"Hack Yourself First" is all about building up defensive skills in developers. It looks at security from the attacker's perspective and takes them through the steps necessary to exploit vulnerable software on the web so that they can experience hacking first hand. Workshop participants are set specific goals they must complete that involve probing for risks and then exploiting discrete vulnerabilities in a specially built vulnerable application. The interactive nature of the workshop means that multiple attack vectors are usually identified across the spectrum of participants and each person contributes their own unique perspective as to how specific risks are exploited.

The objective of the workshop is that each person walks away with demonstrated experience across a broad spectrum of specific risks. They not only learn about but also demonstrate practical experience across a range of different vulnerabilities targeted to the specific needs of the group.

Courses run for two days on the following schedule:

The first day build fundamental security skills that all technology professionals delivering applications on the web should posses:

- Discovering Risks via the Browser
- Using an HTTP proxy
- XSS
- SQL Injection
- CSRF
- HTTPS
- Framework Disclosure

The second day delves deeper into online risks, covering more advanced topics in greater depth:

- Password Cracking
- Account Enumeration
- FiddlerScript
- Content Security Policy
- Session Hijacking
- Subresource integrity
- Brute Force Attacks
- Automating Attacks and Review

Attendees will get taught the mechanics of each of these risks and of course the defensive patterns required to defend against them. But more than that, they get exposed to how to think about security; how to apply it in depth via multiple defences, how to choose appropriate controls based on the specific risk of the feature and how to have the discussion about what makes sense in different circumstances.

Above all though, security is just one factor in delivering working software and it has to be applied appropriately. Sometimes it comes with a trade-off against usability or cost and decisions have to be made about not what's just most secure, but what's in the overall best interests of the product being built. This workshop helps those who attend have the right discussions about when and where to invest in security.

- Software Developers
- System Administrators
- Testers

This workshop is aimed at any software developer, system admin or tester who wants to get a better understanding what is going on in cyber space if it comes to hacking and cracking of systems. This workshop enables you to take a pro-active approach and you learn how hackers will try to break your system. This workshop will be an eye opener for most attendees and it is the starting point of becoming a better developer. It all starts with awareness and improving your own habits. So start hacking yourself first, to become a better developer!

Attendees will need to use their own computer with one of following software options installed: Fiddler: 

https://portswigger.net/burp/communitydownload

If possible please also bring your smartphone.

2 Days

Hack Yourself First: How to go on the Cyber-Offence

Security

The class is a combination of lectures, security testing demonstrations, code review, and interactive threat modeling discussions. Students will learn the most common threats against applications. More importantly, students will learn how to code secure software via a variety of techniques such as secure design practices, defense-based coding, the use of security libraries and services, and the use of a variety of web security standards.

As part of this course, we will explore the use of third-party security libraries and frameworks to speed and standardize secure development. We will highlight production quality and scalable controls from various languages and frameworks including Java, PHP, Python, Javascript, and .NET, but any developer building web applications and webservices will benefit from this class.

Familiarity with the technical details of building web applications and webservices from a software engineering point of view.

Any laptop that can run an updated web browser and "Burp Community Edition".

Day 1 of the course will focus on web application basics.

Introduction to Security Goals and Threats

Day 2 of the course will focus on API secure coding, Identity, and other advanced topics.

Webservice, Microservice, and REST Security

The course will include several hacking and secure coding labs!

Building Secure API's and Web Applications

2022 is an excellent year to either start learning OAuth & OpenID Connect from scratch or give them a refresher. With the upcoming OAuth 2.1 protocol revision, the protocol has been streamlined and simplified and the specification has been updated to meet modern application and security requirements. At the same time ASP.NET and .NET in general has excellent support for all the moving parts needed to implement an OAuth-based security system.

This full-day workshop teaches you all the OAuth you need utilizing the most common and practical techniques and libraries in the .NET ecosystem. Besides looking at built-in features of (ASP).NET, we will use popular frameworks like IdentityModel and IdentityServer, and we will learn how to use them to secure native/desktop and web applications as well as SPAs, Blazor WASM applications, APIs and daemons.

