February 26-28, 2025
Montreal, Canada

Security Conference 2025

The list of presentations is subject to change without notice.
Security Do you use JWT access tokens to secure your web API? If you are, are you absolutely certain that your API only accepts access tokens issued by your service?

In this session, I’ll expose some shocking tricks that can bypass improperly configured token validation. You’ll see how easy it can be to fool your API. But don’t worry, I’ll also walk you through how to write tests that ensure your application is protected against these exploits.
Security Cloud providers have shifted some security concepts out of coding and into configuring cloud infrastructure. This makes cloud security an endeavor that is now more worth investing time in.

While there are common secure patterns and mechanisms, some provider specifics are what can cause issues.

This session will present a selection of the most security-friendly cloud architecture patterns, with highlights on quirks that hinder security.
Security Most people struggle to access digital products. Basic tasks like sign-up, login, and password recovery frustrate and enrage users. People constantly fail at them. More security can make it harder for people to use our products. We must keep bad actors out, but we also want approachable products. And dev teams struggle with user experience. Teams can lessen user pain and help people get beyond the access barrier. I'll show you how to start.
Security Manage risks associated with your software dependencies through software supply chain security best practices and their automation across all SDLC phases. The growing ecosystem of tools such as in-toto, cosign, guac and grafeas allows us to envision a future where these threats can be addressed by organizations, regardless of their size and means.
We will demonstrate an end-to-end solution using such tools.
Security A large language model (LLM for short) is a type of artificial intelligence (AI) program capable of recognizing and generating text. With the success of large language models and their increasingly widespread use, the year 2024 has already revealed many security weaknesses.
This session aims to help you understand the areas to protect, ranked as a TOP 10. The security of these AIs is going to concern you.
Security Law 25 is legislation adopted in Quebec in 2021 to strengthen the protection of users' personal information. It requires companies to remain clear and transparent about their practices for collecting, using and protecting this data.

Is your company or your website compliant?
Security Explore how vlt, the next-gen JavaScript package manager built by the former npm team, tackles modern supply chain security threats. With features like a GUI for dependency graph visualization and the innovative Dependency Selector Syntax (DSS), vlt is designed to empower developers. Learn how deep insights from npm’s ecosystem, including security flaws like “manifest confusion,” influenced the creation of a safer, smarter package manager.
Security There's a deluge of new AI Agents coming online, especially in the realm of customer support. LLMs are powerful, but they are non-deterministic. How do we ensure that they are trustworthy, especially as they get plugged into APIs?

I'll dismantle the myth that AI agents replace human agents, and I'll discuss the principle of keeping the end user in control in bot design. I'll also talk about a new standard proposed by the IETF that will solve this problem.
Security Penetration tests are a critical step in securing web services, but often much of their effort is wasted reporting simple things that can easily be fixed in advance. We will look at common security issues that are found in pentests at all levels in the deployment stack, concentrating on those that can be resolved quickly and easily in one place (in any language), and show how to fix them, freeing up expensive pentester resources.
Security The ways that we can deliver HTTP has improved in occasional leaps, from 1.0, 1.1, a big step to 2.0, and now 3.0. A big obstacle has been TCP, which isn't great for HTTP, but we are stuck with it – or are we? QUIC is a reimagining of TCP that runs over "the other protocol", UDP, and integrates HTTP/3 and TLS 1.3, giving us a step up in performance and security. Discover how it works, how to set up your servers and apps, and deploy it today.
Security The development of mobile applications needs to be agile, but it also needs to be secure. In this talk we’ll look at how to make application security scanning a part of the continuous delivery process to ensure your users will receive a secure product without compromising the delivery deadlines.
Security Join me in this talk where I will showcase how you can rely on Keycloak (an open-source identity management solution) and the Eclipse MicroProfile API to simplify the security aspects of your applications, with a live demonstration of securing enterprise Java Microservices in under 40 minutes!

See a live demonstration of a small application that uses the Eclipse MicroProfile APIs to correctly integrate it with Keycloak via OpenID Connect.
Security In this presentation, we will delve into the capabilities and benefits of OWASP CycloneDX, a comprehensive Bill of Materials (BOM) standard designed to enhance cybersecurity and supply chain transparency. We will explain and demo how you can use CycloneDX with community-supported tools to identify software risks, and perform rapid impact analysis integrating CycloneDX into existing development pipelines to enhance security efficiency.
Security Reproducibility is key to securing the JavaScript package ecosystem. In this talk, discover how `reproduce` will help you verify a library's build steps against its published package counterpart, offering a practical alternative to theoretical SBOM & crypto-provenance security efforts. Then learn how reproducibility democratizes the verification & linking of source to artifacts, enhancing transparency & trust between disparate origins.
Security We keep hearing the mantra to shift left, to turn our developers into security experts, to reduce and eliminate vulnerabilities. Given the prevalence of old flaws being checked into new codebases, this approach clearly isn't working the way we want. What went wrong? Was the idea flawed? Let's talk about where we are, how we got here, and how we can shift left the right way.
Security But if C++ is unsafe and C/C++ are the foundation for everything else, then are we doomed? Maybe! But we do not have to be. Also, C/C++ is memory safe today - if you want it to be - or do you believe in Santa Claus? In this talk I will analyze where we actually stand and whether anything beyond Rust can survive. That is, I will deep dive into failure modes of the industry in general, rather than calling on a specific boogeyman.
Security Threat modeling is an unpopular process among security professionals and developers as it usually requires manual drawing of systems diagrams and can be perceived as abstract since it only identifies potential risks. In this presentation, a more tactical approach to threat modeling will be presented. You will learn how threat modeling can orient security tests based on potential threats and how automation can ease the analysis of complex systems.
Security Discover how CodeQL, a powerful static analysis engine, can scan your codebase for vulnerabilities. Learn how to integrate CodeQL into your CI pipeline for automated security checks. We'll compare CodeQL to Semgrep and LLM-based engines, highlighting strengths and weaknesses. Get hands-on experience with CodeQL and take away best practices for implementing it in your development workflow. Improve your code security and reduce risk with CodeQL.
