The objective of the session is to provide an overview of "privacy research" within computer science and the way in which this research is instrumental for privacy engineering today.
Abstract For many developers, privacy is not a separate concept. It is often considered to be equivalent to security, or the responsibility of the legal department. The General Data Protection Regulation (GDPR) explicitly requires data protection by design. However, GDPR lacks detailed guidance on how to fulfill this requirement in applications. Thankfully, in the last decade, computer scientists have embarked upon research to develop technical privacy solutions to help fill this gap.
The objective of this talk is to provide an overview of "privacy research" within computer science. We explore how this research plays an instrumental role in privacy engineering today. Concretely, this talk highlights different concepts of privacy and demonstrates ways to address different pieces of the privacy problem through technical design. In particular, I will introduce three dominant research paradigms on privacy that are fundamental to building applications that attend to the privacy requirements of different stakeholders. Using this knowledge, you will be better positioned to build privacy-sensitive applications.
This session is intended for anyone building, designing or maintaining applications.
Novel safe systems programming languages and new hardware extensions can significantly improve the security of software.
Abstract The war between attackers and defenders in low-level languages has been ongoing for decades. Software written in C-like languages suffers from a set of specialized attacks. Consequentially, such software needs dedicated defenses to counter such attacks. This session highlights interesting new trends with game-changing potential.
New safe systems programming languages improve the current landscape. A language such as Mozilla's Rust helps prevent the introduction of memory safety vulnerabilities. At the same time, it also helps prevent data races in multi-threaded code. Complementary, the revival of hardware support for capabilities significantly changes the landscape. Such hardware makes it possible to provide safety guarantees for legacy C code efficiently. It supports the compartmentalization of software so that a vulnerability in one part of the code can be contained. This session gives an overview of these exciting and promising new technologies.
This session is intended for software developers using C or a related programming language, and anyone interested in fundamental new developments in software security.
The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.
Abstract The web has undergone a dramatic transformation since the first static HTML documents. However, the underlying security model remains mostly unchanged. Its flaws have resulted in nefarious security vulnerabilities. But to be fair, the security model is also the foundation of many modern defenses. And in today's client-side applications, the web's security model is an essential cornerstone.
In this session, we make this underlying security model explicit. We show that the Same-Origin Policy is too liberal. As a result, we suffer from attacks such as Cross-Site Request Forgery, cross-site scripting, and more. We also explore how you can leverage the security model for better security. You will learn how to leverage concepts such as domain separation and origin isolation. Overall, this session offers the foundation for other web security topics here at SecAppDev.
This session is intended for anyone building, designing or securing web applications.
Despite proclamations of the obsolescence of passwords, they remain an essential component of user authentication. Many long-accepted tenets of password-based authentication need to be reexamined.
Abstract Passwords have been around for a long time. They are by far the widest-deployed way of authenticating users. Passwords suffer from many well-known and well-researched weaknesses. Nonetheless, numerous applications still rely on passwords, even in a security-sensitive context. Passwords even remain the most commonly used first factor in multi-factor authentication systems. Regardless of their popularity, many voices call for discarding passwords altogether. After all, would it not be better to have a stronger and more usable authentication mechanism?
In this session, we take a closer look at password-based authentication. We investigate many commonly-made implementation mistakes and better alternatives. We investigate how to make security work for your users, instead of working against them. In the end, you will walk away with a modern set of best practices for handling password-based authentication. Both your application and your users will benefit from these new insights.
This session is intended for anyone designing or implementing password-based user authenticationanyone building, designing or securing web applications
DevOps is dramatically changing the way software is being built and delivered. This talk aims to give you practical advice on how to use DevOps as an advantage in your application security program.
Abstract The way that software is being deployed is undergoing a massive transformation. As a result, security teams are at a point where they must adapt or be left in the dust. Traditional application security used to be heavyweight and human-driven. Tasks are more often than not mostly manual efforts. Time-consuming security testing often breaks down in an automated world. Dynamic vulnerability scanning and manual code reviews are incompatible with a world where code changes are automatically being pushed to production hundreds of times per day.
