Lectures at SecAppDev 2024

An update on the most important cryptographic algorithms and a status on the migration towards post-quantum security.

Key takeaway: Which cryptographic algorithms to use for which tasks.

Learn how to translate cryptography know-how into robust working code that is easy to review. Avoid common implementation pitfalls by learning how to use the modern Tink cryptographic library.

Key takeaway: Learn how to use Tink to implement cryptographic features and protocols in a robust manner.

Unpack AI security: business impacts, ethics, LLM challenges, privacy, and regulations like the EU AI Act. Essential for secure AI deployment.

Key takeaway: Secure and ethical AI deployment requires understanding risks, regulations, and best practices in technology and governance.

Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the knowledge to implement OAuth 2.0 securely.

Key takeaway: OAuth 2.0 offers various new security enhancements, including Resource Indicators, JAR, PAR, DPoP, designed for high-security environments

Ethereum is a programmable blockchain, a "world computer" powering decentralized applications. Find out how software for this "world computer" - smart contracts - are written using the Solidity language.

Key takeaway: Learn what programmable blockchains like Ethereum are all about, what kinds of applications they enable and what common pitfalls developers face.

In this session, we will look at the history of the itsme® app and highlight how at every step security was at the forefront of the development. From the initial design to adding new features, the focus on security was never lost.

Key takeaway: The itsme® use case demonstrates how to keep security at the core of application development throughout its evolution.

In this session, we explore how to leverage the fundamental security model of the web for security. We also explore how to build a secure foundation for your web and API-based applications.

Key takeaway: Understand how the browser reasons about web security, and how you can leverage browser security mechanisms to secure your applications

A deep dive into the workings of Macaroons, a novel authorization technique developed by Google. Learn the unique capabilities of this exciting new technology and how it is being deployed by multiple companies to secure the cloud.

Key takeaway: Learn when to use Macaroons vs other technologies for authentication tokens.

Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that are available to help contain third-party dependencies.

Key takeaway: Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.

Learn to secure ReactJS apps against XSS, data leaks, and more. Dive into props, dangerouslySetInnerHTML, CSS, JSON, XSS protections, and SSR. Essential for safer development.

Key takeaway: Component dynamics, unescaped props, dangerouslySetInnerHTML, JavaScript URLs, CSS, JSON, XSS defenses, lazy loading, template injection, SSR.

Learn about Security Signals, a data-driven framework to scale web security, provide insights into security stance, and unique capabilities to manage security mitigations and remediations with high coverage, precision, and recall.

Key takeaway: Understand how and why security web infrastructure is built, used, and maintained at scale, also learn its components and capabilities it’s providing.

Explore the evolution of CSRF and Cross-Origin Request Forgery, their impact on modern API-based applications, and how to effectively use defenses like SameSite cookies and Cross-Origin Resource Sharing.

Key takeaway: Gain a deep understanding of CSRF attacks, the conditions that lead to vulnerability, and how to implement best practice defenses to safeguard your applications.

Learn how to write more secure code by using a set of constructs that makes it easier to get things right.

Key takeaway: How we can write more secure code with less flaws by making changes to how we constructs the code.

This talk presents a summary of 30 years of crypto wars including the key escrow controversy, client-side scanning, and EU's digital identity initiatives.

Key takeaway: Technology developments create a growing tension between government mass surveillance and privacy; the resulting debate shifts shapes but continues.