Full schedule for SecAppDev 2024

How well we adapt continues to influence our security strategies, our creativity, and our culture, in our companies and in our industry. It seems starting with ourselves is a natural place to begin.

Key takeaway: What the evolution of the security practitioner, and leader, will look in the future in winning the daily battles in cybersecurity.

This session explores Zero Trust Application Access (ZTAA), a security model emphasizing "never trust, always verify". It'll cover the basics of ZTAA and important points for building and deploying applications within this strategy.

Key takeaway: You'll learn how to deploy Zero Trust Application Access (ZTAA) in small and large businesses and how to build applications according to ZTAA.

An update on the most important cryptographic algorithms and a status on the migration towards post-quantum security.

Key takeaway: Which cryptographic algorithms to use for which tasks.

Unpack AI security: business impacts, ethics, LLM challenges, privacy, and regulations like the EU AI Act. Essential for secure AI deployment.

Key takeaway: Secure and ethical AI deployment requires understanding risks, regulations, and best practices in technology and governance.

In this session, we will look at the history of the itsme® app and highlight how at every step security was at the forefront of the development. From the initial design to adding new features, the focus on security was never lost.

Key takeaway: The itsme® use case demonstrates how to keep security at the core of application development throughout its evolution.

This session introduces the OWASP SAMM framework and gives you a clear overview of the application security landscape. It will also help you understand how organizations should deal with software security at scale.

Key takeaway: Learn about the full scope of application security, and how activities such as secure design, coding, pen testing, DevOps fit in this view.

We discuss the status of NIST's PQC competition, IETF standards and national agencies' recommendations. We conclude with performance benchmarks and crypto agility challenges.

Key takeaway: Post-quantum standards are on their way. Implications will be increased complexity and communication and storage overhead. Crypto agility is hard.

Discover how to apply OAuth 2.0 in high-security scenarios, exploring its latest security enhancements. Learn about advanced features like Resource Indicators, JAR, PAR, and DPoP, gaining the knowledge to implement OAuth 2.0 securely.

Key takeaway: OAuth 2.0 offers various new security enhancements, including Resource Indicators, JAR, PAR, DPoP, designed for high-security environments

This talk presents a summary of 30 years of crypto wars including the key escrow controversy, client-side scanning, and EU's digital identity initiatives.

Key takeaway: Technology developments create a growing tension between government mass surveillance and privacy; the resulting debate shifts shapes but continues.

This session explores passkeys as a replacement for complex multi-factor authentication, covering user and developer perspectives and the technical details of passkeys.

Key takeaway: Passkeys offer strong user authentication across platforms, with a fully integrated browser UI.

A deep dive into the workings of Macaroons, a novel authorization technique developed by Google. Learn the unique capabilities of this exciting new technology and how it is being deployed by multiple companies to secure the cloud.

Key takeaway: Learn when to use Macaroons vs other technologies for authentication tokens.

In this keynote we will look at how appsec has been changing over the last 10 years and discuss what might come in the future.

Key takeaway: Overview of appsec as a field and where it's going

The OWASP ModSecurity WAF engine and it's rule set counterpart OWASP CRS is the dominant team in the WAF world. Most commercial products are based on CRS and very often also ModSecurity. The key characteristic is the high detection rate and the transparency of the rule set. The generic nature of the rule set also comes with a painful downside: false positives.

In this one day workshop, we will look into the configuration of the WAF, we will write a few rules and we will namely fight false positives. The workshop is all you need to understand the basics and to get you started with WAF.

Learning goal: This workshop aims to equip participants with the skills to perform basic WAF configuration, write and read simple ModSecurity rules, and handle false positives.

This hands-on, interactive training will teach participants how their applications can benefit from external authorization and how they can implement this using Open Policy Agent (OPA), a modern solution to realize the PIP-PAP-PEP-PDP model and an accessible alternative to XACML-based solutions. OPA is application agnostic and allows writing policies as code in the Rego policy language. Through this policy engine, participants will learn how to manage access away from their applications, which will help them to address the current number one risk of the OWASP Top 10: Broken Access Control.

Learning goal: Participants will understand the benefits of externalizing authorization and will be able to do so in practice, while at the same time understanding the limitations of such an architecture.