
Web security
Monday, February 18
 

11:00

The security model of the web
The web still depends on the same security model as it did 20 years ago. Even if somewhat flawed, that security model is essential for building secure applications.


Abstract
The web has undergone a dramatic transformation since the first static HTML documents. However, the underlying security model remains mostly unchanged. Its flaws have resulted in nefarious security vulnerabilities. But to be fair, the security model is also the foundation of many modern defenses. And in today's client-side applications, the web's security model is an essential cornerstone.

In this session, we make this underlying security model explicit. We show that the Same-Origin Policy is too liberal. As a result, we suffer from attacks such as Cross-Site Request Forgery, cross-site scripting, and more. We also explore how you can leverage the security model for better security. You will learn how to leverage concepts such as domain separation and origin isolation. Overall, this session offers the foundation for other web security topics here at SecAppDev.


This session is intended for anyone building, designing or securing web applications.

Speakers
PD

Philippe De Ryck

Founder, Pragmatic Web Security


Monday February 18, 2019 11:00 - 12:30
Main building (room Lemaire)

16:00

OWASP's top 10 proactive controls
The OWASP top ten of proactive controls is a list of security techniques that should be included in every software development project. This session covers the 2017 top 10 of proactive controls.


Abstract
Software developers are the foundation of any application. But building secure software requires a security mindset. Unfortunately, obtaining such a mindset demands a lot of learning on the developer's part.

The OWASP top 10 of proactive controls aims to lower this learning curve. It covers ten essential security controls in virtually every application. This session gives an overview of 10 common security problems, and how to address them. We will go over numerous security anti-patterns and their secure counterparts. Throughout the session, you will get a good overview of common security issues. In the end, you walk away with a set of practical guidelines to build more secure software.


This session is intended for anyone building, designing or securing applications.

Speakers
JM

Jim Manico

CEO, Manicode Security


Monday February 18, 2019 16:00 - 17:30
Main building (room Lemaire)
 
Tuesday, February 19
 

09:00

Live Hack - Exploiting and fixing common vulnerabilities in your Java web application
This session shows by example how attackers exploit common vulnerabilities. For each issue, we cover the cause, the impact, and – most importantly – ways to avoid or mitigate the vulnerability.


Abstract
Today, almost all software heavily relies on the use of third-party dependencies. While open source modules are undoubtedly awesome, they also represent an undeniable and massive risk. You're introducing someone else's code into your system, often with little or no scrutiny. Including the wrong package can introduce severe vulnerabilities, exposing your application and your users' data.

In this session, we will demonstrate common vulnerabilities in our sample application, Goof. This application uses vulnerable libraries, just like many applications out there. For each issue, we explore why it happened, show its impact, and – most importantly – see how to avoid or fix it. Example vulnerabilities are the infamous Struts vulnerability, credited for the Equifax hack, Spring Break, and others.


This session is intended for anyone building (Java) web applications.

Speakers
BV

Brian Vermeer

Developer Advocate, Snyk


Tuesday February 19, 2019 09:00 - 10:30
West wing (room Lemaître)

09:00

Building secure web & web service applications (workshop)
Abstract
The major cause of web service and web application insecurity is insecure software development practices. This highly intensive and interactive 1-day bootcamp provides essential application security training for web application and web service developers and architects.

This workshop is intended for web and API developers.

Speakers
JM

Jim Manico

CEO, Manicode Security


Tuesday February 19, 2019 09:00 - 17:30
Main building (room Bisschopskamer)
 
Thursday, February 21
 

09:00

Detecting and preventing domain name abuse in the .eu TLD
To operate their malicious activities, cybercriminals register a constant flux of domain names. In this talk, we explore their modus operandi and discuss mitigations at the registry level.


Abstract
This session reports on an extensive analysis of 14 months of domain registrations in the .eu TLD. In particular, we investigate domain names that are registered for malicious purposes (such as spam, phishing, botnet C&C, ...). The goal of our research is to understand and identify large-scale malicious campaigns and to detect and prevent malicious registrations early.

We explore the ecosystem and modus operandi of elaborate cyber criminal entities that recurrently register large amounts of domains for single, malicious use. We further report on insights into the operational aspects of this business and observe, for instance, that their processes are only partially automated.

Finally, we present our automatic prediction system, which classifies at registration time whether a domain name will be used maliciously or benignly. As such, malicious domain registrations can effectively be prevented from doing any harm. As part of the talk, we discuss the first results of this prediction system, which currently runs in production at EURid, the registry of the .eu TLD.