Typical protocol flows and application scenarios

Simplifying protocol interactions with IdentityModel

JWT Bearer authentication handler for ASP.NET

Automatic token management with IdentityModel.AspNetCore

Integrating various applications into one coherent architecture

Native/desktop applications (e.g. Windows desktop or mobile apps)

1 Day

OAuth, OpenID Connect & .NET – the Good Parts

In this workshop, you will discover best practices for building secure APIs. We investigate various techniques to implement authentication and authorization, along with their trade-offs and pitfalls. We dive deep into handling JSON Web Tokens, but also discuss the relevance of browser security features such as Cross-Origin Resource Sharing. Additionally, we discuss current best practices for securing an API with OAuth 2.0.
This course offers practical and immediately applicable security advice for architects and developers. Throughout the course, Philippe is available to answer any questions, including concrete scenarios applying to your own applications.
Concretely, we will cover the following topics:

Modern security header configurations for APIs

Understanding Cross-Origin Resource Sharing (CORS)

Making authorization decisions with access tokens


This workshop consists of a mixture of lectures, demos, interactive quizzes, and hands-on labs. The lectures provide in-depth knowledge of attacks and defenses. The hands-on labs are conducted in a custom-built competitive training environment, allowing participants to gain hands-on experience with offensive and defensive technologies.

This security training specifically targets API developers. Anyone involved in building API-based systems or managing development teams should be here. This training course is not just any training course. It is packed with in-depth and up-to-date content. We do not merely brush over a threat and defense but focus on the underlying cause and consequences. Why do we have this problem? Which mitigations are often used? Why are some ineffective? Which one is the current best practice? These are the questions that will be answered throughout the training.

To participate in this training, you should have development experience with APIs. Familiarity with the basics of security is helpful, but not required. The training will use examples from the Spring Boot and NodeJS ecosystems, but also applies to other environments.

To participate in the lab sessions, participants need an internet-accessible laptop with a modern browser installed (E.g., Chrome, Firefox).

API security for developers

Root, UID transitions, and capabilities (*)

Creating a child process in a new namespace: clone()

Combining user namespaces with other namespaces

What does it mean to be superuser in a namespace?

The BPF virtual machine and BPF instructions

The primary audience comprises designers and programmers building privileged applications, container applications, and sandboxing applications. Systems administrators and DevOps engineers who are managing such applications are also likely to find the workshop of benefit.

The workshop consists of a mixture of presentations coupled with practical exercises that allow participants to apply the knowledge learned in the presentations.

Participants should be familiar with fundamental system programming topics such as file I/O using system calls, signals, and the system calls that define the lifecycle of a process (

). For a refresher on these topics, you can download the course materials available at 

. In addition, participants should have a reading knowledge of the C programming language. (Note, however, that the practical sessions do not require writing C programs.)

You'll need a laptop with Linux installed - either as a native install or inside a virtual machine (VM). You should ensure that you have a fairly recent Linux distribution.

Linux Security and Isolation APIs Fundamentals

Linux

These environments need more security features than originally specified in OAuth. That’s the reason both the IETF (BCPs) and the OpenID Foundation (FAPI) started working on a number of documents which update the original specs and threat models and give more prescriptive guidance. The discussion during creation of those documents led to the conclusion that OAuth itself needs updates to provide a better security baseline for the things to come.


First, we look at the so-called “best current practices” (or BCP) documents that cover security patterns and anti-patters as well as common attacks and implementation flaws and how to fix them. This includes general implementation guidance, as well as very specific guidance for web applications, SPAs and native apps.

All these BCPs combined form the foundation for the upcoming revision to OAuth called OAuth 2.1



Next, we will look at currently released add-on specifications that help improve the security of today’s OAuth architectures. These include:

hardening the front-channel with PKCE and signed authorization requests

hardening the back-channel with asymmetric key based client authentication and mutual TLS

hardening API calls with proof-of-possession access tokens


In part three we look at future specs that take OAuth to the next level and are in line with the grand vision currently code-named “OAuth 3.0”. This includes:

A replacement for the scope parameter using rich authorization request

Eliminating all classes of attacks against the browser front-channel using pushed authorization requests


In the last part of the workshop, we will have a look at FAPI 2.0 which defines a basic and advanced high-security profile for OAuth 2.0 and 2.1 (independent of financial scenarios) and how to apply it to the technologies you learned throughout the day.

High Security OAuth

.NET

From breaking out of your shell scripts in the CI/CD pipeline, misusing typo's in third packages or even squatting your internal package names on a public repository: there are lots of ways to get into your pipeline!

