SecAppDev 2019 has ended


Security activities
Monday, February 18
 

14:00

Zero to DevSecOps - security in a DevOps world
DevOps is dramatically changing the way software is built and delivered. This talk gives practical advice on turning DevOps into an advantage for your application security program.


Abstract
The way software is deployed is undergoing a massive transformation, and security teams must adapt or be left behind. Traditional application security was heavyweight and human-driven: most tasks were manual efforts, and time-consuming security testing breaks down in an automated world. Dynamic vulnerability scanning and manual code reviews are incompatible with a world where code changes are pushed to production hundreds of times per day.

This talk will share lessons learned from helping teams of all sizes and maturity levels with their transformation to a DevSecOps model where security goes from being a blocker to an enabler. Specifically, we will cover some of the tools and processes you can start using right now. These tools allow you to start adding real value to your organization through enhanced visibility, vulnerability discovery, and feedback loops. It is time to adapt and embrace a new era of security.


This session is intended for anyone involved in the development or deployment of secure applications and infrastructure.

Speakers

Jimmy Mesta

CTO, Manicode Security


Monday February 18, 2019 14:00 - 15:30
West wing (room Lemaître)

16:00

Whiteboard hacking – aka hands-on threat modeling
Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The talk works through real use cases spanning the different stages of threat modeling.


Abstract
Threat modeling is the primary security analysis performed during the software design stage. It is a structured activity for identifying and evaluating application threats and vulnerabilities. The activities in the threat modeling stage help you find design flaws in your application and its supporting architecture. You can use these identified vulnerabilities to help shape your design and direct and scope your security testing.

Unfortunately, there is a gap between academic knowledge of threat modeling and the real world. In this session, we aim to close this gap through a set of practical use cases derived from real-world projects. The session explains a 4-step threat modeling approach built around four main questions:

(1) What are we building?
(2) What can go wrong?
(3) What are we doing to mitigate this?
(4) How do we follow up on our threat model?

Additionally, we cover the integration of threat modeling in traditional, agile and DevOps activities.


This session is intended for Software developers, architects, system managers and security professionals.

Speakers

Sebastien Deleersnyder

Application Security Lead, Toreon


Monday February 18, 2019 16:00 - 17:30
West wing (room Lemaître)
 
Tuesday, February 19
 

11:00

Positioning Secure Development Lifecycles (SDLC) and maturity models
Building secure applications involves much more than writing secure code. Only once your organization understands this can it become effective at it.


Abstract
Modern software is expected to meet basic security and privacy properties. Unfortunately, many organizations struggle to build software that meets them. Security always seems to conflict with other business interests, which often makes it an unwelcome task.

This session investigates how to address the problem in a structured manner. We look at the typical elements that occur in a secure development lifecycle. We discuss different perspectives and illustrate how various activities contribute to software security. Additionally, we explore the relationship between an SDLC and maturity models. Together, these tools allow you to map out your security strategy. In essence, this session provides you with the necessary structure to frame the rest of the course.


This session is intended for all stakeholders involved in software construction.

Speakers

Bart De Win

Director, PwC


Tuesday February 19, 2019 11:00 - 12:30
West wing (room Lemaître)

16:00

Driving security with maturity models
The OWASP SAMM maturity model allows you to assess your current security activities. It also helps you set out a strategy to improve the practices within your organization.


Abstract
A modern Secure Software Development Lifecycle (SDLC) consists of numerous activities. Blindly adopting certain security activities is unlikely to yield the expected results. Instead, improving software security should be a deliberate action, following a well-defined plan. Unfortunately, building such a plan requires a lot of knowledge and expertise.

In this session, we will explore the OWASP SAMM maturity model. This model bundles a lot of knowledge and expertise around building secure software. Using SAMM, you can measure your current security practices regarding software development. It frames those practices in an organizational context. Furthermore, it helps you define a roadmap towards future improvements. Through group discussions and experience sharing, you will learn how to apply SAMM in your organization. If you are serious about improving secure development, this session is for you!


This session is intended for all stakeholders involved in software construction.

Speakers

Bart De Win

Director, PwC


Tuesday February 19, 2019 16:00 - 17:30
West wing (room Lemaître)
 
Wednesday, February 20
 

09:00

Whiteboard hacking (aka hands-on threat modeling) (workshop)
Abstract
Toreon proposes an action-packed 1 day Threat Modeling workshop as taught at OWASP, Black Hat USA and O’Reilly Security conferences. In groups of 3 to 4, participants are challenged to threat model two real-life use cases: a REST-based web application and an on-site IoT deployment.

This workshop is intended for software developers, architects, system managers and security professionals.

Speakers

Thomas Heyman

Senior Security Consultant, Toreon

Sebastien Deleersnyder

Application Security Lead, Toreon


Wednesday February 20, 2019 09:00 - 17:30
Main building (room Bisschopskamer)
 
Thursday, February 21
 

11:00

Security in a fast-moving Agile/DevOps environment
Modern development environments that use agile and/or DevOps practices require a different approach to security. This session explores ways to make security more automated and distributed across the delivery pipeline and the team.


Abstract
Integrating security in a traditional, slow-paced software development process is already a challenge. Today, software development lifecycles are getting shorter. Extreme ecosystems have a deployment every few seconds. Integrating security activities in such an environment poses a significant challenge.

In this session, we zoom in on the challenges encountered in a modern development environment. We explore security in an agile environment. There, activities need to meet short development cycles, business-driven development, and low documentation practices. Additionally, we look at the impact of DevOps on security. Concretely, we cover Continuous Integration (CI) / Continuous Deployment (CD) and the need for automation. We will look at integrating security in such an automated build pipeline. In the end, you will have a good overview of how to approach security in a modern development environment.
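The automated build-pipeline integration described here, and the "vulnerability discovery and feedback loops" of Monday's Zero to DevSecOps talk, both come down to one mechanism: a scanner emits findings, and a policy step decides whether the build proceeds. The block below is an added illustration of such a security gate, written for this page; it is not code from either talk or from the speakers' companies. The report format, finding identifiers, severities, the accepted-risk list and the fixed "today" date are all constructed. Its one non-obvious design point is that risk acceptances carry an expiry date, so a waived finding starts blocking again once the agreed window lapses instead of being silently suppressed forever.

```python
"""Added example: a CI security gate that turns scanner findings into a
build verdict. Illustrative code written for this page; not tooling from
the SecAppDev talks. Report format and sample data are constructed."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Ordering used to compare a finding against the gate threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    severity: str
    component: str


def parse_report(report_json: str) -> list[Finding]:
    """Parse a (constructed) scanner report into Finding objects.

    Unknown severities fail loudly: a gate that quietly treats a
    misspelled "Critcal" as "ignore" is a broken control."""
    data = json.loads(report_json)
    findings = []
    for item in data["findings"]:
        sev = item["severity"].lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {item['severity']!r} in {item['id']}")
        findings.append(Finding(item["id"], sev, item["component"]))
    return findings


def evaluate(findings: list[Finding], accepted: dict[str, str],
             threshold: str = "high", today: date | None = None) -> dict:
    """Split findings at or above `threshold` into blocking and waived.

    `accepted` maps finding id -> ISO expiry date of the risk acceptance.
    An acceptance only waives the finding while it is still valid."""
    today = today or date.today()
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            continue  # below the gate: visible in the report, not blocking
        expiry = accepted.get(f.id)
        if expiry is not None and date.fromisoformat(expiry) >= today:
            waived.append(f)
        else:
            blocking.append(f)
    return {"pass": not blocking, "blocking": blocking, "waived": waived}


def gate(report_json: str, accepted: dict[str, str],
         threshold: str = "high", today: date | None = None) -> tuple[int, str]:
    """Return (exit code, human-readable summary) for the pipeline step.

    Exit code 1 fails the build; the summary is the feedback a developer
    sees on the pull request. Expired acceptances are called out so the
    team learns *why* a previously green build went red."""
    result = evaluate(parse_report(report_json), accepted, threshold, today)
    lines = []
    for f in result["blocking"]:
        note = " (risk acceptance expired)" if f.id in accepted else ""
        lines.append(f"BLOCK {f.id} {f.severity.upper()} in {f.component}{note}")
    for f in result["waived"]:
        lines.append(f"waive {f.id} {f.severity.upper()} in {f.component} "
                     f"until {accepted[f.id]}")
    verdict = "PASS" if result["pass"] else "FAIL"
    return (0 if result["pass"] else 1), "\n".join([f"security gate: {verdict}"] + lines)


# Constructed sample report; ids, components and severities are invented.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "SCAN-0001", "severity": "Critical", "component": "libfoo@1.2.3"},
    {"id": "SCAN-0002", "severity": "High", "component": "bar-client@0.9"},
    {"id": "SCAN-0003", "severity": "Medium", "component": "baz@4.0"},
    {"id": "SCAN-0004", "severity": "High", "component": "qux@2.1"},
]})

# Constructed accepted-risk register: SCAN-0002 is waived until year end,
# SCAN-0004's acceptance has already lapsed relative to PIPELINE_DATE.
ACCEPTED_RISKS = {"SCAN-0002": "2019-12-31", "SCAN-0004": "2019-01-31"}
PIPELINE_DATE = date(2019, 2, 21)  # fixed so the example is deterministic

if __name__ == "__main__":
    code, summary = gate(SAMPLE_REPORT, ACCEPTED_RISKS, "high", PIPELINE_DATE)
    print(summary)
    raise SystemExit(code)
```

Run stand-alone, the script fails the build because SCAN-0001 is critical with no acceptance and SCAN-0004's acceptance expired; SCAN-0002 is reported as waived and SCAN-0003 sits below the threshold. Raising the threshold to "critical" leaves only SCAN-0001 blocking, which is the knob a team turns while it works down a backlog without switching the gate off entirely.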


This session is intended for all stakeholders involved in software construction.

Speakers

Bart De Win

Director, PwC


Thursday February 21, 2019 11:00 - 12:30
Main building (room Lemaire)
 
Friday, February 22
 

16:00

The OWASP ASVS as the basis for a security program
The OWASP ASVS lists over 150 security requirements for modern applications. In this session, we explore how to use the ASVS to drive various activities in your security program.

Abstract
Some people are under the misconception that following the OWASP Top Ten gives them secure applications. In reality, the OWASP Top Ten (and other top-ten lists) is just the bare minimum for entry-level awareness; it does not constitute a sustainable security program. Instead, a more comprehensive and structured understanding of application security is needed, and the OWASP Application Security Verification Standard (ASVS) delivers precisely that.

This talk delivers an in-depth look at the OWASP ASVS. We start by comparing the ASVS to the OWASP Top Ten 2017 and the OWASP Top Ten Proactive Controls 2018. Next, we explore how to use the ASVS as a basis for a rigorous security program. We illustrate how to use the ASVS as a basis for development requirements or security testing. Finally, we compare the current ASVS version (3.1) to the upcoming 4.0 release.

This session is intended for anyone aiming to adopt secure-by-design development practices.

Speakers

Jim Manico

CEO, Manicode Security


Friday February 22, 2019 16:00 - 17:15
Main building (room Lemaire)