This session is intended for anyone interested in organized cyber-crime, or in the use of data mining and machine learning for security.

Speakers
LD

Lieven Desmet

Senior research manager, KU Leuven


Thursday February 21, 2019 09:00 - 10:30
West wing (room Lemaître)

11:00

The ins and outs of client-side XSS
This session provides a comprehensive overview of client-side Cross-site Scripting (aka DOM-based XSS), both from an offensive as well as from a defensive point of view.


Abstract
The term "Client-side Cross-site Scripting" describes a sub-class of XSS vulnerabilities, also known as DOM-based XSS. These vulnerabilities are caused by insecure JavaScript running within the browser. These client-side vulnerabilities are as potent as their server-side counterparts. However, they have always remained in the shadows, mainly due to a perceived significantly smaller attack surface. But is that a correct assessment? What happens with the recent push towards client-side applications?

In this session, we provide a comprehensive overview of client-side XSS. We illustrate that approximately 10% of all websites suffer from this problem. We investigate why the problem is so hard to contain. We will take a deep-dive into one of the major issues on the web today: vulnerabilities in third-party code. In the end, you will have a solid understanding of the danger of client-side XSS. You will know how to identify these problems, and how to prevent them.


This session is intended for anyone building web and JavaScript applications.

Speakers
MJ

Martin Johns

Full professor, TU Braunschweig


Thursday February 21, 2019 11:00 - 12:30
West wing (room Lemaître)

14:00

Modern web application security vulnerabilities
This session explores some modern web application vulnerabilities, as often observed in bug bounty programs. We discuss the threat, as well as the available defenses.


Abstract
The highest ranking vulnerability in the OWASP top 10 is still SQL injection. Even today, SQL injection still poses a significant threat. However, the web security landscape has evolved significantly in the last decade. Today, we see new development paradigms appear. Think about the rise of Single Page Applications, APIs, and the use of technologies such as OAuth 2.0 and JWT. We also see a change in security programs, with bug bounty programs leading the way.

In this session, we explore the impact of bug bounty programs on security research. We go over a few concrete cases, highlighting new takes on old vulnerabilities, as well as new attacks. And most importantly, we look at how to defend your web application against these new types of attacks.


This session is intended for anyone designing, securing, breaking or developing web applications.

Speakers
EO

Erlend Oftedal

CTO, Blank AS


Thursday February 21, 2019 14:00 - 15:30
West wing (room Lemaître)
 
Friday, February 22
 

11:00

CSP in the age of Script Gadgets
Content Security Policy (CSP) is one of the most promising defenses against XSS vulnerabilities. Here, we revisit the history of CSP, discuss weaknesses and bypasses, and show how to build strong policies.


Abstract
Content Security Policy (CSP) was first introduced in 2012. It should have been a silver-bullet defense against various injection attacks, including the rampant Cross-Site Scripting vulnerabilities. Unfortunately, modern development practices and legacy code bases proved to be substantial obstacles. New versions of CSP were released to address usability and compatibility for developers. Unfortunately, researchers discovered many bypasses and vulnerabilities in real-world CSP policies. The latest problem is known as script gadgets, where data is turned into code by legitimate functionality.

In this session, we will take a look at the problems you might encounter when deploying CSP. We start at CSP level 1 and work towards the latest level 3 version. We discuss CSP's features, potential bypasses, and pitfalls to avoid. In the end, you will have gained the knowledge to deploy a secure and effective CSP policy.


This session is intended for anyone building, designing or securing web-based applications.

Speakers
MJ

Martin Johns

Full professor, TU Braunschweig


Friday February 22, 2019 11:00 - 12:30
West wing (room Lemaître)

14:00

The parts of JWT security nobody talks about
At the surface, JWTs look simple. In this session, we dig deeper into the security properties of JWTs. We look at common misconceptions and mistakes. We also look at advanced features, such as encryption.

Abstract
JSON Web Tokens (JWT) have become the de facto standard to transfer application claims between the client and the server. By design, they incorporate the use of signatures to ensure the integrity of the data. However, merely signing the data alone is not enough to guarantee security.

In this talk, we zoom into the security properties of JWTs. After introducing the different signature schemes, we dive into the hard parts nobody talks about. How do you manage and identify the keys used for the signature? How do you handle key rotation? And what about encrypting JWTs? This talk answers all these questions. You will walk away with a set of best practices for adequately securing JWTs.

This session is intended for anyone building, designing or securing web applications.

Speakers
PD

Philippe De Ryck

Founder, Pragmatic Web Security


Friday February 22, 2019 14:00 - 15:30
West wing (room Lemaître)