Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Monday, February 27
 

09:00

OWASP Top 10 proactive defenses (Plenary Session)
The OWASP Top Ten Proactive Controls 2016 is a list of security techniques that should be included in every software development project. They are ordered by order of importance, with control number 1 being the most important. This document was written by developers for developers to assist those new to secure development. 

Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author the code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. 

The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game.

Speakers
avatar for Jim Manico

Jim Manico

Founder, Secure Coding Instructor, Manicode Security
Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →



Monday February 27, 2017 09:00 - 10:30
Room: Lemaire

11:00

Low level exploits and countermeasures
Learning objectives
  • the risks associated with the use of unsafe programming languages such as C and C++
  • common attack techniques such as return address clobbering, indirect pointer overwriting, return-to-libc attacks, ...
  • common defense techniques such as stack canaries, address space layout randomization, ...
  • Overview
    This module introduces common low-level security problems and solutions by example. Focusing on the C language, we discuss four common attack techniques that attackers can use to gain control over the execution of software:
    • Return address clobbering, where an attacker gains control by overwriting a return address on the stack
    • Function pointer overwrites, where an attacker redirects a function pointer to his own attack code
    • Return-to-libc attacks, where an attacker steers the execution of existing code in memory rather than injecting new code
    • Data-only attacks, where an attacker modifies critical data variables of the software under attack

    We also discuss four practical examples of defense techniques. These are selected because of their good trade-off in effectiveness versus deployment and performance cost:

    • Stack canaries
    • Non-executable data memory
    • Control Flow Integrity, and
    • Address Space Layout Randomization.

    The following paper is used as lecture notes for this module: Ulfar Erlingsson, Yves Younan, Frank Piessens, Low-level software security by example, Handbook of Information and Communication Security, pages 663-658, 2010.


    Speakers
    avatar for Frank Piessens

    Frank Piessens

    Professor, imec-DistriNet-KU Leuven
    Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He is an active participant in both fundamental research and industrial application-driven projects, provides consultancy to industry on distributed system... Read More →



    Monday February 27, 2017 11:00 - 12:30
    Room: Van Hamaele

    11:00

    Secure Development Lifecycles (SDLC): Introduction and Process Models
    Learning objectives
    • understand the difficulty of developing secure software
    • learn the different elements of SDLC process models
    • understand how to apply these models for agile development

    Overview
    It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.

    In this session, an overview of state-of-the-art SDLC models is presented in order to discuss the fundamentals and cornerstones of these models. This will help participants grasp the scope and different concepts of these models. The perspective of both waterfall and agile development models will be taken to explain these models.

    Speakers
    avatar for Bart De Win

    Bart De Win

    Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →



    Monday February 27, 2017 11:00 - 12:30
    Room: Lemaire

    13:40

    Practical Android Security
    In this session we will cover different attack techniques on Android applications followed by common best practices to protect against these attacks. We start with an introduction to the Android platform stack, Android application and attack surfaces. We introduce several reverse engineering concepts and how they apply to Android applications. We look into how bad cryptography implementations in Android can be attacked. Afterwards we show how to securely store sensitive user data on Android.

    Furthermore, we will show some hacking techniques that are used to dynamically attack an Android application. Immediately afterwards we show how to use certain techniques to evaluate the execution environment of the application. We conclude by showing how easy it is to perform a Man-in-the-Middle attack on an Android application and how you can implement a secure SSL pinning strategy in your application.

    Attendees walk away with tools and howtos on hacking their own applications, common best practices to safely store user data, protect application communications and dynamic application protection techniques.

    Speakers
    avatar for Dario Incalza

    Dario Incalza

    Mobile Security Expert, ZIONSECURITY
    Dario Incalza is a mobile security expert at ZIONSECURITY. He puts his passion for Android and security at good use by performing pen tests on mobile applications. He enjoys performing security assessments on architectural as well as implementation level. When he is not working for clients he enjoys travelling the world to speak at various conferences on mobile security. He likes contributing to the community through technical blogs and open... Read More →


    Monday February 27, 2017 13:40 - 15:10
    Room: Lemaire

    13:40

    Secure Development Lifecycles (SDLC): Maturity Models
    Learning objectives
    • understand the need for maturity models
    • learn the different elements of SDLC maturity models
    Overview
    It takes much more than a good developer to build secure software within an organisation. Indeed, building secure software is about ensuring that security is taken into consideration during the entire software lifecycle. It is about ensuring that security best practices are being employed efficiently, and that uncovered risks are appropriately dealt with in due time.
    In this session, an overview of SDLC maturity models is presented in order to discuss the fundamentals and cornerstones of these models. We will discuss the structure, the different elements and elaborate on the notion of maturity for software assurance. 

    Speakers
    avatar for Bart De Win

    Bart De Win

    Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →



    Monday February 27, 2017 13:40 - 15:10
    Room: Van Hamaele

    15:40

    Secure Development Lifecycles (SDLC): Experience Workshop
    Learning objectives
    • get practical experience with SDLC models
    • understand the typical challenges to put this into practice,
    • identify opportunities to improve your company's practices.

    Overview
    In a second part, we will focus on the practical challenges in implementing these concepts in an organisation. During this session, participants are invited to discuss the challenges that they see in their organisation. The session will start off with a (partial) assessment of your company's development practices, to then further discuss what steps can be taken to improve the situation. Hereby, we will focus on typical challenges that one faces when trying to implement improve secure software development practices within a company.

    Expect a highly interactive, working session.

