Name: NDC Security 2025
Start: 2025-01-20
End: 2025-01-23
Location: NDC Security

So what happens if you generate and register a bunch of cheap bitflipped versions of popular cloud / Saas provider domains, point them to your VPS, log all incoming requests & then forget about the whole thing for two years?

Well you will in fact receive a stiff bill, generate huge log files and eventually run out of disk space. But on the upside, you will also have collected a treasure trove of legit credentials & interesting stuff like valid OAuth refresh tokens, JWT tokens, bearers, cookies, emails, meeting invites with passwords & truckloads of internet scanner noise.

In this session we will revisit bit-flip research from the last decade and weaponize it. Showcase 'Certainly' a pioneering offensive / defensive tool that employs Wildcard DNS matching & on-the-fly generated SSL certificates and injects custom payloads for incoming requests across various protocols. All with the intention to downgrade security, harvest credentials, capture emails and replacing dependencies.

Talk (60 min)

Flipping Bits: Your Credentials Are Certainly Mine

Hacking

Application Security

Bug Bounties

Cloud Security

Tools

A significant focus will be on testing, covering unit tests, integration tests, and creating mocks. The session will extensively use Docker, teaching how to create Dockerfiles and manage images. Additionally, it will cover orchestrating microservices using Kubernetes, including deployment strategies and service management.

Key topics like monitoring, logging, and distributed tracing will be discussed to emphasize the importance of a healthy microservices ecosystem. The session will conclude with insights into CI/CD practices specific to Go microservices.

Workshop (60 min)

Part 2: Mastering golang micro-services: From Design to Deployment

Containers

DevOps

Testing

Architecture

Programming

These challenges are visible when reviewing the progress and evolution of DevSecOps approaches over the past ten years and how our teams have reverted to more siloed approaches despite the solid intentions and patterns defined within the DevSecOps concept.

Using data about our software teams, their behaviors, lifecycles, and projects, can we identify which application security initiatives to implement first and which are most likely to succeed and improve overall outcomes? In addition to this, can taking a developer-centric view of these programs encourage meaningful collaboration between security and software teams based on shared contextual understanding?


Using developer-centric data to predict, prioritize, and improve Application Security Outcomes

Big Data

Security

People

In this session, you'll discover how she used these techniques to "hack" people, uncovering hidden information and vulnerabilities without touching a single line of code.

Learn about the methods and strategies employed, real-world examples of successful exploits, and how understanding these tactics can help strengthen your own security measures.

Whether you're a security professional or simply curious about the art of human hacking, this session will provide valuable insights and practical knowledge.

Human Hacking: Unveiling Secrets with Social Engineering and OSINT

Experience report

This talk aims to shed light on the often-overlooked correlation between code quality and security risks. By dissecting the consequences of bad coding practices, we will explore how they can inadvertently compromise security defenses and facilitate breaches.

By the end of this session, you will have a better understanding of:
- The intricate relationship between effective human communication, adherence to coding principles, and the mitigation of security risks.
- The ways in which poor coding practices can evolve into significant security threats.
- Techniques for identifying potential exploit hotspots within a codebase.

The Hidden Dangers of Incoherent Code: How Code Quality Impacts Security

Culture

Process

Supply Chain

In this session we will describe the challenges presented by traditional cryptography libraries, and the security vulnerabilities that can result from misuse. We will then examine modern hard-to-misuse libraries, focusing on Google’s Tink library. Particular attention is paid to key storage and management.

Practical cryptography with Tink

Furthermore, we can do it using less than 100 lines of shell commands. Along the way we can learn quite a bit about the nature of a container and the Linux kernel mechanisms used to implement containers.

In this presentation, I’ll show how to use a few standard shell commands, plus the ever useful Busybox tool, to create a simple container. That container will have a root filesystem, employ Linux namespaces to provide isolation, and have an associated control group (cgroup) that allows us to limit the resources that the processes in the container can consume. Our container will have a superuser, and we’ll consider what it means to be superuser inside a container while at the same time being unprivileged outside the container.

Part I - Linux containers in (less than) 100 lines of shell

Part II - Linux containers in (less than) 100 lines of shell

Consequently, threat surfaces have broadened leading to increased cyber-attacks on third parties with over half of all security incidents being third-party related.

