Track: Trust, Safety & Security

Location: Pacific DEKJ

Day of week: Wednesday

It comes as no surprise that any microservice, any security control you use to build applications, will eventually be broken (or fail). Under certain pressure, some components will fail together.

The question is: how do we build our systems so that security incidents won't happen even if some components fail, and data leaks won't occur even if a database server is misconfigured? Security engineers know that the failure of a single security control is a question of time; the failure of a security system is a question of design.

This track is about building secure, yet usable, systems: security architecture, security engineering, cryptography.

Track Host: Anastasiia Voitova

Product Engineer in Security and Cryptography @CossackLabs

Anastasiia is a software engineer with a wide background: she started her career as a mobile developer, then moved deeper into security engineering. Now she focuses on cryptography and applied security, helping companies build secure yet usable systems (oh yes, it takes effort).

Anastasiia maintains the open-source cryptographic library Themis, conducts secure software development training, often speaks at international conferences, co-organizes cyber-security events and leads the security chapter at WomenWhoCode Kyiv.

10:35am - 11:25am

Exploiting Common iOS Apps’ Vulnerabilities

Many mobile developers still believe that it’s not possible to extract information embedded inside the application bundle. However, it's not true.  

My area of interest is the reverse engineering of mobile apps. In this talk, I'll walk through some of the most common vulnerabilities in iOS apps and show how to exploit them. All these vulnerabilities have been found in real production apps of companies that have (or don't have) a bug bounty program. This talk is useful for those connected with mobile app development or those who use mobile apps to work with sensitive data.

Ivan Rodriguez, Software Engineer @Google

11:50am - 12:40pm

How to Use Encryption for Defense in Depth in Native and Browser Apps

Encryption is one of the most effective technical security measures. It massively reduces the impact and cost of a data breach. But encryption is typically focused on “infrastructure-level” elements like TLS and full-disk encryption. These are important tools, but they rely on assumptions about the infrastructure instead of the application code.    

As developers, infrastructure isn’t our strength, and sometimes it’s not even our job, so encryption takes a back seat to application-level features. But adding encryption to the application itself can insulate our systems from infrastructure-level failures, adding an important element of defense in depth.  

In this talk, we will discuss the pros and cons of application-level and end-to-end encryption. Since browsers are a nearly unavoidable element of modern application development, we will also cover the attack surface of application-level encryption in the browser, how it is very different from native clients, and how WebAssembly and WebCrypto help.

Isaac Potoczny-Jones, Founder @Tozny & Authentication and Privacy Specialist

1:40pm - 2:30pm

Security Culture: Why You Need One and How to Create It

Strong cultures permeate people’s mentality and the way that they behave, their receptiveness to new ideas and thoughts, and their motivation to do security tasks.  Organizations with a positive security culture have immense capability to build resilient products and reduce security debt.    

Every organization has a security culture, either good or bad, even if a security team or company has never invested in it. It is the underlying driver of why people choose to do what they do around security. This is exactly why security teams and their organizations need to take ownership and proactively shape the culture into a direction that supports the security well-being of the organization.    

This talk will go into understanding how to measure your organization's current security culture and how to define where you want to go. From there we will look into techniques and case studies of how to begin to shape your organization’s security culture to become more resilient and enable people-powered security.

Masha Sedova, Co-Founder @hello_Elevate

2:55pm - 3:45pm

Small Is Beautiful: How to Improve Security by Maintaining Less Code

Project Zero has reported over 1500 vulnerabilities in commonly used software, including Windows, Android, iOS, browsers and many others. A common factor in many of these vulnerabilities is unnecessary attack surface. This presentation explains several causes of unnecessary attack surface and how to avoid them. It includes examples of vulnerabilities reported by Project Zero and explains how developers can prevent similar bugs.

Natalie Silvanovich, Security Researcher @Google

4:10pm - 5:00pm

Designing Secure Architectures Modern Way

This talk aims to attack two typical conflicts many security architects are all too familiar with:

1. Most of the design thinking for preventing security incidents is focused on avoiding known risks in a known way. However, most of the time this approach leads to cost-efficient systems that are prone to unexpected security/reliability failures that are harder to mitigate.
2. Most risk treatment choices for security risks focus on "this stack is able to do <security_control> in a certain way and no other way around, so we better build around that": the capabilities within each technological stack to cope with the risks it faces are limited by a pre-defined feature set.

The real world, unfortunately, shows that both of these constraints are driven by the same causes and provide the same outcomes: a short-term feeling of safety ("we turned SSL on so it's definitely going to be fine") and of a job well done, until someone breaks your systems in a way that is unexpected to you but obvious to them.

The solution? It's the security utility and combination of controls around sensitive assets that matters, not just the checkboxes available. And assessing these assets, understanding their lifecycle first, then consciously designing defenses around this lifecycle leads to cost-efficient solutions that don't break the technological stack. 

This talk came out of the speaker's experiences of implementing sophisticated defenses in constrained environments - ranging from protecting huge power grid SCADA telemetry to improving end-to-end encryption in small mobile applications in tricky use cases - and how just changing the point of attention in the initial stages of security efforts saved money and enabled systems to be more resilient to real risks... without re-engineering most of the stack.

Eugene Pilyankevich, CTO @cossacklabs, Building Applied Cryptographic / Data Security Tooling


Wednesday, 13 November