February 26-28, 2020
Montreal, Canada

Security Conference

Security The number of Unicode code points has never stopped growing, and neither has its integration into modern technologies. Your web application is likely to support input and output formatted in the UTF-8 character encoding. In this talk, you will learn about the security implications. What are the potential side effects of normalizing a UTF-8 string? How can encoding affect security controls? What are the security risks brought by punycode domains?
Security Health data is some of the most private information your app can collect. You have a duty to your users to keep that data private, secure and encrypted. You also need to adhere to strict laws protecting that privacy, while scaling your company.

You'll learn about Protected Health Information (PHI) and how to protect it on Amazon Web Services.
Security OWASP, a nonprofit composed of security experts from around the world, provides a number of free and open source tools designed to help you secure your applications. Learn how to integrate these tools - from active penetration tests to project dependency checkers - into your DevOps pipeline and deliver on the promise of continuous security.
Security Content Security Policy is the most effective browser measure for web application security in a decade, and one of the reasons why browser developers have started removing other security safeguards like their Cross-Site Scripting auditor. But creating an effective Content Security Policy is not always trivial. This session will discuss lessons learned from many CSP projects: what is working, where the issues are, and what features we can look forward to.
Security As GraphQL is set to overtake RESTful architectures, this newfound popularity also draws the attention of hackers. Well-known companies have suffered from critical vulnerabilities hidden within GraphQL endpoints. I will show you what GraphQL looks like from a hacker's perspective and walk you through typical attacks against this technology. We will wrap up by discussing ways developers can protect their API from these threats.
Security In this session, you'll see how to leverage open source Spring Security to implement OpenID Connect & OAuth2 with ease, adding powerful & extensible mechanisms for authentication & authorization to provide end-to-end security for your critical systems.

This session is a live-coding "lock it down" exploration of how to secure your apps & assets now and maintain their security over time using 100% open source software.
Security As your code moves along the development and deployment pipeline, it becomes increasingly expensive to remediate security vulnerabilities. We will walk through each stage of this journey to introduce low cost and open source solutions to help you identify security issues before they are exposed to hackers. I will teach you how to use hacker tools to hack yourself first and protect yourself from breaches, on a budget.
Security GDPR has brought privacy & security to the fore, but it's not obvious to developers how to make privacy part of everyday development. "privacy by design" has been around since 1995, but is only now receiving the attention it deserves, providing a clear set of principles that can be used to embed privacy into development workflows. Find out how we can use modern frameworks, tools, and automation to build auditable privacy into our applications.
Security Email has been around forever and is taken for granted – but it has become more complicated in recent years. Newer features like SPF, DKIM, and DMARC are misunderstood and, judging by the questions I answer on Stack Overflow, many are getting even simple things wrong. So we'll go back to basics, review how email works, how to avoid common mistakes, take advantage of its new powers, and stay out of the spam folder of history.
Security Is your first thought when thinking about cryptography, “nope, that’s not for me!”? There’s no need for that. When explained with simple examples, you can see the basics are not that complicated. JavaScript Object Signing and Encryption, or JOSE for short, is a framework that helps us deal with encryption. It describes ways to securely transfer data either signed (JWS) or encrypted (JWE). Let’s explore the wonderful world of cryptography together.
Security As long as we’ve been using the internet, and way before that, we have been authenticating through some sort of username and password combination. It has become the standard. With the ever-increasing number of web-apps, we’re seeing more and more data breaches as well. What if we could build our authentication processes in a way the user doesn’t need a password?
Security You are the product. The digital age has brought us many conveniences with the very real cost of our privacy as payment. The terms and conditions that none of us read have allowed companies to build a persona of who we are, and possibly better than we even know ourselves. Learn what your privacy looks like today, and take very real steps toward reclaiming the anonymity that allows you to move through the world without being constantly sold.
Security Organisations build software all the time, from developer machines to CI, even public pull requests.
There are security risks associated with these actions! Come discover what they are and how to mitigate them.

The build tool is about the execution of modifications and is thus inherently insecure. However, risks can be mitigated through:
* Trusted dependencies
* Reproducibility
* Vulnerability tracking

Gradle will be used for the examples.
Security Security and Usability have been at loggerheads since we realized we need to secure our digital existence with the secure option almost always being the least usable option. More recently we have developed more usable solutions and yet users still opt for the less secure option when they can. We’ll explore how users understand their security and how we can improve their security habits through good design.
Security systemd is the default init system on several Linux distros and can do more than just start services on boot. It maintains dependencies between services, can restart failing services or activate them on demand, handles temp files, and much more. Services can also directly interact with its API. I'll show you how to use systemd to run and monitor your complex application and add tightened security, like a private /tmp or resource restrictions, on top.
Security In March 2019 the W3C released Level 1 of the recommendation for the new Web Authentication standard "WebAuthn". Supported by all major browser vendors, it strives to make passwords as well as phishing a thing of the past. Given millions of stolen credentials, the switch away from passwords should happen sooner rather than later. Learn what WebAuthn is about, how it works, and how to leverage its potential for your site today!