This talk will share lessons learned from helping teams of all sizes and maturity levels with their transformation to a DevSecOps model where security goes from being a blocker to an enabler. Specifically, we will cover some of the tools and processes you can start using right now. These tools allow you to start adding real value to your organization through enhanced visibility, vulnerability discovery, and feedback loops. It is time to adapt and embrace a new era of security.
This session is intended for anyone involved in the development or deployment of secure applications and infrastructure.
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The talk will cover real use cases covering the different stages of threat modeling.
Abstract Threat modeling is the primary security analysis performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities. The activities in the threat modeling stage help you find design flaws in your application and its supporting architecture. You can use these identified vulnerabilities to help shape your design and direct and scope your security testing.
Unfortunately, there is a gap between academic knowledge of threat modeling and the real world. In this session, we aim to minimize this gap through a set of practical use cases. These use cases are derived from real-world projects. This session explains a 4 step threat modeling approach covering four main questions:
(1) What are we building? (2) What can go wrong? (3) What are we doing to mitigate this? (4) How do we follow-up on our threat model?
Additionally, we cover the integration of threat modeling in traditional, agile and DevOps activities.
This session is intended for Software developers, architects, system managers and security professionals.
The OWASP top ten of proactive controls is a list of security techniques that should be included in every software development project. This session covers the 2017 top 10 of proactive controls.
Abstract Software developers are the foundation of any application. But building secure software requires a security mindset. Unfortunately, obtaining such a mindset involves a lot of learning from a developer.
The OWASP top 10 of proactive controls aims to lower this learning curve. It covers ten essential security controls in virtually every application. This session gives an overview of 10 common security problems, and how to address them. We will go over numerous security anti-patterns and their secure counterparts. Throughout the session, you will get a good overview of common security issues. In the end, you walk away with a set of practical guidelines to build more secure software.
This session is intended for anyone building, designing or securing applications.
In recent years, Google has made significant changes to WebViews. While the security behavior of a WebView has improved, its introduction remains a significant change to the threat model.
Abstract The (Android) WebView is an embeddable component that powers the majority of internet-enabled of apps. WebViews are popular because they are flexible – offering cross-platform code reuse. However, Webviews transport problems of the Web model into the app and then add some new problems.
In this session, we explore some WebView-related problems. First, we focus on traditional web attacks, such as connection hijacking and XSS. Next, we focus on the underlying model of web-enabled mobile apps. The bundling of local resources and web-based content rendered in the same container has a significant impact. In this security model, a Same Origin Policy bypass extends to accessing the device file-system and stealing juicy user data. Even worse, such an attack may even remotely target other applications by using the WebView as a proxy. Finally, WebViews present a security management problem that is just as important to understand: which risks do I not control?
This session is intended for app testers and developers using WebViews.
This session shows by example how attackers exploit common vulnerabilities. For each issue, we cover the cause, the impact, and – most importantly – ways to avoid or mitigate the vulnerability.
Abstract Today, almost all software heavily relies on the use of third-party dependencies. While open source modules are undoubtedly awesome, they also represent an undeniable and massive risk. You’re introducing someone else’s code into your system, often with little or no scrutiny. Including the wrong package can introduce severe vulnerabilities, exposing your application and your user's data.
In this session, we will demonstrate common vulnerabilities in our sample application, Goof. This application uses vulnerable libraries, just like many applications out there. For each issue, we explore why it happened, show its impact, and – most importantly – see how to avoid or fix it. Example vulnerabilities are the infamous Struts vulnerability, credited for the Equifax hack, Spring Break, and others.
This session is intended for anyone building (Java) web applications.
Abstract The major cause of web service and web application insecurity is insecure software development practices. This highly intensive and interactive 1-day bootcamp provides essential application security training for web application and web service developers and architects.
This workshop is intended for web and API developers
OAuth 2.0 and OpenID Connect are complex protocols to enable delegation and authentication. This session covers their meaning and highlights some potential security pitfalls you want to avoid.
Abstract OAuth 2.0 is likely one of the most complex aspects of modern web applications. It is often mistakenly assumed that OAuth 2.0 offers authentication and authorization. Instead, OAuth 2.0 only offers delegation. To make matters more complicated, there are at least six different OAuth 2.0 flows, each for a particular purpose. On top of that, OpenID Connect (OIDC) redefines some of these flows to enable authentication explicitly.