Recent global events have demonstrated the need for resilient supply chains whilst Environmental, Social, and Governance (ESG) and compliance to regulations creates greater scrutiny on third-party practices.

This briefing is about how to cope with the challenges of Third-Party Risk Management (TPRM) from both a customer and a supplier perspective.

The subject of third-party risk and supply chain security affects all organisations whether they be a supplier or a customer. These days organisations are typically both. This topic is very broad but relevant to everyone involved and interested in risk and security from application developers to CISO's.

This presentation is both entertaining and thought-provoking and includes a sprinkling of popular culture, music, and video.

You Gotta Fight For Your Right To Third Party

Part 1: Mastering golang micro-services: From Design to Deployment

The fast-evolving ecosystem of AI-enabled applications has exposed a complex interplay of vulnerabilities, some stemming from intrinsic pitfalls of data-driven AI and others arising from its unsafe integration into real-world applications. The goal of the session is to raise awareness about the underlying principles and practical challenges of AI security and privacy, and the ongoing mitigation efforts by both academic and industry players.

Navigating the Security and Privacy Landscape of Modern AI

AI/ML

It offers a comprehensive look into how RAG enhances real-time threat intelligence, improves vulnerability assessments, and drives forward-thinking cybersecurity strategies. Attendees will gain insights into how RAG's neural network configurations and adaptive Gen AI mechanisms empower professionals to anticipate and mitigate threats more effectively.
The presentation will also feature case studies from large enterprises and government entities, showcasing RAG's application in real-world scenarios, including phishing detection, insecure code evaluation, and security policy enforcement. The session will conclude with a discussion on the future trajectory of AI-powered risk intelligence in cybersecurity.

RAG Against the Machine

Security Tooling

Keynote

In this talk, we're going to look over the last 100 years of cinema history, to see what it has to say on the subject of InfoSec, Hacking and other security topics.

On our cinematic odyssey, we'll be looking at topics such as:

* How the dinosaur incident in Jurassic Park could have been easily avoided with a few simple changes
* What is the most accurate hacking movie?
* Who was the first hacker depicted in cinema? The answer might shock you!
* A 90s cyber-thriller that clearly doesn't understand the difference between websites and executables
* How baddies throughout cinema history could have been unbeateable with good password policies

Grab a bucket of popcorn, and let's dive on in!

Hack the Planet!  What Movies can Teach Us about InfoSec

Over the years this has been done in many ways, using e g file transfers, message buses and APIs to fit business requirements, compliance and relevant threat models. Some solutions are less secure than others and integrations often introduce risk and attack vectors.

This presentation addresses infrastructure and application layer defenses to meet high security requirements for common types of integrations. In particular for HTTP APIs - from HTTPS, API-keys and Basic Authentication to OAuth2 with mutual TLS, Private Key JWT and DPoP.

Secure System Integrations

AI enhances security through automated detection and analysis, swiftly processing vast amounts of data to spot and predict threats, and Quantum Computing holds the promise to revolutionize various industries by offering unparalleled computational speed and efficiency, enabling it to tackle complex problems far beyond the reach of classical computers.

Yet, these benefits also come with risks: AI's capabilities can be exploited for advanced phishing, vulnerability discovery, and creating adaptive malware, complicating the cybersecurity landscape, while Quantum Computing further challenges digital security by threatening to undermine traditional encryption, making existing protections potentially obsolete.

This session will explore the mixed impact of AI and Quantum Computing on Cybersecurity, highlighting both the advancements and vulnerabilities they introduce. We'll discuss current threats like supply chain attacks and ransomware, alongside the integration of Privacy Enhancing Technologies (PETs) with AI and quantum defenses, offering a strategic viewpoint on safeguarding against the future of cyber threats.

Cybersecurity in the Era of AI and Quantum Computing

This session explores a novel attack vector, homoglyph-based attacks, that effectively bypasses state-of-the-art LLM detectors.

We'll begin by explaining the idea behind homoglyphs, characters that look similar but are encoded differently. You'll learn how these can be used to manipulate tokenization and evade detection systems. We'll cover the mechanisms of how homoglyphs alter text representation, discuss their impact on existing LLM detectors, and present a comprehensive evaluation of their effectiveness against various detection methods.

