key takeaway: Exploring Application Security's history reveals an encouraging trend: continuous, accelerating improvement over time.