Lectures at SecAppDev 2024
SecAppDev 2024 offers three days of in-depth lectures and two days of workshops, organized in a dual-track program.
SecAppDev lectures are 90 minutes each, allowing our expert faculty members to take a deep dive into their topics. Throughout the lectures and the course, there is ample time to ask questions or discuss scenarios with our faculty members.
Winning the war in cyber
Keynote lecture by Jessica Robinson in room Lemaire
Monday June 3rd, 09:15 - 10:30
How well we adapt continues to influence our security strategies, our creativity, and our culture, in our companies and in our industry. It seems starting with ourselves is a natural place to begin.
Key takeaway: What the evolution of the security practitioner, and leader, will look like in the future in winning the daily battles in cybersecurity.
AppSec is changing
Keynote lecture by Erlend Oftedal in room Lemaire
Wednesday June 5th, 16:00 - 17:15
In this keynote we will look at how appsec has been changing over the last 10 years and discuss what might come in the future.
Key takeaway: Overview of appsec as a field and where it's going.
Cryptographic algorithms update
Deep-dive lecture by Bart Preneel in room Lemaire
Monday June 3rd, 14:00 - 15:30
An update on the most important cryptographic algorithms and a status on the migration towards post-quantum security.
Key takeaway: Which cryptographic algorithms to use for which tasks.
Practical cryptography with Tink
Deep-dive lecture by Neil Madden in room West Wing
Monday June 3rd, 16:00 - 17:30
Learn how to translate cryptography know-how into robust working code that is easy to review. Avoid common implementation pitfalls by learning how to use the modern Tink cryptographic library.
Key takeaway: Learn how to use Tink to implement cryptographic features and protocols in a robust manner.
Supercharging OAuth 2.0 security
Advanced lecture by Philippe De Ryck in room Lemaire
Tuesday June 4th, 16:00 - 17:30
Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the knowledge to implement OAuth 2.0 securely.
Key takeaway: OAuth 2.0 offers various new security enhancements, including Resource Indicators, JAR, PAR, and DPoP, designed for high-security environments.
AI Security: Essentials to Advanced
Introductory lecture by Jim Manico in room Lemaire
Monday June 3rd, 16:00 - 17:30
Unpack AI security: business impacts, ethics, LLM challenges, privacy, and regulations like the EU AI Act. Essential for secure AI deployment.
Key takeaway: Secure and ethical AI deployment requires understanding risks, regulations, and best practices in technology and governance.
Vulnerabilities of Large Language Model Applications
Deep-dive lecture by Vera Rimmer in room West Wing
Wednesday June 5th, 11:00 - 12:30
The session will start with a quick primer on data-driven AI and the key mechanisms behind LLMs. Then we will explore the general threat landscape, including academic attacks and more practical threats (OWASP Top 10 for LLMs).
Key takeaway: LLMs are a vulnerable intermediary between users and information. Increasing autonomy, complexity and integration of AI amplifies all existing risks.
A gentle intro to Ethereum and "smart contracts"
Introductory lecture by Tom Van Cutsem in room West Wing
Wednesday June 5th, 14:00 - 15:30
Ethereum is a programmable blockchain, a "world computer" powering decentralized applications. Find out how software for this "world computer" - smart contracts - is written using the Solidity language.
Key takeaway: Learn what programmable blockchains like Ethereum are all about, what kinds of applications they enable and what common pitfalls developers face.
Security-centric app development: the itsme® use case
Introductory lecture by Steve Mihy and Eric Bariaux in room Lemaire
Tuesday June 4th, 09:00 - 10:30
In this session, we will look at the history of the itsme® app and highlight how at every step security was at the forefront of the development. From the initial design to adding new features, the focus on security was never lost.
Key takeaway: The itsme® use case demonstrates how to keep security at the core of application development throughout its evolution.
A complete view of application security with OWASP SAMM
Introductory lecture by Aram Hovsepyan in room Lemaire
Tuesday June 4th, 11:00 - 12:30
This session introduces the OWASP SAMM framework and gives you a clear overview of the application security landscape. It will also help you understand how organizations should deal with software security at scale.
Key takeaway: Learn about the full scope of application security, and how activities such as secure design, coding, pen testing, DevOps fit in this view.
The Quantum threat and Post-Quantum Cryptography (PQC)
Deep-dive lecture by Bart Preneel in room Lemaire
Tuesday June 4th, 14:00 - 15:30
We discuss the status of NIST's PQC competition, IETF standards and national agencies' recommendations. We conclude with performance benchmarks and crypto agility challenges.