    Speakers
    avatar for Bart De Win

    Bart De Win

    Bart De Win has over 15 years of experience in software security. He has an extensive background in the field, including his Ph.D. and research work on methods and techniques for software protection.  Since 2009, Bart has been responsible for all application security services within Ascure & PwC Belgium.  He has extensive project experience in software testing and in assisting companies improving their secure software development... Read More →


    Monday February 27, 2017 15:40 - 17:10
    Room: Van Hamaele

    15:40

    The Web's Security Model

    While the web has undergone a dramatic transformation since the first static HTML documents, the underlying security model has been largely unchanged. However, due to the vastly expanded client-side capabilities in modern web applications, the security model is now more important than ever. Understanding this security model is key to building secure web applications.

    In this session we explore how the Same Origin Policy, a 20-year old security policy, is still the most important security feature in the web. We will investigate which restrictions the Same Origin Policy imposes, and how the lack of restrictions actually allows common web vulnerabilities to exist (e.g. Cross-Site Request Forgery, inclusion of untrusted content, etc.). 

    Overall, you will learn how the security model of the Web can be leveraged to build secure web applications, by carefully applying concepts such as domain separation and origin isolation. Additionally, this session provides you with the necessary context to understand and position the latest security technologies that will be covered throughout the SecAppDev course.



    Speakers
    avatar for Philippe De Ryck

    Philippe De Ryck

    imec-DistriNet-KU Leuven
    Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.



    Monday February 27, 2017 15:40 - 17:10
    Room: Lemaire
     
    Tuesday, February 28
     

    09:00

    Paradigms of Privacy Engineering

    The number of privacy debacles of the last years in social networks, web tracking, NSA/GCHQ surveillance, and mass scale breaches have been adding up. Contrary to claims that “privacy is dead”, the popularity of court cases with national and international implications, like Apple vs. FBI, are indicators that people around the world do care about their privacy, and the ambition to design and maintain systems that respond to relevant privacy issues can no longer be dismissed as “anti-progressivism”. However, assuming it is meant to be more than marketing, getting privacy right is challenging. The emerging field of privacy engineering responds to this challenge. It intends to address the gap between privacy research and and engineering practice by systematizing and evaluating methods, techniques and tools to capture and address privacy issues while engineering information systems. In this lecture, I will give an overview of privacy research paradigms in computer science and the nascent field of privacy engineering


    Speakers
    SG

    Seda Gürses

    Seda Gürses is a Postdoctoral Research Associate at CITP, Princeton University and an FWO fellow at COSIC, University of Leuven in Belgium. She works on privacy and requirements engineering, privacy enhancing technologies and surveillance. Previously she was a post-doctoral fellow at the Media, Culture and Communications Department at NYU Steinhardt and at the Information Law Institute at NYU Law School, where she was also part of the... Read More →



    Tuesday February 28, 2017 09:00 - 10:30
    Room: Lemaire

    09:00

    Scaling Threat Modeling

    Threat Modeling is a technique used to find flaws in the design of systems. Threat modeling requires some unique skills and broad knowledge about software security in general. This poses a challenge when trying to do threat modeling on a large number of applications. In this talk, we’ll discuss some options for how to do threat modeling at scale, and address some challenges that different development environments (waterfall, agile, CD) can pose when doing threat modeling at scale.


    Speakers
    avatar for Andrew Lee-Thorp

    Andrew Lee-Thorp

    Senior Consultant, Cigital
    Andrew Lee-Thorp is a security consultant with over 10 years of experience cutting his teeth in development from smart cards through to high-end servers systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android testing. Andrew's strategic focus is in developing assessment tooling and improving Android testing capability within the company. Andrew holds a postgraduate degree... Read More →



    Tuesday February 28, 2017 09:00 - 10:30
    Room: Van Hamaele

    11:00

    New Security Controls in Java 8 and 9
    Secure software requires making a wide variety of security controls available to the developer. These controls range from automatic defenses to APIs that developers simply need to use, to controls that require extensive configuration and understanding to be used effectively. This session reviews several new security controls available in the Java 8 and 9 platforms. It also covers other important Java security work, such as how the server JRE decreases the attack surface by not including applet code—since 2013! The presentation will help raise awareness of the many defenses present and available in the Java ecosystem, something every Java developer and AppSec professional can benefit from.

    Speakers
    avatar for Jim Manico

    Jim Manico

    Founder, Secure Coding Instructor, Manicode Security
    Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →



    Tuesday February 28, 2017 11:00 - 12:30
    Room: Lemaire

    11:00

    Cryptographic Algorithms
    Learning objectives
    • understand the fundamental concepts of cryptology;
    • distinguish the different types of cryptographic algorithms;
    • appreciate how cryptographic algorithms can provide
      • confidentiality,
      • data authentication.
    Overview

    Stream ciphers, block ciphers and hash functions are the three classical types of symmetric algorithms.

    A stream cipher generates a keystream of random bits which are exclusive-or'ed with the plaintext. Stream ciphers are often used to provide confidentiality for real-time traffic, such as GSM and Bluetooth.


    Block ciphers repeat simple substitution and transposition operations many times on fixed size blocks. The Data Encryption Standard (DES) has been widely used in banking, but is superseded by triple-DES and AES.

    Hash functions accept input strings of arbitrary length and produce fixed-length output. A Manipulation Detection Code (MDC) affords integrity protection. Given an output of an MDC, it is infeasible to find the corresponding input and it should be difficult to find colliding inputs. Practical examples are SHA-1, SHA-256 and RIPEMD-160.

    A Message Authentication Code (MAC) is a hash function with a secret key that provides data origin authentication. Practical examples are CBC-MAC, based on triple-DES and AES block ciphers.


