PROGRAM
TOPICS and SPEAKERS
STATIC ANALYSIS - THE WORKHORSE OF AN END-TO-END SECURITY TESTING STRATEGY
Achim Brucker (SAP SE, Karlsruhe, Germany)
CYBER ATTACKS AND CYBER DEFENSES
Sandro Etalle (Technical University of Eindhoven, The Netherlands)
END-TO-END SECURE DEVELOPMENT IN PRACTICE
Cédric Hebert (SAP, Sophia Antipolis, France)
WEB APPLICATION SECURITY
Davide Balzarotti (Eurecom, France)
DATA PRIVACY IN THE 21st CENTURY
Günter Karjoth (Lucerne University of Applied Sciences)
STATIC PROGRAM ANALYSIS
Anders Møller (Aarhus University, Denmark)
APPSEC INDUSTRY DIRECTIONS: OPPORTUNITIES AND HURDLES. AN OVERVIEW OVER TIME AND SPACE FROM AN INSIGHT ANGLE
Stefano Di Paola (Application Security Consultant & Founder and CTO of MindedSecurity)
Sessions will also be organized for participants who wish to present their current research or tools in the area to the audience.
STATIC ANALYSIS - THE WORKHORSE OF AN END-TO-END SECURITY TESTING STRATEGY
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
Learning from traditional testing that fixing a bug becomes more costly the later it is done in development, security testing should be integrated into daily development activities as early as possible. The fact that static analysis can be deployed as soon as the first line of code is written makes it the right workhorse with which to start security testing activities.
In this lecture, I will present a risk-based security testing strategy that is used at a large European software vendor. While this security testing strategy combines static and dynamic security testing techniques, I will focus on static analysis. This lecture provides an introduction to the foundations of static analysis as well as insights into the challenges and solutions of rolling out static analysis to more than 20000 developers distributed across the whole world.
Dr. Achim D. Brucker
Dr. Achim D. Brucker is a Research Expert (Architect), Security Testing Strategist, and Project Lead at SAP SE. He received his master's degree in computer science from the University of Freiburg, Germany, and his Ph.D. from ETH Zurich, Switzerland.
He is part of the global Security Team of SAP and responsible for the Security Testing Strategy at SAP. His research interests include information security, software engineering, security engineering, and formal methods. In particular, he is interested in tools and methods for modelling, building and validating secure and reliable systems. He also participates in the OCL standardisation process of the OMG. Further information can be found on his website: http://www.brucker.ch
CYBER ATTACKS AND CYBER DEFENSES
Computer-based attacks have become a standard weapon in the arsenal of criminals, but also of business organizations and government agencies. In this course we are first going to illustrate how cyber attacks work. Then, we are going to discuss which technologies exist for defending against them. The focus will be on network-based monitoring.
Sandro Etalle
Sandro Etalle is full professor and head of the Security group at the Eindhoven Technical University. He holds an MSc in Mathematics from the University of Padova and a PhD in Computer Science from the University of Amsterdam. After working at the University of Genova (Italy), Amsterdam, and Maastricht, in 2001 he moved as Assistant Professor to the University of Twente (UT). Etalle led the UT-wide Strategic Research Orientation and Spearhead Program on Computer Security. While at the UT, he was one of the initiators, founders and managers of the Kerckhoffs Institute, a cooperative effort between the UT, the Radboud University of Nijmegen and the Technical University of Eindhoven (TU/e) which provides an MSc in computer security. After a year as visiting professor at the University of Trento, in 2007 Etalle
END-TO-END SECURE DEVELOPMENT IN PRACTICE
In this course, we shall visit the concepts of the secure development life-cycle and how they can be applied in practice. We shall apply threat modeling, code scanning and penetration testing on a realistic application example, as well as address real-life concerns of architects and developers in applying security when working under heavy workload and short deadlines.
Cédric Hebert
Cédric Hebert is convinced that security can be made simple. As a certified infosec expert of the SAP Security Research team, his work ranges from secure design to offensive security. Some of his current and past projects include the security review of the SAP Business ByDesign architecture, the kickoff of SAP's Enterprise Threat Detection solution and the development of security tools supporting developers in writing secure code.
WEB APPLICATION SECURITY
The World Wide Web was initially proposed in 1990 by Tim Berners-Lee and Robert Cailliau as a distributed "web" of interconnected hypertext documents. In a few years, this initially simple idea evolved far beyond imagination. In particular, the majority of web sites are nowadays complex distributed applications, with part of their code running on the server side (to dynamically construct the page's content, typically based on information stored in a backend database) and part running in the user's browser (to implement the user interface and fetch content on demand from the server). As a result, according to HttpArchive, today almost 50% of web pages require more than 30 separate connections to fetch all the required elements.