Join us for an engaging exploration of this emerging threat and to gain insight into how security researchers can stay ahead of evolving evasion techniques.

Homoglyph-Based Attacks: Circumventing LLM Detectors

In this talk we will look at the unintended users of a product, the “threat agents”.

By engaging the Security team in the Product process, we can model the dark side of use cases and user stories through threat modelling techniques. This can help demystify impenetrable security NFRs through concrete examples of how these threat agents may try to misuse your shiny new digital product.

Who this event will benefit
Those building products/apps exposed to the web
People who are wanting to build out an awareness of the possible attack vector use cases (i.e. how might you be attacked)
People who need to write that down as a set of requirements to help build a DevSecOps approach in projects

(Ab)user Experience: The dark side of Product and Security

Design

Mobile Application Security

SDLC

Java, with its recent strides in modernization and optimization, from enhancing startup times to facilitating native execution and advancing machine learning applications, stands at the cusp of this transformative era.

Join us in this journey, where we will embark on an ambitious challenge to build a high-throughput firewall leveraging the combined power of eBPF and Java. We'll start with a deep dive into eBPF's capabilities for kernel-level packet manipulation, then transition to how Java's latest advancements, particularly through Project Panama, enable seamless native code invocation and interoperability. Our focus will then converge to a hands-on demonstration of building a simple firewall using eBPF and Java, integrating kernel-level operations with high-level programming for real-time performance enhancements.

Attendees will gain practical insights into deploying eBPF programs from Java using the hello-ebpf library, managing packet flows efficiently, and implementing firewall rules with precision, leveraging the strengths of both worlds.

Building a lightning fast Firewall with Java & eBPF

In software development and security, unexpected and rare events can have catastrophic consequences, but they also separate which systems have the right to exist. As system complexity increases, it becomes harder to it secure and prepared for unknown events. Building security into every little piece of the system is a more effective way to handle risk.

The Secure by Design approach teaches how to create robust software with design as the primary driver for security. We will demonstrate some of these patterns and how using them will lead to more secure code without thinking about security explicitly. We will also give a walk through of our take on defence in depth and the steps necessary to secure an API request pipeline from top to bottom.

This talk will introduce antifragile and look at how the idea impacts software development and security. We will look at examples from real-world systems, trying to learn from them and improve how we build secure software systems. We will connect the ideas from antifragile to concrete code/architecture examples, utilizing Secure by Design as a mindset.


Building antifragile systems using Secure by Design

Participants will be split into small groups and given real-world vulnerabilities to tackle. Your challenge: instead of just "fixing" them, you'll work together to eliminate their root cause. With the guidance of the lecturer, you'll explore techniques, including automating security mechanisms, and leveraging the most modern web standards (e.g. CSP3, Trust-Types, Sec-Fetch) beyond the OWASP Cheatsheets.

By the end of this workshop, you'll walk away with a deep understanding of how to make vulnerability classes obsolete and ensure your systems are resilient to whole categories of attacks.

Whether you’re a developer, security engineer, or researcher, this workshop will change how you approach security by focusing on scalability, automation, and proactive safeguards.

Part 1: Stop Firefighting Vulnerabilities, Start Eliminating Bug Classes at Scale: A Hands-On Workshop

What are the properties of a 'simple' process that we should be aiming to achieve?. This talk will go beyond just making things easier, and leverage the science of simplicity to explain what 'simple' means, how to evaluate whether existing threat modelling processes are simple, and how you can improve your threat modelling process to deliver a more developer-aligned process that will increase adoption.

Improve your threat modelling through the science of simplicity

In november 1988 the world woke up to what many thought was an attack against the then young internet. Administrators and network managers arrived to work only to find that all the computers in their care had become unusable slow and unresponsive. Even the old reliable trick of rebooting the systems did not have any effect. The internet was compromised.

An attack such as this had of course been theorised about, but no one had imagined that a threat could pop up seemingly over night and cripple critical infrastructure across an entire continent. Robert Morris would learn this first hand when he the night before executed and released the original copy of what history would dub "The Morris worm" into the wild.