In this talk, we will clear up the confusion about OAuth 2.0 and OIDC. We will explain the purpose and properties of most relevant flows. We explore how to use OAuth 2.0’s delegation mechanism to enable authorization on a backend. Finally, we will look at using OIDC for end-user authentication with a third-party provider. At the end of this talk, you will have a solid understanding of OAuth 2.0/OIDC and how to use it in your applications.
This session is intended for anyone dealing with authentication and API access in web and mobile applications.
Building secure applications involves much more than writing secure code statements. Only when you understand this, your organization will become effective in this.
Abstract Modern software is expected to meet basic security and privacy properties. Unfortunately, many organizations struggle to build software that meets these properties. Security always seems to conflict with other business interests, often making it an unfavorable task.
This session investigates how to address the problem in a structured manner. We look at the typical elements that occur in a secure development lifecycle. We discuss different perspectives and illustrate how various activities contribute to software security. Additionally, we explore the relationship between an SDLC and maturity models. Together, these tools allow you to map out your security strategy. In essence, this session provides you with the necessary structure to frame the rest of the course.
This session is intended for all stakeholders involved in software construction.
Passwords alone are limited in the security they can provide. Wider deployment of effective multi-factor authentication is needed to improve security in the presence of higher-risk applications and more advanced threats.
Abstract In today's web, it is fair to say that threats against authentication are worse than ever before. We urgently need to increase the security of our applications by deploying multi-factor authentication. However, there is a myriad of different mechanisms. Some of these provide little more than a false sense of security. Others, in turn, provide excellent protection against a comprehensive range of threats. How can you tell these mechanisms apart? And which one is right for your application?
In this session, we discuss a variety of ways to tackle authentication. For each mechanism, we dive into the threats it can and cannot address. By tying these mechanisms together, we show how to build a comprehensive authentication solution. Additionally, we discuss account recovery and biometric authentication methods.
This session is intended for anyone designing or implementing authentication for moderate- and high-risk applications.
Discover a technology stack that allows us to construct distributed software systems with well-defined security guarantees. We will address testing, formal verification, and runtime isolation.
Abstract Software vulnerabilities occur when a system can be abused in ways not anticipated by the designers, developers or testers. However, the current approach to finding vulnerabilities resembles the search for a needle in a haystack. Modern testing techniques promise to systematize this search. Complementary, formal verification provides convincing arguments for the absence of vulnerabilities. But these arguments often overlook that the verified software does not run in an isolated environment.
This talk focuses on modern approaches to automated testing, formal software analysis, and verification. Many of these tools and techniques integrate efficiently with current approaches to secure software development and security testing. Furthermore, we explore how to integrate a verified component in an untrusted infrastructure. Learn what is possible today through a couple of industrial cases and large-scale verification efforts!
This session is intended for architects, developers, testers, software security, and verification engineers.
Cryptographic algorithms include stream/block ciphers, hash functions, MAC algorithms, authenticated/public key encryption schemes, and digital signatures. This session focuses on their properties, and on what they can and cannot do for you.
Abstract The cryptographic algorithm zoo includes stream ciphers, block ciphers, hash functions, MAC algorithms, authenticated encryption schemes, public key encryption, and digital signature schemes. These cryptographic building blocks can be used to offer strong security properties. However, each of these algorithms has different security properties and serves a specific purpose. To avoid creating vulnerabilities, a good understanding of these algorithms is essential.
In this session, we zoom in on each of these algorithm types. We will investigate their properties, what they can and cannot do for you, and how to use them correctly. In the end, you will be able to select the right algorithm for the challenges you're trying to solve. In essence, you will be able to find your way in the algorithm zoo.
This session is intended for anyone building, designing or securing applications.
The OWASP SAMM maturity model allows you to assess your current security activities. It also helps you set out a strategy to improve the practices within your organization.
Abstract A modern Secure Software Development Lifecycle (SDLC) consists of numerous activities. Blindly adopting certain security activities is unlikely to yield the expected results. Instead, improving software security should be a deliberate action, following a well-defined plan. Unfortunately, building such a plan requires a lot of knowledge and expertise.