Key takeaway: Post-quantum standards are on their way. Implications will be increased complexity and communication and storage overhead. Crypto agility is hard.
Security foundations for modern web applications
Introductory lecture by Philippe De Ryck in room West Wing
Monday June 3rd, 11:00 - 12:30
In this session, we explore how to leverage the fundamental security model of the web for security. We also explore how to build a secure foundation for your web and API-based applications.
Key takeaway: Understand how the browser reasons about web security, and how you can leverage browser security mechanisms to secure your applications.
Introduction to Macaroons
Introductory lecture by Neil Madden in room Lemaire
Wednesday June 5th, 14:00 - 15:30
A deep dive into the workings of Macaroons, a novel authorization technique developed by Google. Learn the unique capabilities of this exciting new technology and how it is being deployed by multiple companies to secure the cloud.
Key takeaway: Learn when to use Macaroons vs other technologies for authentication tokens.
Designing “least-authority” JavaScript apps
Deep-dive lecture by Tom Van Cutsem in room West Wing
Monday June 3rd, 14:00 - 15:30
Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that are available to help contain third-party dependencies.
Key takeaway: Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.
Building Secure ReactJS Applications
Deep-dive lecture by Jim Manico in room West Wing
Tuesday June 4th, 09:00 - 10:30
Learn to secure ReactJS apps against XSS, data leaks, and more. Dive into props, dangerouslySetInnerHTML, CSS, JSON, XSS protections, and SSR. Essential for safer development.
Key takeaway: Component dynamics, unescaped props, dangerouslySetInnerHTML, JavaScript URLs, CSS, JSON, XSS defenses, lazy loading, template injection, SSR.
Security Signals - A framework to scale web security
Introductory lecture by Slawomir Goryczka in room West Wing
Tuesday June 4th, 14:00 - 15:30
Learn about Security Signals, a data-driven framework to scale web security, provide insights into security stance, and unique capabilities to manage security mitigations and remediations with high coverage, precision, and recall.
Key takeaway: Understand how and why security web infrastructure is built, used, and maintained at scale, and learn its components and the capabilities it provides.
The Past, Present, and Future of CSRF/CORF
Deep-dive lecture by Philippe De Ryck in room West Wing
Tuesday June 4th, 11:00 - 12:30
Explore the evolution of CSRF and Cross-Origin Request Forgery, their impact on modern API-based applications, and how to effectively use defenses like SameSite cookies and Cross-Origin Resource Sharing.
Key takeaway: Gain a deep understanding of CSRF attacks, the conditions that lead to vulnerability, and how to implement best practice defenses to safeguard your applications.
Secure coding: Back to Basics
Deep-dive lecture by Erlend Oftedal in room West Wing
Tuesday June 4th, 16:00 - 17:30
Learn how to write more secure code by using a set of constructs that makes it easier to get things right.
Key takeaway: How we can write more secure code with fewer flaws by making changes to how we construct the code.
Crypto policy: from CSAM to eIDAS
Introductory lecture by Bart Preneel in room Lemaire
Wednesday June 5th, 09:00 - 10:30
This talk presents a summary of 30 years of crypto wars, including the key escrow controversy, client-side scanning, and the EU's digital identity initiatives.
Key takeaway: Technology developments create a growing tension between government mass surveillance and privacy; the resulting debate shifts shape but continues.
Technical approach to Zero Trust Application Access
Introductory lecture by Gijs Van Laer in room Lemaire
Monday June 3rd, 11:00 - 12:30
This session explores Zero Trust Application Access (ZTAA), a security model emphasizing "never trust, always verify". It'll cover the basics of ZTAA and important points for building and deploying applications within this strategy.
Key takeaway: You'll learn how to deploy Zero Trust Application Access (ZTAA) in small and large businesses and how to build applications according to ZTAA.
Passkeys: the future of user authentication
Advanced lecture by Philippe De Ryck in room Lemaire
Wednesday June 5th, 11:00 - 12:30
This session explores passkeys as a replacement for complex multi-factor authentication, covering user and developer perspectives and the technical details of passkeys.
Key takeaway: Passkeys offer strong user authentication across platforms, with a fully integrated browser UI.
When network protocols meet new threat models
Introductory lecture by Mathy Vanhoef in room West Wing
Wednesday June 5th, 09:00 - 10:30
This presentation will argue that several past (wireless) protocol attacks were found by creatively thinking about threat models.
Key takeaway: Attacks only get better: either by finding new flaws or by introducing new threat models.