    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Tuesday February 28, 2017 11:00 - 12:30
    Room: Van Hamaele

    13:40

    Entity Authentication
    Learning objectives

    Gain insight into

    • entity authentication protocols,
    • the benefits and limitations of authentication factors,
    • key establishment protocols,
    • why and how to use authentication servers.
    Overview

    Authentication methods are based on something known, owned, biometric, location or evidence of trusted third party authentication.

    • A password is a case of something known. Passwords are a vulnerable, but cheap and convenient way of authenticating an entity. Several techniques to augment their effectiveness are in use including challenge-response and one-time passwords.
    • Secure devices such as smart cards and USB tokens often combine the 'owned' with the 'known', since secret keys are locked in the token with a password or PIN code. However, within the broad category of secure tokens, trustworthiness is variable, depending on whether keys can be extracted, passwords can be eavesdropped or the device can be tampered with.
    • Biometry identifies a person via physical characteristics.
    • Location is often used as the sole authentication factor, but is insecure given the relative ease of spoofing IP or MAC addresses.
    • Multi-factor authentication is stronger than single-factor.
    • The Kerberos protocol uses a key distribution-based authentication server. Service consumers must authenticate with a central server to obtain a secret session key with service providers. Such schemes require a single sign-on to access servers across a trust domain.

    While public key cryptography is well suited to entity authentication, performance constraints often mandate a symmetric algorithm for encrypting data passed between systems. Key establishment should be linked to authentication, so that a party has assurances that a key is only shared with the authenticated party. The Diffie-Hellman key agreement protocol underlies a host of current technologies such as STS (Station-to-Station protocol) and IKE.



    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Tuesday February 28, 2017 13:40 - 15:10
    Room: Lemaire

    13:40

    Modern Web Application Defenses against Dangerous Network Attacks (Part 1)
    Do you have any idea how many files you send to the user are modified in transit? How much sensitive information is up for grabs to an eavesdropper? Or whether there is an attacker sitting in the middle, with the ability to carry out a dangerous SSL Stripping attack?

    In the past few years, a secure communication channel has become more important than ever, and browsers are actively pushing developers towards using HTTPS. Therefore, simply deploying sensitive parts of your application over HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel.

    In this session, participants will learn through hands-on experience why a partial HTTPS deployment can easily be undermined by easy-to-execute network attacks. We will cover common (non-cryptographic) attacks on HTTPS applications, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP). You will walk away with an up-to-date list of best practices for deploying your applications over HTTPS.

    Attendees are required to bring a laptop with VirtualBox installed. If you have restricted access to the BIOS settings, please make sure Virtualization is enabled up front.

    The training image is available for download at the following URL: https://people.cs.kuleuven.be/philippe.deryck/training/secappdev2017.ova 

    Speakers
    avatar for Philippe De Ryck

    Philippe De Ryck

    imec-DistriNet-KU Leuven
    Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.



    Tuesday February 28, 2017 13:40 - 15:10
    Room: Van Hamaele

    15:40

    Modern Web Application Defenses against Dangerous Network Attacks (Part 2)
    Do you have any idea how many files you send to the user are modified in transit? How much sensitive information is up for grabs to an eavesdropper? Or whether there is an attacker sitting in the middle, with the ability to carry out a dangerous SSL Stripping attack?

    In the past few years, a secure communication channel has become more important than ever, and browsers are actively pushing developers towards using HTTPS. Therefore, simply deploying sensitive parts of your application over HTTPS is no longer sufficient. You need to move all of your content to HTTPS, and deploy additional security policies to establish a secure end-to-end communication channel.

    In this session, participants will learn through hands-on experience why a partial HTTPS deployment can easily be undermined by easy-to-execute network attacks. We will cover common (non-cryptographic) attacks on HTTPS applications, and how they are countered by the newest HTTPS security policies, such as HTTP Strict Transport Security (HSTS) and HTTP Public Key Pinning (HPKP). You will walk away with an up-to-date list of best practices for deploying your applications over HTTPS.

    Attendees are required to bring a laptop with VirtualBox installed. If you have restricted access to the BIOS settings, please make sure Virtualization is enabled up front.

    The training image is available for download at the following URL: https://people.cs.kuleuven.be/philippe.deryck/training/secappdev2017.ova  

    Speakers
    avatar for Philippe De Ryck

    Philippe De Ryck

    imec-DistriNet-KU Leuven
    Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.



    Tuesday February 28, 2017 15:40 - 17:10
    Room: Van Hamaele

    15:40

    A day in the life of a malware analyst
    A Day In The Life Of A Malware Analyst

    Join Didier Stevens (NVISO) in a typical day of a malware analyst.

    Following the malware response cycle, the analyst is first informed that (potential) malware is detected.
    Then a decision must be taken to analyze the malware or not. After analyzing the malware, appropriate actions are taken.

    This session requires no pre-requisite knowledge about malware or anti-virus. Didier will explain the different steps, give explanations about the different types of malware and how they can be analyzed. A couple of short demos of malware analysis will be given to illustrate the process.

    Speakers
    avatar for Didier Stevens

    Didier Stevens

    Senior Analyst, NVISO
    Didier Stevens (Microsoft MVP, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, ...) is a senior analyst with NVISO (https://www.nviso.be) active for 15+ years in security teams of Belgian financial corporations. | | Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. You... Read More →



    Tuesday February 28, 2017 15:40 - 17:10
    Room: Lemaire
     
    Wednesday, March 1
     

    09:00

    Threat Modeling (Part 1)
    Learning objectives
    • Describe terminology used when threat modeling
    • Describe a process for threat modeling a system
    • Perform a threat model for some fictitious system
    Overview

    This is a very hands-on session. The session begins by describing the threat model process we use at Cigital. We will walk through an in-class example applying the process to identify potential flaws in a system. The class will then be broken up into small groups and we will spend the majority of the time building a threat model as a number of individual labs. This will be a pen and paper exercise with the instructor providing the necessary materials to the students.


