Much of the existing application security & secure development curriculum shows security issues in a vacuum, or in the simplest example setting. On the other hand, public bug bounty reports inherently show bugs in real-world context. Sometimes that context is unbelievably trivial, other times it is intricate and pointedly specific to the vulnerable site. Both of these extremes provide important nuances that help developers and testers understand how to identify and remediate security issues. This walking tour of common vulnerabilities, as well as more pragmatic “dirty” hacks, bridges the theory/practice divide with illustrative examples drawn from real-world bug bounty [...]
These days, having a build pipeline is common. We build pipelines for testing, packaging, containerizing, and all sorts of things that help us ensure that things won't fall to pieces when we press the big red deploy button. The problem is that we often forget to add security checks to our build process. Join Aaron as he walks through the various tools and techniques we can add to our build. You will learn how to approach static analysis, dependency analysis, container analysis, and specialized security test suites in an automated fashion that will provide actionable feedback before it's too late.
The best way to build secure systems is to stop writing security-related code on a daily basis. Developers have their hands full with complex systems, confusing business rules, technical edge cases, responsive UIs, etc. Security requirements, when they even exist, are repetitive to implement, hard to test, and often get crowded out by other demands. When developers handle security on a feature-by-feature basis, the result is a wildly inconsistent mess of security holes. In this session developers and architects will learn real-world techniques for designing security into the application framework itself, rather than leaving it up to individual features. You’ll [...]