Talk (60 min)

Protect yourself against supply chain attacks through your pipeline

In this session you'll learn what possible attack vectors you need to look for, how to protect yourself against them and how to leverage GitHub's features to make your life easier!

Dependency scanning for known vulnerabilities

Secret scanning (and revoking) out of the box

Protect your code with GitHub security features

This is the talk for you! We will go through how you can create your own sandbox on Linux using the APIs available to you. This will give you insight into how large projects like chromium and docker uses these APIs to both protect the rest of the system, as well as solve problems.

Sandboxing a Linux application

Steinar will share how this can be achieved by defining a trust framework that uses the security profile FAPI 2.0 as a technical basis for the trust relationships.

Building a Trust Framework for sharing health information with FAPI 2.0 as a technical security prof

We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.

Classic Vulnerabilities

Oh hey Niall, what do you do?

I work in IT security.

Oh wow, what’s that like?

Let me tell you some stories.

Over the last 20 years of my career, I have been working with cybersecurity in both a professional and private capacity. In this talk, I will go through some of the missteps I made, what I could have done better and advice I would give to me now on various things like building out your security competence, creating security cultures within organisations, building security teams and how not to handle a vulnerability disclosure.

On building teams, security culture and creating international incidents

Based on analysis of hundreds of acquisition targets, vendors, customers and partners, it is clear that most small software companies are underinvesting in security to the detriment their future and customers. Based on our analysis, the danger zone seems to be <40 FTEs, <5 MEUR revenue. The good news is that major improvements in security can be made without the need for huge investments.

It doesn't take much to be above average: The critical shortcomings of small software companies

One day in 2012, that exact thing happened at Evernote, resulting in 50Million users being compromised overnight.

Hear what happened, what we did, and what to do from someone who has direct experience with breach recovery and cleanup.

Opening the Playbook: What to Do When You've Been Hacked

We will also discuss how developer team and security teams struggle to talk in a common language to prevent and mitigate those vulnerabilities. Lastly, we will see how you can prevent and mitigate them in real-life.


Common Python coding mistakes, how they can cause vulnerabilities and how to solve it!

If so – join my session! I’ll show you real-life attack scenarios to convince you that misconfigurations can have dire consequences.

Cloud Hacking Scenarios

This talk with review the history of application security to help illustrate not just how much application security has gotten better, but also how the rate of positive change has been getting better as well. This fun ride through the history of application security will help inspire those who work in the very stressful security industry. Security professionals are often looking closely at failure and insecurity as part of their work, which can be exhausting on many levels. But when we step back and look at our sector historically, we can all see just how much things genuinely are getting better.

Keynote: The Abridged History of Application Security

Every language has its peculiarities, dedicated security features and recommended APIs. This session reviews several new security enhancements available in the recent version of the Java platform. Examples are SHA-3 support, deserialization security, better TLS and DTLS support, web plugin deprecation, security manager changes, improved key management, dangerous API deprecations and a whole lot more. This session gives a solid overview of the security defenses offered in the Java 9, 10, 11 and 12 platforms.

Advances in Java Security

In this presentation, I'll provide a high-level view of each of these technologies and explain their role in securing applications, limiting resource consumption, and virtualizing the environment seen by running processes.

The Building Blocks of Linux Containers and Sandboxes - Part I

Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.

AppSec is too hard!?

I'm going to talk about our infrastructure and how we use the most awesome data structure that you're probably not using, a Bloom Filter, to help us handle unimaginable amounts of data with amazing speed and space efficiency.

Hyper Speed! When Big Data Blooms

In this interactive talk you'll learn best practices for setting up an internal bug bounty at your company and get some ideas for how to make it fun!

Gamify Your Security: Setting Up an Internal Bug Bounty

Looking at how Saml2 approaches the top 10 challenges of a Single Sign On Protocol makes a strong argument on why OpenID Connect is better on every single point.

Why we should kill Saml2

18:40-19:45 - Conference reception in Expo with nibbles and drinks

19:45-20:45 - Fun talks hosted by Niall Merrigan in Room 1

20:45 - 22:00 - Burgers and drinks at Skråplanet.

Half-Day

NDC Party

This talk gives an overview of the ASP.NET Core security features, by looking at how they address the most common security issues: The OWASP Top 10.