In this session, we will explore the OWASP SAMM maturity model. This model bundles a lot of knowledge and expertise around building secure software. Using SAMM, you can measure your current security practices regarding software development. It frames those practices in an organizational context. Furthermore, it helps you define a roadmap towards future improvements. Through group discussions and experience sharing, you will learn how to apply SAMM in your organization. If you are serious about improving secure development, this session is for you!
This session is intended for all stakeholders involved in software construction.
Entity authentication goes further than verifying passwords. This session focuses on the properties of various authentication factors and protocols, including securely establishing cryptographic keys.
Abstract Entity authentication is about providing proof related to an identity. The most straightforward example of entity authentication is a password. Passwords are a vulnerable, but cheap and convenient way of authenticating an entity. However, in today’s reality, passwords on their own are not enough.
That's where authentication protocols and key establishment protocols come into the picture. In this session, we dive deep into entity authentication. We discuss common authentication factors, such as smart cards, tokens or biometrics. These authentication factors play an important role in deploying multifactor authentication schemes. We investigate the use of authentication servers and authentication protocols. Finally, we analyze the challenges faced by key establishment protocols.
This session is intended for anyone building, designing or securing applications.
We are moving more sensitive data into mobile applications than ever before. However, at what cost to security? This talk provides an overview of how mobile apps are being attacked and what defenses exist.
Abstract As we surpass 2.5 billion smartphones in use worldwide, mobile application security is no longer a theoretical discussion. Mobile applications are suffering from major data breaches at a staggering rate. Mobile applications present a different set of challenges than traditional web apps. As such, we must prepare accordingly.
This talk is an introduction to attack and defense methods for both builder and breakers of Android and iOS applications. We will explore a number of topics that will better arm you to assess and improve the security of mobile applications. We will talk about the system security of Android and iOS. We will cover common security issues in mobile applications. You will learn about the available mobile application security controls. Finally, we also give an overview of how to test for security issues in mobile applications.
This session is intended for anyone involved in the development of mobile applications.
Abstract Toreon proposes an action-packed 1 day Threat Modeling workshop as taught at OWASP, Black Hat USA and O’Reilly Security conferences. In groups of 3 to 4, participants are challenged to threat model two real-life use cases: a REST-based web application and an on-site IoT deployment.
This workshop is intended for software developers, architects, system managers or security professionals
Containerized deployments have a significant impact on security. Here, we explore the challenges and investigate how Istio's security mechanisms can be used to increase security.
Abstract Container-based deployments are on the rise. A container-based deployment model is mostly independent of an environment and provider. As a result, many organizations start using them to achieve a higher degree of flexibility. Unfortunately, a containerized world brings new threats and challenges into the world.
In this session, we will investigate some threats in containerized applications. The container system itself handles some of these challenges. Others need to be handled elsewhere. One way to address these is handling them in the application. Another is using additional isolation mechanisms. Concretely, we will investigate Istio. You will learn what Istio is and how it works. More importantly, we will explore how Istio can help us solve some of the security issues generically.
This session is intended for anyone deploying their applications in containers.
Fingerprints sensors on Android devices provide a significant usability benefit. However, it relies on many cooperating parts which if implemented or used incorrectly puts the device user at risk.
Abstract Many smartphones and computers today contain a fingerprint sensor. Fingerprints are convenient for quick authentication and authorization decisions. But what security properties do fingerprint mechanisms provide? Moreover, are implementations of this technology actually secure?
In this session, we look at research-based data on the Android Fingerprint mechanism. We report the results of reversing and testing actual implementations from device manufacturers. We compare those against a reference model to describe the security elements that a real implementation should meet. This threat model makes a distinction between a "normal world" and a "secure world". In practice, the former corresponds to apps, and the latter to Android system processes, such as the kernel and the Trusted Execution Environment. Finally, we look at actual attacks against these systems using real-world (anonymized) examples.
This session is intended for anyone using or assessing the use of fingerprints for authentication and/or authorization.
PKIs ensure the secure delivery and management of public keys. One example is the ecosystem supporting HTTPS, but PKIs are also used in payment systems (EMV) or intranets. This session covers how to manage keys, certificates, and revocation.