In this talk we turn the clock back to early computer history. From the earliest days of using printers to bypass password security, to the Morris Worm that leveraged insecure architecture and predictable user patterns. These are some fun stories that highlight incidents and what we can still learn from them.

Hacking History: The first computer worm

Several academic studies show that AI generated code based on LLM's that are trained on vulnerable OSS implementations lead to vulnerable generated code. Another study showed that developers tend to trust GenAI created code more than human created code. Combining that with the higher code velocity it will result in more vulnerabilities in it's output.
Using an AI system that runs an LLM also has additional risks tied to it, related to jailbreaks, data poisoning and malicious agents, recursive learning and IP infringements.
In this presentation, we will examine real-world data from several academic studies to understand how GenAI is changing software security, the risks it introduces, and possible strategies to address these emerging issues.

Using GenAI on your code, what could possibly go wrong?

In this presentation, we'll explore privacy engineering and discover how it can strengthen security. Privacy by design actually requires a very similar approach to security by design. This session will explore how privacy can be successfully integrated into security practices, such as threat modeling, while strengthening the security posture along the way.

I don't need privacy, I got confidentiality!

Privacy

Unfortunately this is not always the case as there is so much information that our brains need to take shortcuts to keep up. This is where biases come into the equation, and this can have a detrimental effect on our ability to secure our private and business lives.

In this session, Niall will look at various things that can affect how we make decisions as well as complicate our ability to react when dealing with a security event. We will look at real world examples of this and what happened and what could have been done.

This session will ask you to do an introspective on your security practices and look for own biases so that you can protect yourself better.

Optimistic Security

Participants will discover how Prompt Engineering can mitigate common vulnerabilities such as XSS and injection attacks by leveraging AI-assisted code generation to enforce secure coding practices. Through practical demonstrations, we will explore real-world applications of secure prompts, automated code suggestions, and validation tools that ensure the best security practices. Attendees will also learn how to integrate these techniques into their CI/CD pipelines, enabling continuous validation and security enforcement.

Whether you're a React developer looking to incorporate AI tools, a security professional exploring automation, or an architect designing modern front-end systems, this session will provide actionable insights and cutting-edge techniques to leverage AI to create secure, scalable, and intelligent React applications.

Securing React: Prompt Engineering for Robust and Secure Code Generation

This session will provide valuable insights and practical knowledge on leveraging SAMM as secure development framework:

Tools and Assessment Guidance: Discover the range of SAMM tools available to support your software assurance efforts. We will explain the latest assessment guidance, providing you with the knowledge to utilize these tools to their fullest potential.

Mapping to Other Frameworks: Learn how SAMM maps to other frameworks, such as the NIST Secure Software Development Framework (SSDF) and OpenCRE. This will enable you to leverage SAMM for demonstrating compliance and enhancing your software security posture for any compliance requirement.

Benchmark yourself against peers: The OWASP SAMM Benchmark enables organizations to anonymously compare their software security practices against industry peers, providing insights to identify improvement areas, prioritize security efforts, and track progress over time.

Level Up Your AppSec Game: SAMM's Roadmap to Security Excellence

18:40 - 19:30 - Conference reception with food and drinks in the expo.
19:30 - Late - After party at Summit Bar on the 21st floor.

Talk (140 min)

NDC Party

In this talk I will take you through 3 common AppSec program maturity levels I have encountered over the years, with practical and actionable next steps you could take immediately to improve your security posture.

Keynote: Maturing Your Application Security Program

Part 2: Stop Firefighting Vulnerabilities, Start Eliminating Bug Classes at Scale: A Hands-On Workshop

The session kicks off with an introduction to Kubernetes security challenges, setting the stage for understanding why securing K8s clusters is paramount in today's dynamic threat landscape. We will then navigate through OWASP's best practices tailored for Kubernetes environments, shedding light on key guidelines to fortify your containerized applications.

Moving into the practical realm, the agenda unfolds to reveal a well-defined workflow for Kubernetes security. Attendees will learn how to seamlessly integrate security practices into their development and deployment lifecycle, striking a balance between speed and security. The discussion will extend into CI/CD integration, showcasing the implementation of automated security testing within pipelines, ensuring continuous security validation.

