Dealing with IT security threats in development

Øredev and TrueSec invite you to a dedicated Security Day at Øredev - a jam-packed day of technical sessions about security for developers.

We've gathered the absolute elite among security experts and they will teach you ALL about the latest security threats that developers must know about, and how to avoid introducing security flaws in your code.

TrueSec’s experts, who work with security reviews and penetration tests on a daily basis, will perform live hacks, describe how attackers exploit security vulnerabilities in applications and systems, and (of course) show you plenty of cool live demos. Most importantly, based on this new knowledge, they will explain how you as a developer should build secure systems.

Date: November 4th

Venue: Slagthuset, Malmö

Schedule

09.15-10.00 Coding in a world of cyber crime, cyber threats and espionage
Internationally recognized security experts Marcus Murray and Emil Kvarnhammar of the TrueSec Security Team will share their insights into the world of cyber security. In this session you will learn about the latest and greatest security breaches, the trends and how the threat landscape is changing in a way that concerns developers more than ever. Vulnerabilities in code are one of the key reasons why organizations get hacked today. Your ability to write secure code will define the future!

Marcus Murray, Emil Kvarnhammar


10.20-11.00 Security in web apps
Did you know that cybercriminals out there can compromise your web applications and servers with nothing more than a web browser and a few publicly available tools? In this demo-oriented web hacking and secure development session, Fabio Viggiani, leading web-application and pen test expert, will show you how hackers exploit vulnerabilities in web apps today and the possible consequences of a breach, and will point you towards the right solutions and the proper mindset to prevent cyber attacks.

Fabio Viggiani


11.20-12.00 Protecting your app data from attackers
Is your app dealing with sensitive or even confidential data? Your secure app needs to handle many possible attack vectors like network eavesdropping/MiTM, data extraction from backups, storage access through trojans, heap dumps, unauthorised access to server data etc. This session presents secure practices in app development. We use iOS and Android as reference platforms during our demos, however most of the practices could be applied to any platform.

Sebastian Olsson, Emil Kvarnhammar


12.00-13.00 LUNCH


13.00-13.40 Secure coding patterns
What is "secure code"? This session will introduce you to a safe mindset when developing applications. You'll learn how to make the concept of "trust" a first-class citizen in your code, and know what to look for when reviewing code for security vulnerabilities. Secure coding patterns will make your code cleaner, more robust and less likely to cause your application's user table to be uploaded to Flashback.

Philip Åkesson, Andreas Hallberg


14.00-14.40 Making zombies
Although most client platforms provide built-in basic security mechanisms like sandboxing and code signing, platform vulnerabilities can be exploited to gain control over an existing app - and sometimes the entire system. Some want to gain control over a specific device or app. Some just want to control as many client devices as possible (e.g. for botnets). Some just want to watch the world burn. In this session, we'll explain these vulnerabilities and show several demos of how the attacks are made.

Emil Kvarnhammar


15.00-15.40 Where and how do we build our app
Many modern application developers make use of third-party dependencies and build servers during development before finally signing their applications to be published. How do you know that the third-party code is secure and that you are in fact running the code you actually intended to?

Sebastian Olsson, Philip Åkesson


16.00-16.40 File upload - Inviting the Vampires
There's something rotten in the state of file upload. We routinely find vulnerabilities in third-party components and customers' file upload code. In this session we show you the common mistakes, how hackers can bypass seemingly rock-hard file-upload defenses, and how to properly secure your snazzy file upload component.

Andreas Hallberg, Stefan Ivarsson


17.00-17.40 Not Go Quietly: Surprising Strategies & Allies to Adapt & Overcome
Cynicism is a choice. We will not go quietly... Nearly every aspect of our job as defenders has gotten more difficult and more complex: escalating threat, massive IT change, burdensome compliance reporting, all with stagnant security budgets and headcount. Rather than surrender, it’s now time to fight back. Don’t be a hero; assemble your team of avengers from unlikely allies. This session will provide new approaches to finding financial and operational support for information security across the organization. Case studies and actual victories will be explored.

Joshua Corman