Abstract The function of a Public Key Infrastructure (PKI) is to ensure secure delivery and management of public keys. The most widely used PKI is the ecosystem supporting HTTPS. This ecosystem heavily depends on certificate authorities to ensure the validity of a certificate, but alternative trust models exist as well. In fact, different trust models lead to different key architectures.
In this session, you will discover what is needed to build and deploy a PKI. At its core, a PKI is about publishing public keys using digitally signed certificates. However, when a private key may be compromised, you also need to be able to revoke a certificate. As history has shown us, revocation is harder than you may imagine. We explore a couple of alternatives, including Certificate Revocation Lists (CRL), and the Online Certificate Status Protocol (OCSP). In the end, you will understand how public PKIs work. You will also have a list of requirements and best practices for setting up a private PKI system.
This session is intended for anyone building, designing or securing applications.
In this opinionated live-coding session we show how to design and implement access control for APIs.
Abstract In this opinionated live-coding session we show how to design and implement access control for APIs. API keys are an easy and commonly used technique. However, the security guarantees afforded are minimal. JSON Web Tokens (JWT) are much more granular and need not rely on shared keys. Since token validation and authorization logic are cross-cutting concerns typically requiring distinct skills, it is desirable to separate them from the business logic implementing resources to be accessed.
In this session, we implement the latter on a FaaS (Function as a Service) platform with an API Gateway acting as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture. We illustrate the use of an OAuth authorization server in combination with JWTs to secure API access from a Single Page Application (SPA).
This session is intended for anyone building, designing, securing, or consuming remote APIs.
"Cloud-native" is the hottest buzzword in the world of DevOps. This talk aims to break down the security implications around some of the most popular technologies such as Cloud, Kubernetes, and Docker.
Abstract The "cloud-apocalypse is already here. Don't be the one who missed the boat when it comes to security. This talk will discuss how cloud-native technologies have impacted security for better or worse. If carefully navigated, this new world can actually be a good place for all of us who care deeply about security and privacy.
We will discuss all things Cloud, containers, Kubernetes, and beyond as well as explore some frameworks for evaluating the security and readiness of these modern cloud-native technologies. We will also reminisce over some recent security war stories that these projects have endured to get where they are today.
This session is intended for developers, QA, Security Engineers, and anyone interested in how the cloud is transforming our security landscape.
Today, blockchain applications dominate the tech news. But what are the underlying security properties of these mechanisms? In this lecture, we look at the technology, its strengths, and its weaknesses.
Abstract The Bitcoin ecosystem had a bumpy start, but today, it dominates the news cycles. Next to financial applications, we also see the adoption of smart contract platforms, such as Ethereum. Overall, these technologies have inspired novel solutions to distributed trust based on blockchains (or distributed ledgers). But how do these technologies work in practice? Is every product based on the blockchain today useful?
This lecture, we take a look at the core principles behind cryptocurrencies and smart contracts. Additionally, we look at real-world use cases for these technologies. Additionally, we look at a more controlled form of a blockchain, known as a permissioned ledger. Rest assured, we will see past the hype and highlight the strengths and weaknesses of these approaches.
This session is intended for anyone building, designing or securing applications.
Modern processors provide Trusted Execution Environments that allow you to protect software components even from an untrusted operating system. Learn when and how to use them!
Abstract Imagine that you have developed the perfectly secure piece of software. You did your best engineering effort; you used safe programming languages; you tested it thoroughly; you even did a bit of formal verification for the most critical parts. Now you want to deploy it, and you realize that you can't really trust the client's PC, their software stack to be up-to-date, or even their operating system to not tamper with your software. How could you possibly protect your software from malicious low-level interactions?
In this session, you will learn how to leverage component isolation and remote software attestation as provided by modern Trusted Computing techniques. A number of processors provide different variants of these security primitives: Cloud providers allow you to run SGX enclaves, mobile devices feature TrustZone technology, and with Sancus there is even an emerging solution for light-weight embedded devices. The session will focus on using these platforms to build secure distributed applications.
This session is intended for architects, developers, testers, software security, and verification engineers.
To operate their malicious activities, cybercriminals register a constant flux of domain names. In this talk, we explore their modus operandi and discuss mitigations at the registry level.