ASP.NET Core vs OWASP Top 10

The Building Blocks of Linux Containers and Sandboxes - Part II

X-Road is used nationwide in the Estonian data exchange layer X-tee, in the Suomi.fi Data Exchange Layer service in Finland and in the Straumurinn data exchange platform in Iceland. However, X-Road is not just for public sector organisations – all kinds of organisations regardless of size or type can use it. Two X-Road ecosystems can be joined together, federated. Federation enables easy and secure cross-border data exchange between countries using X-Road.

Nordic Institute for Interoperability Solutions (NIIS) is a non-profit association with the mission to ensure the development and strategic management of X-Road® and other cross-border components for digital government infrastructure. The republics of Estonia, Finland and Iceland are members of NIIS.

X-Road provides a solution to API management and its approach is quite different from other solutions on the market. In addition, the development model – multiple countries developing an open source solution that‘s used for implementing nationwide services in multiple countries – is quite unique even in global scale. The aim of the presentation is to discuss X-Road as a platform, the security guaranties that it provides, its cross-border data exchange capabilities and its unique development model.

Secure Data Exchange in  Digital Government Context

But by using in a third-party library you also pull in it's issues and possibly security problems that are found over time. What does the library do? And what type of other libraries and/or functionality does it rely on? What do the projects/people behind it do for security?
If we develop a .NET application using external libraries can we improve our security posture? Other new technologies like WebAssembly introduced a concept of nano-process, which allows the developer to limit the capabilities available for an external module by creating a restricted sandbox for it. Could we maybe do the same in .NET? In the old days we could use AppDomains and Code-Access Security (CAS) to achieve that, but with the introduction .NET Core there only is a single AppDomain and CAS has been deprecated.
Luckily with .NET Core we did get more internals exposed on AssemblyLoadContext and in this session we're going to create a sandbox using that. A restricted sandbox that limits the functionality available that will improve the security posture of our application!

Sandboxing .NET assemblies for fun, profit and of course security!

The benefits of taking a DevSecOps approach are easy to explain and natively visible for development and security teams. But how do you know that DevSecOps is working?
In today's milestone of DevSecOps, you need to measure your security to demonstrate success and drive further transformation.
What marks a high-secure team? Which KPIs can tell you what's working and what's not—and lead you to the insight that will explain why? What do you measure, how do you measure it, and what do the numbers say in reality?
This talk outlines the most relevant KPIs that will create the foundation of DevSecOps metrics. The exercise that will continue to evolve as DevSecOps methodology becomes more established in teams of all type.

You will learn how to determine which security KPIs are essential to track for your team, how to do that, and how to visualize the metrics. The session goes from theory by introducing the metrics framework to technical demo.

Measuring DevSecOps: building metrics to understand effectiveness and success

Seen from a technical perspective HelseID is an OAuth2 and OpenID Connect implementation. Both of these protocols were designed (and are continually adjusted) with modern web applications and modern infrastructure in mind. As health care by nature is a very conservative industry, legacy (non web-native) software is more the norm than not. Thus, introducing a service like HelseID has been and is a challenge. 

In this talk we will look at HelseID, what it is and what we have done to make sure it covers the particular needs of the Norwegian health sector. Furthermore we will dig into some of the unique challenges we must handle in a high risk sector like health care. Finally we will look at some real-life examples of how we support legacy systems while also supporting modern applications.

HelseID - Introducing Modern Web Security in a Geriatric Health Sector

We will look at the constructs we are using (and not using) and why changing some of the ways we typically write our code, can have security benefits. We will grab some elements from (modern) Domain Driven Design and see how we can use this to avoid or limit vulnerabilities.

Secure coding - back to basic

Side channel analysis is a type of attack on cryptographic implementations that sidesteps the traditional black box security model. By observing e.g. the power consumption of a device while it performs cryptographic operations, one can analyze and gain knowledge about the information being processed. From there the secret key can often be reconstructed byte for byte.

In this talk, I will introduce side channel analysis in general, and then focus on how to attack AES using correlation power analysis (CPA). Finally, I will demonstrate a real attack extracting the secret key from AES running on an embedded CPU.

Breaking AES with side channel analysis

In this session, we use real-world cases to dive into best practices for securing your APIs. We discuss the attack surface of an API, common authorization problems, and best practice techniques to avoid these problems. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs.