    Speakers
    avatar for Andrew Lee-Thorp

    Andrew Lee-Thorp

    Senior Consultant, Cigital
    Andrew Lee-Thorp is a security consultant with over 10 years of experience cutting his teeth in development from smart cards through to high-end servers systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android testing. Andrew's strategic focus is in developing assessment tooling and improving Android testing capability within the company. Andrew holds a postgraduate degree... Read More →



    Wednesday March 1, 2017 09:00 - 10:30
    Room: Van Hamaele

    09:00

    Building Secure Angular Applications
    Angular is one of the most popular frameworks, and there is a huge amount of information available on building applications, improving performance, and various other topics. But do you know how to make your Angular applications secure? What kind of security features does Angular offer you, and which additional steps can you take to really boost the security of your applications?

    In this session, you will learn how the paradigm shift from server-side to client-side applications impacts security. We will discuss various script-based threats against Angular applications, and the concrete defenses to prevent or minimize these attacks. You will learn how Angular helps you defend against XSS, one of the most dangerous attacks in modern web applications. Additionally, you will learn how you can leverage the latest browser security features in your Angular applications to boost your security. Examples of these technologies include Subresource Integrity, HTML5 sandboxing or Content Security Policy.

    After attending this talk, you will have a good understanding of the various kinds of untrusted code that threaten your Angular applications. In addition, you will have concrete knowledge on how to use these new security technologies to effectively secure your Angular applications against these threats. 

    Speakers
    avatar for Philippe De Ryck

    Philippe De Ryck

    imec-DistriNet-KU Leuven
    Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.



    Wednesday March 1, 2017 09:00 - 10:30
    Room: Lemaire

    11:00

    Network Security Protocols
    Learning objectives

    Gain an overview of secure network protocols.

    Overview

    As well as being important practical examples of the use of PKIs, networking protocols such as SSL/TLS, HTTPS, SSH and IPsec are also of great interest to the designer of secure systems in their own right. Participants gain an appreciation of how security requirements influence the choice of network technology.


    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Wednesday March 1, 2017 11:00 - 12:30
    Room: Lemaire

    11:00

    Threat Modeling (Part 2)
    Learning objectives
    • Describe terminology used when threat modeling
    • Describe a process for threat modeling a system
    • Perform a threat model for some fictitious system
    Overview

    This is a very hands-on session. The session begins by describing the threat model process we use at Cigital. We will walk through an in-class example applying the process to identify potential flaws in a system. The class will then be broken up into small groups and we will spend the majority of the time building a threat model as a number of individual labs. This will be a pen and paper exercise with the instructor providing the necessary materials to the students.


    Speakers
    avatar for Andrew Lee-Thorp

    Andrew Lee-Thorp

    Senior Consultant, Cigital
    Andrew Lee-Thorp is a security consultant with over 10 years of experience cutting his teeth in development from smart cards through to high-end servers systems. He currently works as a Consultant with Synopsys where he performs code reviews, architectural risk analysis, and Android testing. Andrew's strategic focus is in developing assessment tooling and improving Android testing capability within the company. Andrew holds a postgraduate degree... Read More →



    Wednesday March 1, 2017 11:00 - 12:30
    Room: Van Hamaele

    13:40

    Public Key Infrastructures Fundamentals
    Learning objectives
    • learn the components of a public key infrastructure.
    • understand key delivery and management mechanisms.
    Overview

    The function of a public key infrastructure (PKI) is to ensure secure delivery and management of public keys. Alternative trust models lead to different key architectures.

    Public keys are published by means of digitally signed certificates.

    A private key may be compromised, in which case the certificate containing the corresponding public key must be revoked. Many revocation methods are in current use. Publication of Certificate Revocation Lists (CRLs) and checking with an Online Certificate Status Protocol (OCSP) responder are best established.


    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Wednesday March 1, 2017 13:40 - 15:10
    Room: Lemaire

    13:40

    Web Security hands-on (1)
    Students will learn how to verify the security of web solutions. These hands-on sessions will focus on how to do basic web penetration testing. 

    This course will cover Access Control, Injection, XSS, Authentication and other security areas. We will be using both the OWASP Security Shepherd and OWASP Juice Shop projects as training grounds to master basic pentesting skills. In essence, new pentesters will get a wide range of topics to consider and experiment with, under guidance of a skilled trainer.

    You will need a laptop that can run Burp Proxy Free as well as the ability to modify proxy setting and install a certificate authority in your browser of choice. This usually requires admin access. 

    These sessions are for beginners but advanced practitioners are welcome and will be given more advanced challenges.

    Speakers
    avatar for Jim Manico

    Jim Manico

    Founder, Secure Coding Instructor, Manicode Security
    Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →


    Wednesday March 1, 2017 13:40 - 15:10
    Room: Van Hamaele

    15:40

    Web Security hands-on (2)
    Students will learn how to verify the security of web solutions. These hands-on sessions will focus on how to do basic web penetration testing. 

    This course will cover Access Control, Injection, XSS, Authentication and other security areas. We will be using both the OWASP Security Shepherd and OWASP Juice Shop projects as training grounds to master basic pentesting skills. In essence, new pentesters will get a wide range of topics to consider and experiment with, under guidance of a skilled trainer.

