Security Day

For the second year, Øredev and TrueSec invite you to a dedicated security day at Øredev - a day full of practical and eye-opening sessions aimed at helping you develop more secure code.

We've gathered the absolute elite among security experts and they will teach you all about the latest security threats that developers must know about, and how to avoid introducing security flaws in your code.

Date: November 3rd

Venue: Slagthuset, Malmö

 

 


 

Schedule

09.00-09.40 Hacking Modern Cars - How to do it and How to Stop it

Modern cars are typically equipped with multiple wireless interfaces and through features such as telematics and in-car mobile handset connectivity they are quickly becoming Internet-connected devices. As such the threat landscape for automotive systems has changed dramatically – organised crime and hackers now have many different potential attack vectors against vehicles, whether they wish to attempt to break into or steal a vehicle or to remotely cause it to perform actions beyond the control of the driver, thereby impacting on vehicle and driver safety.

This session will walk through NCC Group’s research into attacks on modern cars. We will show delegates real-world examples of the risks that modern cars are facing. The session will also present a high-level methodology for testing the end-to-end security of connected cars and will discuss realistic mitigations that can be achieved through secure development life cycles.

 
Matt Lewis


10.00-10.40 The Jurassic web attack

Oops - you clicked on a link and unwittingly reconfigured your router, changed your tax refund account number and revealed your browsing history! How did this happen? Shortly after your bank went online, attackers discovered the joy of Cross Site Request Forgery (CSRF). Some twenty years later it's still one of the most common web vulnerabilities. In this session we'll discuss what CSRF is, why it works, and how to protect your web application against it. We'll look at actual attacks and different flavors of CSRF. We'll discuss what kind of protection works and what doesn't, and why you must learn to love that same-origin policy thing that otherwise only seems to get in your way. Heck, there will even be some slides about 1995 and Netscape!


Andreas Hallberg


11.00-11.40 Hackers toolkit

Kali, Backbox, Metasploit, BeEF. All tools in an arsenal that exist to break through your security defences. This talk introduces the tools available and shows how they can be used to get through your defences. It is more a massive demo than a talk and is an exploration of the tools and what they do. At the end of this talk, you will have a better understanding of how to defend against them and spot the problems. We will go through recon, exploitation and maintenance of exploits. This is geared at developers, IT pros and those with an interest in learning more about security tools and practices. No previous knowledge is required; the less you know, the more WTFs you will utter!


Niall Merrigan


12.00-13.00 Lunch


13.00-13.40 Security threats and mitigations for iOS developers

From an architecture perspective iOS is one of the most secure mobile platforms available today. But there are examples of malware that have successfully targeted iOS despite the mandatory code signing, app review process, sandboxing, encryption, and lack of side-loading support.

This talk will explain built-in security mechanisms in iOS, common security issues that affect iOS developers and attack examples against iOS devices. We’ll cover XARA (cross-app resource attacks), masque attacks, SSL/TLS security, reverse engineering and how attackers try to circumvent the security rules enforced by the operating system. For each attack mentioned, we'll also discuss mitigation strategies.

 
Emil Kvarnhammar


14.00-14.40 HTTP/2 is a faster and safer HTTP

The web has already slowly started to switch to HTTP/2. Daniel explains what problems HTTP/2 is here to address and how it does that. What makes it faster and safer? What is the status right now and how much traffic is on HTTP/2 already?


Daniel Stenberg


15.00-15.40 What's up with XXE?

XML External Entity (XXE) attacks are not new, but we find them more and more often nowadays during our penetration tests. What's up with that? Lack of awareness among developers is the most likely reason. XXE attacks are fun. In this demo-based session we will see what attackers can do with it, from exfiltrating files to targeting internal servers. At the end of this session, you should have a pretty good overview of the risks involved with XML parsing, and you'll be able to prevent XXE attacks. Let's stop this XXE thing before it becomes the new SQL injection!


Fabio Viggiani


16.00-16.40 A Live hacking experience!

In this session Marcus Murray will demonstrate the latest and greatest methods and tools used by hackers in order to break into your systems. An awareness session you don't want to miss. You will learn how hackers target endpoints and applications, how they circumvent anti-virus, and how they can compromise an entire enterprise without ever getting caught.

 
Marcus Murray


 

 

 

 