Abstract This session reports on an extensive analysis of 14 months of domain registration in the .eu TLD. In particular, we investigate domain names that are registered for malicious purposes (such as spam, phishing, botnets C&C, ...). The goal of our research is to understand and identify large-scale malicious campaigns and to detect and prevent malicious registrations early.
We explore the ecosystem and modus operandi of elaborate cyber criminal entities that recurrently register large amounts of domains for single, malicious use. We further report on insights in the operational aspects of this business and observe, for instance, that their processes are only partially automated.
Finally, we present our automatic prediction system, that classifies at registration time whether a domain name will be used maliciously or benign. As such, malicious domain registrations can effectively be prevented from doing any harm. As part of the talk, we discuss the first results of this prediction system, which currently runs in production at EURid, the registry of the .eu TLD.
This session is intended for anyone interested organized cyber-crime, or in the use of data mining and machine learning for security.
Abstract This technical course is geared towards defenders. It focuses on the ins and outs of taking containers from a developer’s laptop to production Kubernetes clusters. We cover numerous security 'gotchas' around building a modern cloud infrastructure. Each student will be provided with a production-ready Kubernetes cluster hosted in Google Container Engine (GKE) This workshop is intended for developers, system administrators, security testers, anyone working with or moving towards Kubernetes
Modern development environments using agile and/or DevOps approaches require a different approach. This session explores ways to approach security in a more automated and distributed approach.
Abstract Integrating security in a traditional, slow-paced software development process is already a challenge. Today, software development lifecycles are getting shorter. Extreme ecosystems have a deployment every few seconds. Integrating security activities in such an environment poses a significant challenge.
In this session, we zoom in on the challenges encountered in a modern development environment. We explore security in an agile environment. There, activities need to meet short development cycles, business-driven development, and low documentation practices. Additionally, we look at the impact of DevOps on security. Concretely, we cover Continuous Integration (CI) / Continuous Deployment (CD) and the need for automation. We will look at integrating security in such an automated build pipeline. In the end, you will have a good overview of how to approach security in a modern development environment.
This session is intended for all stakeholders involved in software construction.
The talk session will provide a comprehensive overview on client-side Cross-site Scripting (aka DOM-based XSS), both from a offensive as well as form a defensive point of view.
Abstract The term "Client-side Cross-site Scripting" describes a sub-class of XSS vulnerabilities, also known as DOM-based XSS. These vulnerabilities are caused by insecure JavaScript within the browser. These client-side vulnerabilities are as potent as their server-side counterparts. However, they have always remained in the shadow, mainly due to a perceived significantly smaller attack surface. But is that a correct assessment? What happens with the recent push towards client-side applications?
In this session, we provide a comprehensive overview of client-side XSS. We illustrate that approximately 10% of all websites suffer from this problem. We investigate why the problem is so hard to contain. We will take a deep-dive into one of the major issues on the web today: vulnerabilities in third-party code. In the end, you will have a solid understanding of the danger of client-side XSS. You will know how to identify these problems, and how to prevent them.
This session is intended for anyone building web and JavaScript applications.
Cryptography is often used in an incorrect or insecure fashion. This session outlines the current best practices, including an extensive list of recommended protocols and algorithms.
Abstract All too often, cryptography is misunderstood and misused. As a result, systems often suffer from complex and hard-to-find vulnerabilities. However, even when used correctly, selecting the right algorithm from a list of similar options is a hard task. To use cryptography well, application architects and developers need to make informed choices.
This session provides the proper information to make well-informed choices. Throughout this session, we will compile a set of best practices for using and deploying cryptographic algorithms. We cover topics such as cipher strength, key management, cryptographic libraries, and different PKI architectures. However, we also look at innovative ways of using cryptography, such as obfuscation and watermarking. In the end, you will walk away with a set of best practices for using modern cryptographic algorithms.
This session is intended for anyone building, designing or securing applications.
This session explores some modern web application vulnerabilities, as often observed in bug bounty programs. We discuss the threat, as well as the available defenses.