    You will need a laptop that can run Burp Proxy Free as well as the ability to modify proxy setting and install a certificate authority in your browser of choice. This usually requires admin access. 

    These sessions are for beginners but advanced practitioners are welcome and will be given more advanced challenges.

    Speakers
    avatar for Jim Manico

    Jim Manico

    Founder, Secure Coding Instructor, Manicode Security
    Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →


    Wednesday March 1, 2017 15:40 - 17:10
    Room: Van Hamaele

    15:40

    Addressing Privacy in Cloud Service Development

    Three major shifts have transformed the practice of software engineering over the last two decades. In short, these are the shifts from waterfall to agile development, from shrink-wrap software to services, and from the PC to the cloud. I will refer to this transformation as the 'agile turn’. After going over the different tenets of the agile turn based on interviews with developers in the US, we will take time to discuss the challenges and opportunities it offers to addressing privacy.  To conclude, I will present some recent academic research addressing aspects of the agile turn and relate those to the challenges to the requirement of privacy by design in the General Data Protection Regulation (GDPR).


    Speakers
    SG

    Seda Gürses

    Seda Gürses is a Postdoctoral Research Associate at CITP, Princeton University and an FWO fellow at COSIC, University of Leuven in Belgium. She works on privacy and requirements engineering, privacy enhancing technologies and surveillance. Previously she was a post-doctoral fellow at the Media, Culture and Communications Department at NYU Steinhardt and at the Information Law Institute at NYU Law School, where she was also part of the... Read More →



    Wednesday March 1, 2017 15:40 - 17:10
    Room: Lemaire
     
    Thursday, March 2
     

    09:00

    Access Control
    This session covers access control. Access control is an essential part of every application that manages data of any value. However, access control is also complex and hard to get right, both from a development and management point of view.

    In this session, we first explore the concept and goals of access control in general. We then discuss the different models that exist in practice and in literature to reason about access control. We then investigate different approaches of how to enforce access control in an application. Overall, this sessions aims to provide deeper insights into access control in order to better reason about it and implement it correctly and efficiently.

    Learning objectives 
    • Understand the goal of access control.
    • Understand the process of access control.
    • Learn about existing and emerging models to reason about access control.
    • Learn about different approaches to implement access control, their advantages and limitations.
    • Be aware of upcoming evolutions and how to prepare for them.

    Speakers
    avatar for Maarten Decat

    Maarten Decat

    Postdoctoral researcher on access control & Co-founder of Elimity, KU Leuven / Elimity
    Maarten Decat is a postdoctoral researcher at the department of Computer Science of the Katholieke Universiteit Leuven (KU Leuven) under the supervision of Wouter Joosen. His main research interest is access control for large-scale cloud applications. From this research he recently co-founded Elimity, a tech start-up with the mission of improving access management for security-aware companies all around the world.



    Thursday March 2, 2017 09:00 - 10:30
    Room: Van Hamaele

    09:00

    Data Mining for Security (1)
    Many tasks in computer security revolve around the manual analysis of data, such as the inspection of log files or network traffic. Data mining and machine learning can help to accelerate these tasks and provides versatile tools for detecting and analyzing security data. The sesions deals with the combination of machine learning and computer security. After a short introduction to the basics of machine learning, we present common learning concepts and discuss how they are applied to security problems, such as intrusion detection, malware analysis or vulnerability discovery.

    Speakers
    avatar for Konrad Rieck

    Konrad Rieck

    Professor, TU Braunschweig
    I am a Professor of Computer Science at Technische Universität Braunschweig. I am leading the Institute of System Security. Prior to taking this position, I have been working at the University of Göttingen, Technische Universität Berlin and Fraunhofer Institute FIRST. | | My research interests revolve around computer security and machine learning. This includes the detection of computer attacks, the analysis of malicious software, and the... Read More →



    Thursday March 2, 2017 09:00 - 10:30
    Room: Lemaire

    11:00

    Cryptography in a post-Snowden era
    Learning objectives
    • Understand how sophisticated opponents agencies can undermine cryptographic protection
    • Understand how to maximize your chances to resist sophisticated opponents using cryptographic techniques
    Overview

    This lecture presents an overview of the Snowden revelations and the impact on our understanding of the security of our networks and systems. In particular, we discuss the known ways in which sophisticated attackers can bypass or undermine cryptography. We also speculate on how three-letter agencies could be breaking most encryption on the Internet. We relate this to the latest developments in cryptanalysis and discuss which cryptographic algorithms and implementations to select to stay protected.


    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Thursday March 2, 2017 11:00 - 12:30
    Room: Van Hamaele

    11:00

    Data Mining for Security (2)
    A common application of data mining in security is the detection of attacks. Learning methods can often generate detection models that are competitive with manually crafted patterns and reduce the manual effort of analyzing attack data. In this session, we present learning-based detection approaches. We discuss the underlying learning concepts, namely classification and anomaly detection, and look at some practical examples. We close this discussion by pointing at novel problems, such as poisoning and evasion attacks against machine learning.