This complex architecture is advertised as a platform for the masses -- one that even people with little to no experience in software design can use to quickly develop new web sites and applications with advanced and customizable user interfaces. The result was a large number of web sites created by web designers, experts in customizing the visual look-and-feel of an application, but often unaware of the complexity and risks of the technology they were using.
In this lecture we will study the security of web applications, starting from the point of view of the attackers (how they locate their targets, how they run the attacks, and what they are after) and moving then to the analysis of server-side code - discussing both known and less known classes of vulnerabilities.
Davide Balzarotti
Davide Balzarotti is an Assistant Professor at EURECOM, where he is leading (together with Aurélien Francillon) the software and system security group. His research interests include most aspects of system security and in particular the areas of intrusion detection and prevention, binary and malware analysis, reverse engineering, and web security. Davide co-authored more than 60 international publications and regularly serves on the technical program committees of all the top security conferences. He was program chair of RAID 2012 and Eurosec 2014. Before joining EURECOM, Davide spent almost two years in Santa Barbara as a postdoctoral researcher in the Department of Computer Science at UCSB, working in the Computer Security Lab with professor Giovanni Vigna and professor Richard Kemmerer. In 2007 he participated in the red team involved in testing the capability and security of the voting machines certified for use in the State of Ohio (Project Everest) and in the red team involved in the top-to-bottom review of the electronic voting machines certified for use in California. He received his PhD in Computer Engineering from Politecnico di Milano in 2006 with a dissertation on "Testing Network Intrusion Detection Systems".
DATA PRIVACY IN THE 21st CENTURY
The following topics will be covered during the lecture:
- Laws & Regulations
- Privacy by Design / PIA / …
- Privacy Policies
- Consent Management
- Web tracking
- Anonymization
Günter Karjoth
Günter Karjoth studied computer science at the University of Stuttgart (Germany), followed by a doctorate. Prior to joining the Lucerne University of Applied Sciences and Arts (School of Business) in 2013, he worked at IBM Research – Zurich. Over the past thirty-five years, his research interests have ranged from identity and access management, enterprise privacy, middleware and mobile agent security to protocol engineering. Dr. Karjoth has published over 70 scientific papers and 15 patents. Over the years he has been engaged in different positions at leading conferences, journals and standardization committees. He taught at the ETH Zurich between 2005 and 2013 on "Privacy in the Electronic Society". He is an ACM Distinguished Scientist (2013) and received IBM Outstanding Achievement Awards for his work on Privacy for RFID (2006) and on the Enterprise Privacy Architecture (2005).
STATIC PROGRAM ANALYSIS
Static program analysis is the art of reasoning about the behavior of computer programs without actually running them. This is useful not only in optimizing compilers for producing efficient code but also for automatic error detection and other tools that can help programmers.
This lecture will present essential principles and algorithms for static program analysis. We take a constraint-based approach where suitable constraint systems conceptually divide analysis into a front-end that generates constraints from program code and a back-end that solves the constraints to produce the analysis results. The lecture will be accompanied by theoretical exercises and by practical exercises based on a Scala implementation of the algorithms. The participants are assumed to be familiar with advanced programming language concepts and the basics of compiler construction.
The last part of the lecture will present an overview of recent results towards obtaining sound and effective static analysis techniques for JavaScript web applications. JavaScript supports a powerful mix of object-oriented and functional programming, which provides flexibility for the programmers but also causes complications for static analysis. Among the challenges is how to handle the dynamic language features, such as 'eval', and the complex programming patterns that are found in widely used libraries, such as jQuery, without losing critical precision.
Anders Møller
Anders Møller is associate professor at Aarhus University and head of Center for Advanced Software Analysis (http://casa.au.dk/). His research interests are in programming languages and software engineering, currently focusing on program analysis for web and mobile applications. He has received an ERC Consolidator Grant on "Automated Program Analysis for Advanced Web Applications", research awards from IBM and Google, and several ACM SIGSOFT Distinguished Paper awards.
APPSEC INDUSTRY DIRECTIONS: OPPORTUNITIES AND HURDLES. AN OVERVIEW OVER TIME AND SPACE FROM AN INSIGHT ANGLE.
The talk will offer insight into how the appsec industry works, drawing on personal experiences acquired as CTO of Minded Security while working side by side with large enterprises and big and medium-sized companies, dealing with their problems and challenges.
Stefano Di Paola
Stefano Di Paola is the CTO and cofounder of Minded Security, where he is Chief Scientist. In recent years Stefano has presented several cutting-edge research topics, such as DOM-based XSS runtime taint analysis, Expression Language Injection, HTTP Parameter Pollution and ActionScript Security, which led him to be included in the Top Ten Web Hacking Techniques initiative for 5 consecutive years (2007-2011). He has also published several security advisories and open source security tools and contributed to the OWASP testing guide. Stefano is Research & Development Director of the OWASP Italian Chapter.