Abstract The highest ranking vulnerability in the OWASP top 10 is still SQL injection. Even today, SQL injection still poses a significant threat. However, the web security landscape has evolved significantly in the last decade. Today, we see new development paradigms appear. Think about the rise of Single Page Applications, APIs, and the use of technologies such as OAuth 2.0 and JWT. We also see a change in security programs, with bug bounty programs leading the way.
In this session, we explore the impact of bug bounty programs on security research. We go over a few concrete cases, highlighting new takes on old vulnerabilities, as well as new attacks. And most importantly, we look at how to defend your web application against these new types of attacks.
This session is intended for anyone designing, securing, breaking or developing web applications.
In the last two decades, technology has had a significant impact on everyone's lives. In this lecture, we analyze how main information technology trends made their impact on the security and privacy of citizens.
Abstract If you are not doing anything wrong, you have nothing to hide. This argument is often used, but not always easy to counter. In the last two decades, technology has had a significant impact on everyone's lives. Some may argue that these changes are pushed upon us by major corporations. However, others argue that we bring all this technology in ourselves. Just look at the myriad of smart devices in a modern household.
In this lecture, we analyze a number of leading information technology trends. We investigate their impact on the security and privacy of citizens. Topics that are covered include the IoT, cloud and edge computing, big data and AI. We also look at the growing role of law enforcement, intelligence services and the military in cyberspace.
This session is intended for anyone building, designing or securing applications.
HTTPS and SSL/TLS have been under fire for years. In this session, we explore the impact of several attacks. We also discuss several new browser defenses to mitigate these attacks.
Abstract HTTPS/SSL/TLS has been under fire for years. FREAK, POODLE, BEAST, and CRIME represent practical cryptographic attacks. Add to that an inherently weak CA system, and you end up with a large number of insecure HTTPS deployments.
However, recent browser-based defenses significantly improve the security properties of HTTPS. This session dives deep into the security properties of the HTTPS protocol. We explore problems with legacy features and their impact. And most important, we will talk about new defenses to improve your HTTPS deployment. You will walk away with a set of best practices to offer your users the most secure HTTPS experience possible.
This session is intended for anyone working on network-based applications.
2018 was the year speculative execution vulnerabilities caused havoc in the IT industry. In this talk, we discuss the Foreshadow/L1TF vulnerability, its cause, its impact and how to mitigate it.
Abstract Today's societies rely heavily on isolation mechanisms provided by microprocessors. Unfortunately, this year it became clear that chip designers made serious security errors during the design of their processors. By exploiting subtle design flaws, attackers can break such fundamental isolation primitives.
Last August, we disclosed our Foreshadow attack after going through an 8-month coordinated disclosure process with Intel. This attack enables attackers to access any data present in the L1D cache, even across protection domains. This required both microcode patches as significant changes in the process and virtual machine scheduler. The total cost of these defenses runs in the billions of dollars. In this session, we will discuss how Foreshadow and related speculative execution attacks operate, how the vulnerabilities they exploit got introduced in the first place, and how they got mitigated. We will also discuss how the industry as a whole should prepare for any future attacks to come.
This session is intended for anyone interested in how low-level security architectures can be bypassed by speculative execution side-channels.
The GPDR imposes a number of privacy obligations and data protection requirements. In this session, we investigate how to address these requirements in your applications using technical design.
Abstract Almost everyone has heard of the General Data Protection Regulation (GDPR). But what does the GDPR mean for software developers? Which obligations does the GDPR stipulate? Which requirements does it impose for data protection? And most importantly, how do you address these obligations using technical design?
In this session, we start from the overview of the GDPR requirements. From there, we zoom in on state-of-the-art research addressing purpose limitation, transparency, sensitive data, accountability, risk management, and data subject rights. When possible, we look into recommendations for developers published by various data protection authorities. Additionally, we draw from ongoing disputes around (the lack of) data protection by design. In the end, you will have an overview of the requirements of the GDPR and how to address them technically.
This session is intended for anyone building, designing or maintaining applications
Content Security Policy (CSP) is one of the most promising defenses against XSS vulnerabilities. Here, we revisit the history of CSP, discuss weaknesses and bypasses, and show how to build strong policies.