An integral part of the session is the exploration of cutting-edge tools designed for securing Kubernetes. Live demonstrations will provide a hands-on understanding of tools for vulnerability scanning, runtime protection, and policy enforcement, helping attendees make informed decisions based on their specific needs.

Whether you're a developer, DevOps engineer, or security professional, this session is your gateway to enhancing the security posture of your Kubernetes deployments, guided by OWASP best practices.

Part 2: Securing Kubernetes: Practical Workflows and Tools for Enhanced Cluster Protection

Kubernetes

In this session, we use real-world cases to dive into best practices for securing your APIs. We dive into FOUR crucial vulnerabilities highlighted in the OWASP API Security top 10, exposing the areas you need to safeguard against. But we don't stop there. We also bring the threats to life with ONE demo, providing a practical look at how these vulnerabilities can be exploited. Lastly, we'll discuss TWO real-world case studies, where you'll see how even high-profile organizations can fall victim to these weaknesses. At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs.

SEVEN things about API security

One of the main reasons of low TPM adoption is that interfacing with TPMs is quite hard: there are competing TPM software stacks, lack of key format standardization and many operating systems are not set up from the start to make TPM easily available (TPM device file is owned by root or requires privileged group for access). Even with a proper software stack the application may have to deal with low-level TPM communication protocols, which are hard to get right.

In this presentation we will explore a better integration of TPMs with some Linux Kernel subsystems, in particular: kernel keystore and cryptographic API. We will see how it allows the Linux Kernel to expose hardware-based security to third party applications in an easy to use manner by encapsulating the TPM communication complexities as well as providing higher-level use-case based security primitives.

TPMs and the Linux Kernel: unlocking a better path to hardware security

Platforms

We want to scale our security programs and improve security culture and communication, but what happens when are champions are less-than-enthused? There’s no support from management? We can’t get enough buy in? Let’s look at when things go WRONG with security champions programs, with this list of WORST practices, and how to avoid each one.

Security Champion Worst Practices

In this talk, we'll dive into how Open FGA, an open-source fine-grained authorization solution, tackles these challenges head-on. We'll highlight the shortcomings of RBAC and show how Open FGA uses relationship-based access control (ReBAC) to offer a more flexible and detailed approach. You'll see how this tool can boost security, performance, and access management across various systems. If you’re curious to learn why the future of authorization is fine-grained and how Open FGA is paving the way, you don’t want to miss this session.

Role-Based Access is So Yesterday: Revolutionizing Authorization with Open FGA

More importantly log based detections as well as some Endpoint Detection & Response products will utilize process creation events written to Windows Security to either enrich detections and show an analyst exactly what was run, or they will be part of the detection itself.

Unfortunately, there has existed a technique for some time now which allows an attacker to stop what is really being run on the command line from being logged. This works for process creation logs generated by Windows itself, Sysmon and even Defender XDR Device logs.

This presents attackers with an opportunity to evade some types of detection and if they pair EDR/logging bypass techniques with this technique it makes the job of an analyst trying to deconstruct what has actually occurred.

In certain circumstances an attacker could even change the command to something which occurs often within an environment get basically trick an analyst into thinking certain detections are likely false positives.

In this presentation we will go through the following;
- Understanding how a process log is created under normal circumstances.
- How useful process creation logs can be to analysts and security teams
- Showing how an attacker can use a previously discovered technique to mask the true command which is run.
- A breakdown of the code used to produce the incorrect logs and why this cannot currently be fixed.
- A number of scenarios demonstrating how both logging detections and EDR detections can be impacted by this technique.

Included in this session will be either live demonstration or pre-recorded attack where we can clearly see the malicious commands run and the resultant logs within the Windows system.

Key Takeaways
- Logs are an important part of the detection and analysis process and if they cannot be trusted to be accurate we have a big issue.
- If this cannot be fixed or detected easily its use could skyrocket.
- This technique could be in widespread use and due to the very nature of how it works it has gone under reported.

1. High level explanation of how processes are created and logged in Windows
2. High level usage for process creation logs across Windows native logging, Sysmon and Device Logs 3. 2 scenarios a. How log based detections are impacted by this technique and what it means for analysis b. How EDR alert triage can be affected even if the detections are not
4. Overview of why this may not be possible to fix and MSRC response to our submission.
5. Questions

Spoofing Commands - Can You Trust Process Creation Logs?