    Speakers
    avatar for Konrad Rieck

    Konrad Rieck

    Professor, TU Braunschweig
    I am a Professor of Computer Science at Technische Universität Braunschweig. I am leading the Institute of System Security. Prior to taking this position, I have been working at the University of Göttingen, Technische Universität Berlin and Fraunhofer Institute FIRST. | | My research interests revolve around computer security and machine learning. This includes the detection of computer attacks, the analysis of malicious software, and the... Read More →



    Thursday March 2, 2017 11:00 - 12:30
    Room: Lemaire

    13:40

    Introduction to OAuth 2.0 Security
    OAuth is a delegation framework that appears on the radar of security professionals and developers more and more every day. OAuth intersects with authentication and access control, yet you would not likely use OAuth in and of itself for authentication, session management or an access control in your applications. Even more confusing, OAuth is not a standard and various service providers will likely have different implementations. Let's say it again, OAuth is not a standard - its a framework for delegation. So this leaves us with questions! What really is delegation? Where does OAuth fit in? How can I use OAuth in a secure fashion? These questions and more will me answered in this talk!

    Speakers
    avatar for Jim Manico

    Jim Manico

    Founder, Secure Coding Instructor, Manicode Security
    Jim is the founder of Manicode Security where he trains software developers on secure coding and security engineering. Jim is a frequent speaker on secure software practices and is a member of the Java-One Rock Star speaker community. Jim is a Global Board Member for the OWASP foundation where he helps drive the strategic vision for the organization  | and is the author of "Iron-Clad Java: Building Secure Web Applications" from... Read More →



    Thursday March 2, 2017 13:40 - 15:10
    Room: Lemaire

    13:40

    Cryptography Best Practices
    Learning objectives
    • decide if and when cryptography should be used.
    • make informed key architecture and management decisions.
    • use appropriate algorithms and parameters.
    • select an appropriate cryptographic library.
    • choose network protocols for distributed applications.
    Overview

    Application architects need to make informed choices to use cryptography well:

    • Alternative key architectures have their merits and drawbacks. PKIs, in particular, should be contrasted with symmetric key architectures such as Kerberos.
    • Network protocol characteristics are pivotal in ensuring distributed applications meet security requirements. Key strength choices impact on security guarantees offered, as do cryptographic algorithm modes.
    • While strong keys and wise use of cryptographic algorithms may thwart cryptanalytic attack, applications are insecure without prudent key management. In this context, key generation and key storage require particular attention.
    • The selection of crypto-libraries requires awareness of inherent library qualities and failures. Application developers are advised not to implement their own.
    • Cryptography is used innovatively in areas such as obfuscation and watermarking.

    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Thursday March 2, 2017 13:40 - 15:10
    Room: Van Hamaele

    15:40

    Blockchain: distributed trust (Plenary Session)

    Learning objectives 

    -       understand the principles of distributed consensus
    -       understand the principles of cryptocurrencies and smart contracts
    -       understand the strength and limitations of Bitcoin

    Overview 

    After the failure of a large number of innovative payment and currency systems in the 1990s, the rise of Bitcoin, launched in 2009, was surprising. The Bitcoin ecosystem had a bumpy start, but driven in part by the demand created by the Silk Road and perhaps the Cyprus crisis, the impact grew quickly: the total value of bitcoins rose to several billion US$ in the first two years (currently it is around US$ 14 billion), hundreds of alternative cryptocurrencies (altcoins) were created and large mining entities were established, mostly in China. The ideas behind Bitcoin have opened up new approaches to cryptocurrencies, but also to distributed consensus, distributed naming, secure timestamping and commitment. One of the aspects that have drawn the most interest is the smart contract (that is, cryptographically enforceable agreements) on top of the Bitcoin ecosystem (or on other systems such as Ethereum). Even if some observers predict that the Bitcoin ecosystem will disappear or become irrelevant, the core ideas have already made a major impact.

     

    Unlike any other payment system or cryptocurrency created before, Bitcoin allows for fully decentralized generation of currency and fully decentralized verification of transactions. The core idea is the blockchain, a public ledger that registers all transactions under the form of a hash chain; the blockchain describes the state of the system, that is, it specifies who owns which amount. Transactions themselves are validated based on a scripting language, which creates some flexibility. In a distributed system, a central problem is how to achieve consensus (e.g., how to deal with double-spending transactions). Transactions are broadcast over a low-latency peer-to-peer network that offers some robustness against censoring or sabotage. This approach allows the Bitcoin ecosystem to achieve distributed consensus in a practical way assuming that players are rational (something which is known to be unachievable without additional assumptions such as rationality) albeit at the cost of a major computational effort in terms of mining.

     

    While the financial industry is less interested in the anarchistic aspects of the Bitcoin ecosystem (the governance model and the uncontrolled money supply), the distributed consensus idea is very appealing and is believed to have a very high business potential for a large number of financial transactions and interactions. In 2015, about US$ 1 billion was invested in venture capital in the area of blockchain and cryptocurrencies and the Aite Group predicted in 2016 that blockchain market could be worth as much as US$ 400 million in annual business by 2019. The idea of a public ledger for timestamping and registering documents using hash chains is more than 25 years old, as witnessed by the efforts of Surety Technologies in the early 1990 and the ISO standardization in this area in the mid 1990s –- but these earlier approaches did use a central authority to register all transactions. Bitcoin has inspired many actors to revisit those ideas by `taming’ the Bitcoin ecosystem into a private or permissioned ledger, where only a few selected actors have control over new currencies or verification of transactions (to get rid of distributed control) and where access to the ledger can be restricted (to get rid of full transparency). Some of the notable developments in this context are the open source initiative of IBM that is called Hyperledger and Intel's experimental Sawtooth Lake architecture.


