PDUG section on PHDays VII: how to develop applications that hackers do not hack



PHDays VII is rapidly approaching, and we are pleased to announce that the Positive Development User Group, an open secure-development community, will meet again at the forum venue. Last year, under the auspices of PDUG, a separate seminar was held (details in Vladimir Kochetkov's report); this year we have planned an entire section with an AppSec master class, thematic talks on various aspects of secure development, and even beta testing of a free web service for finding vulnerabilities in websites.

Attendance at the PDUG section is traditionally free, but the hall cannot accommodate everyone, so you need to apply for participation. After reviewing your application, we will send you an invitation with the details of the meeting.

If you have any questions, please contact pdugorg@ptsecurity.com or pdug.org@gmail.com.

Full section program


10:00 | Application Security Outback Workshop / Application Security Slums


Vladimir Kochetkov, Head of Application Security Research, Positive Technologies
Denis Kolegov, Head of Protection Technologies Research Group, Positive Technologies

Have you ever thought about how modern application protection mechanisms work? What theory underlies the implementation of WAF and SAST? What are their limits, and how far can those limits be pushed by taking a broader view of application security problems?

The master class will cover the basic methods and algorithms of the two fundamental application protection technologies: application-level firewalling and static code analysis. Using specific open source tools developed specifically for this master class as examples, it will address the problems faced by developers of application protection tools and their possible solutions, and will answer all of the questions above.


11:40 | Coffee break


12:00 | Continuation of the Application Security Outback Workshop



13:40 | Automating the construction of rules for Approof


Denis Efremov, Institute for System Programming of the Russian Academy of Sciences

Approof is a tool for checking web applications for vulnerable components and configuration errors. Its operation is based on rules that store the signatures of such components. The talk discusses the basic structure of an Approof rule and the process of automating its creation.

14:00 | ASP.NET Core Attack Prevention Mechanisms


Mikhail Scherbakov, independent developer and consultant

Let's look at the new Microsoft web framework from a security point of view. ASP.NET Core is a continuation of the ASP.NET platform, and, unlike its predecessor, its code is fully open and supported by the community. The framework architecture has been rethought, new security features have appeared, and some of the existing ones have been heavily rewritten.

The talk will cover these differences and analyze how the built-in XSS and CSRF protection mechanisms now work, what cryptography features are available out of the box, and how session management is organized. It will be of interest primarily to developers writing secure ASP.NET applications, specialists conducting security reviews of .NET projects, and everyone who wants to understand the implementation of security components using this platform as an example.

15:00 | Formal verification of C code


Denis Efremov, Institute for System Programming of the Russian Academy of Sciences

The talk is devoted to the development of correct software using one form of static code analysis. It will highlight the issues of applying such methods, their weaknesses and limitations, and the results they can deliver. Concrete examples will show what developing specifications for C code and proving that the code conforms to those specifications look like in practice.

16:00 | Vulnerable Android application: N proven ways to step on a rake


Nikolay Anisenya, Specialist for Mobile Applications Security Research, Positive Technologies

Few developers build security into the application architecture at the design stage. Often there is neither money nor time for it, and even more rarely is there an understanding of the attacker model and the threat model. Application protection comes to the fore only when vulnerabilities start costing money. By that time the application is already in production, and making significant changes to the code becomes a difficult task.

Fortunately, developers are people too, and the same kinds of flaws turn up in the code of different applications. The talk will discuss the dangerous mistakes that most Android developers make. It touches on the features of the Android OS, gives examples of real-world applications and the vulnerabilities in them, and describes ways to fix them.

16:45 | Security Requirements in Software Architecture


Kirill Ivanov, architect, Positive Technologies

The development of any software is based in one way or another on requirements. The complete list is made up of the application's business objectives, various constraints, and quality expectations (also called NFRs, non-functional requirements). Software security requirements belong to the last group. The talk will consider how these requirements arise, how they are managed, and how the most important ones are selected.

Separately, it will cover the principles of application architecture with and without such requirements, and demonstrate how modern (and well-known) approaches to application design help build an architecture that minimizes the threat landscape.

17:30 | Report from Solar Security (subject to be specified)

Source: https://habr.com/ru/post/328780/