Dark Arts

Instead of an endless fight, they act as defenders, addressing issues like thieves, intruders, or zombies if we stay on game terms. Join this session to learn how to ensure web security through your automated tests, emphasizing the fundamental testing types you know instead of focusing on tools only: Helping you navigate cyber threats without the necessity of introducing new dedicated tools and ensuring your web apps stay secure.

Plants vs thieves: Automated Tests in the World of Web Security

These responses not only safeguards the security of Google's products and users but also extends its reach to millions of devices connected to the Internet, in certain instances, including the case I'm going to share here in details.

In this talk, I'd like to go through a recent incident at Google, including technical details, in which I was the global lead. The incident involves the discovery by a Google's security researcher of a critical CPU vulnerability (Reptar) and the extensive remediation efforts across all of Google's products and systems.

The incident presented a confluence of intriguing technical challenges and unique operational complexities. I plan to elaborate on the strategies employed by Google to address these challenges effectively, emphasizing the time constraints and pressures under which we operated.

Inside Google's Discovery and Remediation of a Critical CPU Vulnerability

Part 1: Securing Kubernetes: Practical Workflows and Tools for Enhanced Cluster Protection

We'll take it even further and will show an example on how we found an infected endpoint before an alert was triggered by using threat hunting techniques and some human smartness. Bits, bytes, base64, hex, and some AI of course. Very nerdy stuff.

And as all my stories begin; "It was a dark and stormy night..."

War Stories From the SOC

Floki: Defining Agentic Workflows for Security

What few users know is that the Registry has a major security hole, allowing module authors to insert malicious code without the end user being aware. Come to this talk to learn about supply chain attacks and watch Kyle steal his own enterprise credentials through a module on the Terraform Registry. Guaranteed, you will never use it again.

LIVE DEMO: Supply Chain Attacks in the Terraform Registry

In this demo, I will show how badly things can go, and what we can do to prevent that. The presentation is structured so that anyone with a basic software development can adapt and run it for their own team. Everything needed for running the demo can already be found at 

https://github.com/equinor/appsec-demo-rce-python

RCE via legacy dependency in Python


This is why we are presenting a “run-of-the-mill” simulation of a full network breach, from initial access, to discovery, lateral movement and finally exfiltration. Based on public DFIR reports, MITRE’s ATT&CK framework and common hacking tradecraft as covered by atomic red-team tests, we demonstrate how attackers execute such attacks, without the need for tailor-made and sophisticated tools or techniques.

In addition to showing the recorded simulation, we’ll discuss the importance of defense-in-depth and how you should place multiple different tripwires to stop network breaches. In particular, the significant role that network controls and detections can play in such cases.

Start covering your bases & Stop chasing APT headlines

This talk will help you navigate safely through all the directives, levels, enforcement modes, deprecations, fallbacks, and varying browser implementation and support. You'll learn how to build a policy efficiently, the considerations you need to make along the way, and how you handle violation reports from users.

Halvor Sakshaug is one of the top answerers for Content Security Policy questions on Stack Overflow.

Content Security Policy: From newbie to advanced

I will present a new technique for attacking Azure resources by abusing legacy Azure Resource Management APIs, and how to mitigate this in your environments by building defense in-depth.

The techniques enabled us to find several vulnerabilities in Azure products themselves, and these will be used as examples to underline the attack techniques. Some of the vulnerabilities have been partially fixed by Microsoft, but most configurations are still vulnerable to some extent.


Privilege Escalation in Microsoft Azure

Traditional tools analyzing build manifests often fail to provide timely insights, overlooking actual code usage. This talk demonstrates how static and reachability analyses offer a more effective approach by examining real dependency usage, enhancing prioritization and understanding of necessary updates for vulnerable libraries.

Using real-world examples, we'll show how these analyses help developers reduce vulnerability response times by up to 50% and cut unnecessary updates by 30%. We'll explore strategies for implementing these techniques to manage dependencies more effectively, uncover hidden vulnerabilities, and enhance security and productivity in software development workflows. You'll leave with actionable insights to apply these advanced analysis methods in your projects, regardless of your tech stack, transforming how you approach dependency management and security.