    Speakers
    avatar for Bart Preneel

    Bart Preneel

    Professor, imec-COSIC, KU Leuven
    Professor Bart Preneel of KU Leuven heads the  imec-COSIC (COmputer Security and Industrial Cryptography) research group. His main research areas are information security and privacy with a focus on cryptographic algorithms and protocols and efficient and secure implementations.  He has authored more than 400 scientific publications and is inventor of five patents. He teaches cryptology, network security and discete algebra at the... Read More →



    Thursday March 2, 2017 15:40 - 17:10
    Room: Lemaire
     
    Friday, March 3
     

    09:00

    New Technologies for System Software Security
    The war between attackers and defenders of system software (i.e. servers, middleware, operating systems) has been ongoing for decades.
    This session will cover a number of interesting new technologies that have the potential of being game changers in this ares:
    • Protected module architectures (like the new Intel Software Guard Extensions - Intel SGX) make it possible to securely execute applications on a machine, even when the system software (e.g. the operating system) on that machine is infected and hence malicious.
    • New safe systems programming languages (like Mozilla's Rust programming language) make it possible to prevent the introduction of memory safety vulnerabilities in systems code (and at the same time also prevent the introduction of data races in multi-threaded code!)
    • Advances in defensive compilation make it possible to compile legacy C code with hard assurances on resistance against memory safety based attacks
    This session will give an overview of these exciting and promising new technologies.

    Speakers
    avatar for Frank Piessens

    Frank Piessens

    Professor, imec-DistriNet-KU Leuven
    Frank Piessens is a professor at the Department of Computer Science of the KU Leuven, Belgium. His research interests lie in software security, including security in operating systems and middleware, architectures, applications, Java and .NET, and software interfaces to security technologies. He is an active participant in both fundamental research and industrial application-driven projects, provides consultancy to industry on distributed system... Read More →



    Friday March 3, 2017 09:00 - 10:30
    Room: Van Hamaele

    09:00

    The Rise and Fall of Client-Side Web Security Technologies
    The web used to be sever-centric, and the browser was merely a rendering engine to display information. Today, the introduction of numerous new technologies has made the web client-centric. A similar evolution can be seen in web security technologies. In recent years, numerous new security technologies can be configured by the server and are enforced by the browser.

    In this session, we investigate why these server-driven browser-enforced policies are so popular. We will illustrate how quickly they have risen, and how browsers have become a major driver for security. But it's not all unicorns and rainbows. These technologies allow you to mess up, making your applications unreachable. What's even worse, these technologies can be used for malicous purposes as well, and there is not much that can be done against it.

    You will leave with an up-to-date view on web security, and with evidence-backed recommendations of which technologies you should be adopting first.

    Speakers
    avatar for Philippe De Ryck

    Philippe De Ryck

    imec-DistriNet-KU Leuven
    Philippe De Ryck is a professional speaker and trainer on software security and web security. Since he obtained his PhD at the imec-DistriNet research group (KU Leuven, Belgium), he has been running the group's Web Security Training program, which ensures a sustainable knowledge transfer of the group’s security expertise towards practitioners.



    Friday March 3, 2017 09:00 - 10:30
    Room: Lemaire

    11:00

    GDPR: From regulation to coding (Part 1)

    May 2018, a date to keep in mind... a new privacy regulation comes into force in Europe.  

    The General Data Protection Regulation (GDPR) introduces a new set of constraints that has to be followed by any company doing business in Europe.

    During this session, participants will learn how to translate GDPR into a set of security tasks, which can be implemented within an application. 

    We will describe what do we mean by Personal Information and which risks are related to such kind of data.   Based on data handle by the application, the participants will discover why a Privacy Impact Assessment (PIA) is a useful tool.  We will walk into the Processing Purpose, Data life cycle Management, Data Flow Diagram, Data classification, Data Accuracy (such as Correction, Destruction, Blocking, Retention period), Third Party, Complaints management and Privacy Notice.  

    From these notions, we will describe which security controls can be put in in place.  We will introduce the relation between Privacy and Security, the notion of Privacy by Design and how the Secure Development Lifecycle (SDLC) can be impacted.  The last part of this session will introduce the need data Breach detection.


    Speakers
    avatar for Georges Ataya

    Georges Ataya

    Professor, Solvay Brussels School of Economics and Management
    Georges Ataya, CISA, CISM, CISSP, is a professor at Solvay Business School in Brussels, Belgium, in charge of IT Management Education at Solvay Brussels School of Economics and Management. He is managing partner of ICT Control SA, a management consulting firm that specializes in IT governance. Georges is Vice-President and Board member of the IT Governance Institute.
    avatar for Alain Cieslik

    Alain Cieslik

    Alain is an IT consultant with over 15 years of experience in cyber security, development, and architecture design across public and private sectors. He adds security in each phase of a project (SDLC), and helps organizations to increase the business value through the use of innovation and new technologies. 



    Friday March 3, 2017 11:00 - 12:30
    Room: Van Hamaele

    11:00

    Towards a Secure IoT Landscape
    The Internet of Things (IOT) allows one to check and control devices and sensors fully automatically and remotely.
    All sorts of equipment including cameras, physical health monitors, domotics, alarms and access control systems can report events and the receiver of these notifications can take action when necessary.
    These devices and sensors can be used everywhere. Not only in the house, in hospitals, storage facilities or industrial plants, but also in vehicles, phones, portable computers, clothing, etc.
    This offers many opportunities and the possible applications are virtually unlimited.
    In this presentation we will give an overview of the possibilities and risks one has to take into account when designing and developing IOT systems.
    We also give a set of sound rules of thumb that should be kept in mind when installing, configuring and deploying IOT systems in the field to ensure that the installed system does not only work reliably but also safely and securely, even long after its initial deployment.

