March 13-15, 2019
Montreal, Canada

Security Conference

Security The concept of Cross-site Scripting (XSS) is over 20 years old, but the attack does not seem to go away. There is finally light at the end of the tunnel: Content Security Policy is a W3C standard that can effectively limit which JavaScript code a browser is allowed to run. In this session we will have a look at different features and versions of CSP, provide best practices for using this technology, and also analyze implementation strategies.
Security You’ve probably seen how an ASP.NET Core application works, but authentication and authorization are a different cup of tea. Microsoft completely redid a large part of these security features in ASP.NET Core.
We'll look at the different cases of doing authentication for your application, with ASP.NET Core Identity or by using a token service (STS). When that's done, we'll dive into the authorization part, which has also been completely overhauled.
Security Web applications are getting more complex. A lot of effort has gone into web frameworks.
On the other hand, the infrastructure used is rarely scrutinized by developers for potential vulnerabilities.
This talk will show you how the use of a cache server can introduce serious vulnerabilities into your web applications. It will cover Web Cache Deception, ESI injection and cache poisoning. These attacks have all emerged in the past two years.
Security DLL Injection sounds like some black magic used only by hackers. However, it is used widely in the Windows ecosystem by multiple antiviruses and system utilities. During the presentation I will show how we can use it to change third-party applications, how to write a simple keylogger in 20 lines of code, and how to inject both native and managed code into other applications. We will see memory management on x86 and some Windows internals.
Security Experience with security is a useful and even profitable skill for every technical and non-technical employee in IT. Contrary to common stereotypes, security is far more than black hoodies, math and crypto. It's also humans and communication skills. Attendees of my talks regularly ask me how to get started. Let me introduce you to diverse areas of infosec and point you to books, online courses, talks, and other resources to get you started.
Security Every month we hear about a new data breach, and billions of user passwords are being shared as we speak. How can we stop this? There is a simple solution: let’s stop using passwords! From email links to biometrics, more and more technologies are available to help developers handle different types of credentials. During this presentation, the attendees will learn about some of the alternatives and how to implement them.
Security Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, the password reset form, and all the validation in between, it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth and learn how to use them to make more secure apps.
Security The story is always the same; if you want to create a JavaScript centric app with API and identity security, you’re told that you need to have a server-side component for handling your identity and application security. That’s simply not the case in modern development.
In this session we'll look at client-side identity, API, and token security, exploring token downscoping methodologies, key management tools, and security on the client.
Security From IoT thermostats to self-opening windows, there's an off-the-shelf product out there that will allow you to control your home. Proprietary hubs in the cloud allow you to control your home from anywhere, but also give the vendor full control!

In this talk, Ben discusses tools and components available today to create your own home automation system. Keep control over your data, and still turn off the oven from the other side of the world!
Security IoT has been, and still is, a very hot topic. Same for security. Mix the two, and we get all sorts of scary news headlines.
In this talk, Ben will discuss ways in which you can improve the security of your IoT applications, using a live demo around automatic doors as an example.
Security The EU's new General Data Protection Regulation (GDPR) came into force in May 2018, significantly raising privacy & data protection standards. Its effects are being felt around the world, helping users to regain control of their own data outside of Europe too. As part of this, privacy by design provides a primary line of defence between companies and terrible headlines. Learn what developers & project managers need to know about GDPR in this talk.
Security Keeping your web application secure and free from vulnerabilities is hard work, even if you know the OWASP Top 10. In this talk I will show tools, best practices and patterns to help you with this, so that you can find security issues before an attacker does and even prevent them in the first place.
Security In this talk, I speak about some basic actions to secure your API. Keeping in mind that an API remains a web application, just without HTML/JavaScript, I will do a demo of SQL injection and then quickly review the OWASP Top 10 application security risks. From there I zoom in on authentication, focusing on OAuth2/OpenID Connect. Stepping up to API management, I deep dive into some features that can help us secure our APIs.
Security Using JSON Web Tokens (JWTs) for API authorization can have awesome benefits over the more traditional session-ID approach: stateless verification/authorization, cross-domain use, and being client-side readable. But using JWTs on the web can be contentious. There is a lot of concern (and a lot of FUD spread) about using JWTs in web apps, specifically about storing the JWT in localStorage, but luckily there is a better way...
Security The Open Web Application Security Project (OWASP) curates a list of the top ten security risks for web applications and how to mitigate them. The ever changing world of web development created a challenge for the 2017 list, which needs to combine both existing approaches and modern trends in web development. We will have a look at each item in the list, see what can go wrong (with code!), and make sure that this won't happen in our web sites.
Security TLS encryption is an important part of website, service and app deployment, and plays a vital role in protecting data in transit. TLS 1.2 has been around since 2008, and it's being replaced by the excitingly-named TLS 1.3. This talk will give you a rundown on the shortcomings of TLS 1.2 and earlier versions, how and why 1.3 changes things, and what changes you may need to make in your deployments to take advantage of the 1.3 enhancements.