Prioritisation of SCA Findings in Software Dependencies Using Static Reachability Analysis

This talk will cover how such integration is done, and in particular how this is done both securely and not-so-securely. The state-of-the-art way to do this is through OIDC/federated identity, which allows access to protected resources without needing to manage secrets. However, there are lots of ways of misconfiguring this, that leave your workflows vulnerable to lateral movement, privilege escalation and more. There will also be examples of real world security vulnerabilites we've seen in the wild related to GitHub actions (mostly integrating with Azure).

GitHub Actions: A Cloudy Day for Security

In this follow-up session, I'll cover the nearly finalized RFC on OAuth 2.0 for browser-based apps. We'll explore the specific threats posed by XSS vulnerabilities and discuss strategies to enhance application security. Additionally, we'll dive into the best practice of using a Backend-For-Frontend (BFF) approach, demonstrating how its implementation has minimal impact on development. You'll leave with a clear understanding of OAuth 2.0 security in frontends and practical steps for securing sensitive applications.

Breaking and securing OAuth 2.0 in frontends at NDC Security

We shall also explore some dynamic malware analysis as mini case studies of each of these techniques with some deeper investigation on code. We will then discuss some features of advanced malware in the market and how this malware is distinct compared to previous known malware files; mainly why it is more evasive and harder to detect. Additionally, we will then discuss some counter measures that us, as defenders, can take to protect our systems including some best practices as well the development of an incident response procedure that is capable of helping the defense team against advanced malware.
Here are the main topics I intend to cover for my session:
- Introduction
Highlighting the importance of advanced malware analysis in modern cybersecurity and brief introduction to the key techniques: polymorphism, packing, anti-analysis behaviour of malware

- Polymorphism – Adapting to evade detection
Explaining how polymorphic malware works and its ability to mutate to avoid signature-based detection, discussion on how to do polymorphism successfully, technical demonstration- analysing polymorphic code to identify patterns

- Packing – Concealing a malicious intent
Explaining the concept of packing with an overview of popular packers and their mechanisms for compressing and encrypting executable files, techniques for unpacking packed malware samples, practical case study – analysing a packed malware, unpacking this sample to reveal what it really does

- Anti-analysis tricks – evading detection against forensic examination
Exploration of anti-analysis techniques employed by malware authors to thwart detection and analysis, techniques such as code obfuscation, anti-debugging, and anti-VM detection and a hands-on exercise: using debugging tools and evasion techniques to analyze and bypass anti-analysis mechanisms in real-world malware sample

- Features of Advanced Malware as well as Techniques
Discussing self-modifying malware, C2 communication being hidden, rootkit installation and fileless malware samples

- Countermeasures against such Advanced Malware
Discussing measures to enhance malware detection and analysis capabilities, some best practices for developing resilient security architectures and incident response procedures, emphasizing the collaborative approaches for sharing threat intelligence and enhancing community defense against such threats

- Conclusion
Recapturing main points about the three common malware techniques, highlighting similarities in malware files that may facilitate detection and recounting defensive measures – ending with a small Q&A session.

Advanced Malware Analysis Techniques – Unmasking Hidden Threats

This talk will cover the following topics:
- the quantum threat and the "store now, decrypt later" attack
- standardised quantum-safe algorithms and their properties
- how quantum-safe crypto is used today for TLS and messaging
- challenges using the new quantum-safe algorithms in practise
- opportunities using quantum-safe cryptography going forward

While this is a technical topic, it is mostly new to everyone, and most of the talk will be non-technical so that everyone with interest in quantum-safe cryptography can benefit from it.

Challenges and Opportunities from Quantum-Safe Cryptography

Working with OpenID Connect and OAuth2 implementations, Anders have seen how different vendors approach the standard. Some stay very close to the standard and try to be true to them, while some have a more liberal approach. And in some cases it's just impossible to do the right thing when different standard documents contradict each other.

Tales of OAuth2/OIDC in the wild

In this talk I'll walk you through the discovery and investigation of the attack, look at how Governments around the World handled their remediation poorly, and discuss how you can stop your website becoming the victim of similar attacks that continue to this day.