    Slides are available from http://homes.esat.kuleuven.be/~decockd/slides/20170303.towards.secure.iot.landscape.pdf

    Speakers
    DD

    Danny De Cock

    Sr. Research Manager, KULeuven ESAT/COSIC
    Danny received his Ph.D in Engineering Science from the Katholieke Universiteit Leuven. He has more than 20 years of hands-on expertise in computer security and applied cryptography. As a post-doc researcher and senior research manager he focuses on solving complex security issues and defines roadmaps of challenging research activities to exceed the current state-of-the-art. He is particularly interested in the analysis of identity management... Read More →



    Friday March 3, 2017 11:00 - 12:30
    Room: Lemaire

    13:40

    AuthN/Z for REST Services
    REST services are very popular. Unfortunately, many are not secure. In this session, we identify access control requirements for a range of application types and discuss how these can be delivered with current standards and tools.
    The presentation is interactive; we discuss the trade-offs when implementing typical requirements.
    OpenID Providers authenticate end users and issue a security token called an ID Token, containing a set of claims about the attributes of the caller. We will be dissecting the OpenID Connect ID Tokens, encoded as JSON Web Tokens (JWT).
    Even though OIDC and OAuth are supplanting older authN/Z standards for web services such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language), they will have to co-exist for a long time. Many components offering OIDC or OAuth interfaces also work with SAML or XACML, which define interesting roles such as Identity Provider (IdP), Policy Enforcement Point (PEP) and Policy Decision Point (PDP). So it is natural to ask whether these roles are relevant in a REST architecture as well and, if so, how they map on OIDC and OAuth roles.
    This session builds on Maarten Decat's Access Control lecture and Jim Manico's Introduction to OAuth 2.0 Security. 

    Speakers
    avatar for Johan Peeters

    Johan Peeters

    independent
    Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org.



    Friday March 3, 2017 13:40 - 15:10
    Room: Lemaire

    13:40

    GDPR: From regulation to coding (Part 2)

    Use the Ashley Madison Data Leakage case to explore application controls related to: Website & User Profile, Mobile applications, Localization / Tracking, Chat, Profiling, Sharing information with third parties

    The participants shall break-out in groups to work on the case

    A presentation of the groups results shall be delivered to the class


    Speakers
    avatar for Georges Ataya

    Georges Ataya

    Professor, Solvay Brussels School of Economics and Management
    Georges Ataya, CISA, CISM, CISSP, is a professor at Solvay Business School in Brussels, Belgium, in charge of IT Management Education at Solvay Brussels School of Economics and Management. He is managing partner of ICT Control SA, a management consulting firm that specializes in IT governance. Georges is Vice-President and Board member of the IT Governance Institute.
    avatar for Alain Cieslik

    Alain Cieslik

    Alain is an IT consultant with over 15 years of experience in cyber security, development, and architecture design across public and private sectors. He adds security in each phase of a project (SDLC), and helps organizations to increase the business value through the use of innovation and new technologies. 



    Friday March 3, 2017 13:40 - 15:10
    Room: Van Hamaele

    15:40

    Denial-of-service attacks: solutions and pitfalls
    In this session, we will discuss the current threat of denial-of-service attacks and several popular mitigation solutions. Based on our research, we will talk about the common pitfalls of setting up cloud-based DDoS protection services.

    Speakers
    avatar for Thomas Vissers

    Thomas Vissers

    Researcher, KU Leuven
    Thomas Vissers is a PhD Researcher at imec-Distrinet, KU Leuven. He is involved in several internet security challenges, such as cloud-based security, domain name abuse and denial-of-service attacks. Furthermore, he has a special interest in machine learning and large-scale analyses to better understand security problems. Thomas obtained his Master’s degree in Engineering from the University of Antwerp and was a visiting researcher at Anna... Read More →



    Friday March 3, 2017 15:40 - 16:30
    Room: Van Hamaele

    15:40

    Between Testing and Formal Verification

    The security testing of software is inherently difficult.  This is because vulnerabilities typically emerge as unanticipated interactions in the design of a software component, as implementation artefacts that were not specified in the design, or as bugs, where design and implementation deviate.  Thus, when searching for breaches of security properties we are looking for design or implementation details that can be abused in ways not considered by the designers, developers and testers of a software component.

     Formal methods promise to systematise this search for needles in haystacks and use mathematical rigour to provide convincing arguments for the absence of such needles.  Yet, with few exceptions in safety-critical systems engineering, the adoption of formal techniques in software development processes is low.  Furthermore, formal methods traditionally focus on safety aspects of software, i.e., functional correctness and the absence of runtime exceptions of software.  In this talk I will outline the advantages and disadvantages of modern approaches to formal software analysis and verification.  I will focus on tools and techniques that can be integrated efficiently with testing efforts, in particular in security testing.


    Speakers
    avatar for Jan Tobias Muehlberg

    Jan Tobias Muehlberg

    Researcher, imec-DistriNet, KU Leuven
    Jan Tobias Muehlberg works as a researcher at imec-DistriNet, KU Leuven (BE). His is active in the fields of software security, and formal verification and validation of software systems, specifically for embedded systems and low-level operating system components. Tobias is particularly interested in security architectures for safety-critical embedded systems and for the Internet of Things. Before joining KU Leuven, Tobias worked as a... Read More →



    Friday March 3, 2017 15:40 - 16:30
    Room: Lemaire

    16:40

    Closing Session
    Speakers
    avatar for Johan Peeters

    Johan Peeters

    independent
    Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org.


    Friday March 3, 2017 16:40 - 17:00
    Room: Lemaire