Getting API security right

If we think about our production microservices operations, in the same way we think about how we design and build our products, we could build and automate minimum viable security plans that we could easily bake into our config files and CI/CD processes. Once we build this foundational framework of security, it will always be possible to iterate and evolve our security framework, for advanced layers of security that often comes with time, increased experience, and greater maturity around security.

In this talk, we will present what MVS looks like for microservices operations, how to build a cluster secured by design, continuously monitoring networking, container internals and primitives, and access management with a least privilege principle mindset. In this session we will demonstrate this through code, and even how this can work seamlessly with other ecosystem projects - from Helm to OPA, ArgoCD, Notary and more.

Minimum Viable Security for Modern Tech Stacks

Because pattern matching cannot operate on encrypted data, previous approaches have leveraged observable metadata gathered from the flow, e.g., the flow’s packet lengths and inter-arrival times. In this session we will walk through the machine learning models and algorithms that have offered an efficient way of detecting malware in encrypted traffic, without decrypting the traffic. To set the stage, we will first also have a broader look at the uses of AI and ML in cyber security.

How to detect Malware in Encrypted Traffic WITHOUT Decryption

Projects like Open Policy Agent (OPA) have brought policy management to forefront, and have provided one method for applying centralized policy at scale - for improved security and compliance. This talk will review different methods for applying centralized policy at scale, demoing this through OPA as a policy operator, and applying policies to Kubernetes config YAMLs, for a real world example for how you can integrate security through code to your services as well.


Centralized Policy Management at Scale

Marit and Christian introduce the concept of binary exploitation with code examples. They demonstrate how to exploit a recent vulnerability in Sudo by explaining the vulnerability and the exploit, and running it live! Then they will demonstrate ways to detect and prevent memory corruption vulnerabilities in your software.

Demonstrating binary exploitation with a recent vulnerability

This talk dives into experiences from exploring and securing a smart home, as someone who's received a fair share of threats, and pivots to cover how this aligns with possible nation-state interference on the go.

Smart home threats, with a pinch of nation-state hackery

This is not a talk filled with code, but filled with examples of do's & and don'ts from more than 23 years of obsession into passwords & digital authentication. An obsession which started with a domain admin at a Fortune 500 company using "password" has hen's password.

Passwords are not going away, so make them easier on users. PLEASE!

Vulnerabilities that Hide From Your Tools

- Who can push code into to an environment?
- Who could read and change the connection strings to the database?
- Who can create new resources in your cloud environment?
- Do you trust your third party extensions?
- What part of the network does your pipeline have access to?

I'll go over each of these aspects of your GitHub Actions Workflows and show you what to look for and how to improve your security stance without locking every DevOps engineer out.

NDC { Security }

Agenda

09:00 - 10:00 (UTC+02)

Keynote: The Abridged History of Application Security

Jim Manico

10:20 - 11:20 (UTC+02)

Gamify Your Security: Setting Up an Internal Bug Bounty

Jillian Ratliff

Protect yourself against supply chain attacks through your pipeline

Rob Bos

The Building Blocks of Linux Containers and Sandboxes - Part I

Michael Kerrisk

11:40 - 12:40 (UTC+02)

Building a Trust Framework for sharing health information with FAPI 2.0 as a technical security prof

Steinar Noem

Protect your code with GitHub security features

Rob Bos

The Building Blocks of Linux Containers and Sandboxes - Part II

Michael Kerrisk

13:40 - 14:40 (UTC+02)

On building teams, security culture and creating international incidents

Niall Merrigan

Classic Vulnerabilities

Patricia Aas

It doesn't take much to be above average: The critical shortcomings of small software companies

T. Alexander Lystad

15:00 - 16:00 (UTC+02)

AppSec is too hard!?

Philippe De Ryck

Why we should kill Saml2

Anders Abel

Common Python coding mistakes, how they can cause vulnerabilities and how to solve it!

Christopher Van Der Made

16:20 - 17:20 (UTC+02)

Cloud Hacking Scenarios

Michal Brygidyn

Advances in Java Security

Jim Manico

Sandboxing a Linux application

Martin Ertsås

17:40 - 18:40 (UTC+02)

Hyper Speed! When Big Data Blooms

Scott Helme

Opening the Playbook: What to Do When You've Been Hacked

Heather Wilde

ASP.NET Core vs OWASP Top 10

Anders Abel

18:40 - 22:00 (UTC+02)

NDC Party

Niall Merrigan