Crypto Heist: The Aftermath of a Government Website Cryptojacking Attack

In this talk, we will delve into how bug bounties compare to traditional tools, delivering significantly more real-world vulnerabilities at a fraction of the cost of other activities. You will discover what makes bug bounties uniquely effective, learn how to launch and manage a successful program, and understand how they complement existing security practices. Using concrete examples and lessons learned from FINN.no and other Schibsted brands, we will share fun facts and spicy takes that challenge traditional AppSec advice!

From DevSecOops to Security Success: The Bug Bounty Effect at FINN.no

In this talk, I’ll share how tools like Microsoft Security Copilot are changing the game. We’ll look behind the curtain at how its AI Driven Guided Response Architecture works—how it suggests actions and fits into the daily grind of a SOC. But here’s the thing: AI can’t replace human expertise. It needs you to validate decisions, refine responses, and handle the unexpected. Together, we’ll explore how to adapt, what new skills matter most, and how you can thrive in this exciting (and sometimes overwhelming) AI-driven shift. Whether you’re already working in a SOC or just curious about where cybersecurity is headed, this session will give you practical insights and a fresh perspective on what’s next.-

AI and the SOC Engineer: The Evolving Human Element in Security

We’ll start with an introduction to V8, explaining its architecture and common vulnerabilities. We’ll then cover the new V8 Heap Sandbox and its different implementations during the past years and how it can be bypassed.

NDC { Security }

Agenda

09:00 - 10:00 (UTC+01)

Keynote: Maturing Your Application Security Program

Tanya Janca

10:20 - 11:20 (UTC+01)

Navigating the Security and Privacy Landscape of Modern AI

Vera Rimmer

Securing React: Prompt Engineering for Robust and Secure Code Generation

Jim Manico

Building antifragile systems using Secure by Design

Anders Kofoed

Eivind Jahr Kirkeby

Part I - Linux containers in (less than) 100 lines of shell

Michael Kerrisk

Part 1: Mastering golang micro-services: From Design to Deployment

Rabieh Fashwall

11:40 - 12:40 (UTC+01)

RAG Against the Machine

Brennan Lodge

Practical cryptography with Tink

Neil Madden

Human Hacking: Unveiling Secrets with Social Engineering and OSINT

Karyna Kholodar

Part II - Linux containers in (less than) 100 lines of shell

Michael Kerrisk

Part 2: Mastering golang micro-services: From Design to Deployment

Rabieh Fashwall

13:40 - 14:40 (UTC+01)

Homoglyph-Based Attacks: Circumventing LLM Detectors

Aldan Creo

I don't need privacy, I got confidentiality!

Kim Wuyts

Level Up Your AppSec Game: SAMM's Roadmap to Security Excellence

Sebastien Deleersnyder

Building a lightning fast Firewall with Java & eBPF

Johannes Bechberger

Part 1: Stop Firefighting Vulnerabilities, Start Eliminating Bug Classes at Scale: A Hands-On Workshop

Javan Rasokat

15:00 - 16:00 (UTC+01)

The Hidden Dangers of Incoherent Code: How Code Quality Impacts Security

Tav Herzlich

Using GenAI on your code, what could possibly go wrong?

Niels Tanis

Cybersecurity in the Era of AI and Quantum Computing

Tudor Damian

Improve your threat modelling through the science of simplicity

Dave Soldera

Part 2: Stop Firefighting Vulnerabilities, Start Eliminating Bug Classes at Scale: A Hands-On Workshop

Javan Rasokat

16:20 - 17:20 (UTC+01)

(Ab)user Experience: The dark side of Product and Security

Lianne Potter

Jeff Watkins

Using developer-centric data to predict, prioritize, and improve Application Security Outcomes

Laura Bell

Secure System Integrations

Tobias Ahnoff

Optimistic Security

Niall Merrigan

17:40 - 18:40 (UTC+01)

You Gotta Fight For Your Right To Third Party

Mathew Caplan

Flipping Bits: Your Credentials Are Certainly Mine

Stök ·

Joona Hoikkala

Hacking History: The first computer worm

Håvard Opheim

Hack the Planet! What Movies can Teach Us about InfoSec

Simon Painter

18:40 - 21:00 (UTC+01)

NDC Party

Niall Merrigan