Abstract Content Security Policy (CSP) was first introduced in 2012. It should have been a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. New versions of CSP were released to address usability and compatibility for developers. Unfortunately, researchers discovered many bypasses and vulnerabilities in real-world CSP policies. The latest problem is known as script gadgets, where data is turned into code by legitimate functionality.
In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP level 1 and work towards the latest level 3 version. We discuss CSP's features, potential bypasses, and pitfalls to avoid. In the end, you will have gained the knowledge to deploy a secure and effective CSP policy.
This session is intended for anyone building, designing or securing web-based applications.
TLS is one of the most widespread secure communication protocol on the Internet. We present the formal guarantees that its latest iteration provides for its users.
Abstract The history of SSL/TLS goes all the way back to SSL 2.0. Since the original protocol, the standard for secure communication on the internet has seen many iterations. Currently, many systems run on TLS 1.2. Unfortunately, this evolution has been principally driven by a break-and-fix cycle. Often, the users of these protocols suffer the damaging consequences. In August 2018, the latest iteration, TLS 1.3 was released. This was the result of a long process which grouped the expertise of both engineering and security researchers.
In this session, we will look at the different formal guarantees that this new iteration provides. Concretely, we look at mutual authentication, forward secrecy or secure channels. We will make use of the building blocks of cryptography (public-key encryption, DH key exchange, AEAD, etc.) to explain which elements of the protocol help in providing the different guarantees. We show how TLS 1.3 brings significant improvements over older versions. In the end, you will be able to select the most appropriate security for your applications.
This session is intended for anyone wishing to approach TLS for research or deployment.
At the surface, JWTs look simple. In this session, we dig deeper into the security properties of JWTs. We look at common misconceptions and mistakes. We also look at advanced features, such as encryption.
Abstract JSON Web Tokens (JWT) have become the de facto standard to transfer application claims between the client and the server. By design, they incorporate the use of signatures to ensure the integrity of the data. However, merely signing the data alone is not enough to guarantee security.
In this talk, we zoom into the security properties of JWTs. After introducing the different signature schemes, we dive into the hard parts nobody talks about. How do you manage and identify the keys used for the signature? How do you handle key rotation? And what about encrypting JWTs? This talk answers all these questions. You will walk away with a set of best practices for adequately securing JWTs.
This session is intended for anyone building, designing or securing web applications
Cookies have been around for more than 20 years, and have a large impact on online security and privacy. We evaluate whether the implemented safeguards are always behaving as expected.
Abstract Nowadays, cookies are the most prominent mechanism to identify and authenticate users on the Internet. While not directly accessible across origins, cookies are present on all cross-site requests. These so-called third-party cookies enable both cross-site attacks and third-party tracking. To mitigate these nefarious consequences, various countermeasures have been developed. Some come in the form of browser extensions, while others are built into the browser. One well-known example is Safari's Intelligent Tracking Protection (IPT). Unfortunately, these mechanisms are not as effective as one might hope.
In this session, we explore the current landscape of cookie security policies. We show how to bypass many security mechanisms using novel attack techniques. Additionally, we illustrate how even built-in security mechanisms can be circumvented. You will walk away with a solid understanding of third-party cookies in the modern web. As a user, you will learn how to protect yourself better. As a developer, you will learn how to handle cookies more securely.
This session is intended for anyone with an interest in privacy on the web; anyone who want to securely make use of cookies
The OWASP ASVS lists over 150 security requirements for modern applications. In this session, we explore how to use the ASVS to drive various activities in your security program.
Abstract Some people are under the misconception that if they follow the OWASP top 10 that they will have secure applications. But in reality, the OWASP Top Ten (and other top ten lists) are just the bare minimum for the sake of entry-level awareness. They do not constitute a sustainable security program. Instead, a more comprehensive and structured understanding of application security is needed. The OWASP Application Security Verification Standard (ASVS) delivers precisely that.
This talk delivers an in-depth look at the OWASP ASVS. We start by comparing the ASVS to the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018. Next, we explore how to use the ASVS as a basis for a rigorous security program. We illustrate how to use the ASVS as a basis for development requirements or security testing. Finally, we compare the current ASVS version (3.1) to the upcoming 4.0 release.
This session is intended for anyone aiming to adopt secure-by-design development practices