
For several years in a row, the secure development community Positive Development User Group (PDUG) has organized its own track at the PHDays international forum.
Last year we devoted one day to discussing the development of secure applications; this time we are organizing a large-scale two-day marathon of talks and a round table.
Attendance at the section is free, but the number of seats is limited, so you need to register. If you cannot attend in person, do not worry: after the forum we will publish the slides and videos of the talks in open access (including on Habr).
Full program of the section
10:40 - 11:00 | Opening
Vladimir Kochetkov, Positive Technologies
11:00 - 12:00 | Is it possible to generalize a source code analyzer?
Ivan Kochurkin, Positive Technologies
The talk covers the various kinds of code analyzers, which take regular expressions, tokens, parse trees, data flow graphs or symbolic execution as their input. The speaker will describe the problems that arise when generalizing each kind of analyzer to different programming languages and suggest solutions. He will also demonstrate the vulnerabilities and defects that each approach can find (for example, goto fail), describe the capabilities of the open source code analyzer PT.PM, how to use it, and its development prospects.
12:00 - 13:00 | Myths and legends of secure development
Yuri Shabalin, Swordfish Security
Drawing on experience implementing application security processes both inside his own company and as an external consultant, the speaker will discuss the main myths and stereotypes that surround this field and the main planning and launch mistakes that can complicate the path to a mature process. Based on these myths, legends and mistakes, he will explain how to approach building the processes, what needs to be taken into account, how to realistically assess your resources and how to launch a secure development process correctly. Organizational measures, technical tools (without naming vendors), interaction between development and information security, awareness programs, management of the process as a whole and performance metrics will be covered as the main sources of errors and the ways to overcome them.
13:00 - 14:00 | Integer security in C++
Igor Sobinov, security expert
The talk is devoted to protecting C++ applications against attacks that exploit integer overflow. It considers the typical cases in which vulnerabilities of this class arise, the possible consequences of exploiting them and the methods of protection.
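As an added illustration of the bug class this talk is about (the code below is not from the speaker or the talk), here is the most common shape of an integer overflow vulnerability in C++, a buffer size computed from two attacker-controlled numbers, placed beside a hardened version. The "hostile" request value is constructed for the example: it is chosen so that count * 4 is exactly 2^N for any size_t width and therefore wraps to 0.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <vector>

// Result of handling one untrusted "count records of elem_size bytes" request.
struct Allocation {
    bool accepted;      // false: the request was rejected by the hardened path
    std::size_t bytes;  // bytes actually handed to the allocator
};

// Vulnerable pattern: the buffer size is count * elem_size, both attacker
// controlled. size_t multiplication wraps modulo 2^N (well-defined, but
// silently wrong), so a large count yields a tiny allocation; the copy loop
// that follows in real code then writes `count` elements past the heap block.
Allocation vulnerable_handle(std::size_t count, std::size_t elem_size) {
    std::size_t bytes = count * elem_size;      // may wrap to a small value
    std::vector<unsigned char> buf(bytes);      // allocation succeeds, too small
    // ... real code would now copy `count` elements into buf: heap overflow ...
    return {true, buf.size()};
}

// Hardened pattern: prove that the product fits before computing it.
// The division form is portable C++; __builtin_mul_overflow (GCC/Clang) is
// the compiler-specific alternative.
bool checked_mul_size(std::size_t a, std::size_t b, std::size_t& out) {
    if (b != 0 && a > std::numeric_limits<std::size_t>::max() / b) {
        return false;                           // a * b would exceed SIZE_MAX
    }
    out = a * b;
    return true;
}

Allocation hardened_handle(std::size_t count, std::size_t elem_size) {
    std::size_t bytes = 0;
    if (!checked_mul_size(count, elem_size, bytes)) {
        return {false, 0};                      // reject instead of truncating
    }
    std::vector<unsigned char> buf(bytes);
    return {true, buf.size()};
}

// Signed arithmetic is the other half of the problem: overflow of int is
// undefined behaviour, so a post-hoc test such as `if (a + b < a)` may be
// optimised away entirely. Compare against the limits before adding instead.
struct AddResult {
    bool ok;
    std::int32_t value;   // meaningful only when ok is true
};

AddResult checked_add_int32(std::int32_t a, std::int32_t b) {
    constexpr std::int32_t kMax = std::numeric_limits<std::int32_t>::max();
    constexpr std::int32_t kMin = std::numeric_limits<std::int32_t>::min();
    if ((b > 0 && a > kMax - b) || (b < 0 && a < kMin - b)) {
        return {false, 0};
    }
    return {true, static_cast<std::int32_t>(a + b)};
}

// Attacker-chosen request (constructed for this example): count is one more
// than SIZE_MAX / 4, so count * 4 equals 2^N and wraps to 0 on any width.
std::size_t hostile_count() {
    return std::numeric_limits<std::size_t>::max() / 4 + 1;
}

int main() {
    Allocation v = vulnerable_handle(hostile_count(), 4);
    Allocation h = hardened_handle(hostile_count(), 4);
    std::cout << "vulnerable path allocated " << v.bytes << " bytes\n";
    std::cout << "hardened path accepted=" << h.accepted << "\n";
    AddResult r = checked_add_int32(std::numeric_limits<std::int32_t>::max(), 1);
    std::cout << "INT32_MAX + 1 ok=" << r.ok << "\n";
    return 0;
}
```

The unsigned case is the one that bites in parsers and protocol handlers: the wrapped multiplication is not undefined behaviour, so no sanitizer or compiler warning flags it, and the undersized allocation looks like a success to every caller. The signed check matters for a different reason: once `a + b` has overflowed, the compiler is entitled to assume it did not, so the only reliable test is the one done before the operation.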
14:00 - 15:00 | Vulnerability detection in theory and practice, or why there is no perfect static analyzer
Yaroslav Alexandrov, Alexander Chernov and Ekaterina Troshina, Solar Security
Today it is hard to imagine high-quality development of software that meets information security requirements without static analysis. Practicing SDL requires a static analysis tool at the development stage. In theory, every currently known vulnerability can be identified in source code; one only needs to choose a high-quality analyzer. In practice, the analyzer produces multi-page reports full of false positives and, even worse, misses defects.
Despite this, a high-quality static analyzer is necessary: it detects critical vulnerabilities that cannot be found by other code analysis methods. Effective use of a static analyzer relies on building a continuous development process around the tool, with both organizational and technical components. But how do you build such a process, taking all of these features into account?
The talk will discuss the basic principles of static code analysis and give a comparative overview of the methods and algorithms underlying modern static analyzers. Concrete examples will show how a static analyzer searches for vulnerabilities and answer the question of why there is no ideal static analyzer that is fast, produces no false positives and misses no vulnerabilities. The speakers will describe how to embed a static analyzer into the development process so that it is efficient in terms of resources and gives high-quality results.
15:00 - 16:00 | Perfect static analysis
Vladimir Kochetkov, Positive Technologies
A perfect static analysis tool does not exist. But is there a perfect static analysis process? How should the roles in it be divided between a person and the SAST toolkit? What should the tools look like to make it as easy as possible for a person to solve the static analysis problem?
16:00 - 18:00 | Round table: "SAST and its place in the SDLC"
Moderator: Vladimir Kochetkov, Positive Technologies
Participants: Positive Technologies, SolidLab, Mail.ru, Solar Security, PVS-Studio, ISP RAS

11:00 - 12:00 | LibProtection: 6 months later
Vladimir Kochetkov, Positive Technologies
The speaker will present the results of the library's public testing, examine in detail the bypasses that were found and how they were fixed, and present the plans for developing the library this year.
12:00 - 13:00 | Security fundamentals of consensus algorithms in blockchains (talk in English)
Evangelos Deirmentzoglou, Positive Technologies
Consensus algorithms are an integral part of any blockchain platform. Whether it is Bitcoin, Ethereum or even a distributed ledger technology that does not use a blockchain (for example, hashgraph), reaching consensus is an essential step in processing transactions. In the near future we will witness a transition from Proof of Work to more advanced distributed consensus algorithms.
The talk will cover the working principles of Proof of Work, Proof of Stake, Delegated Proof of Stake and Proof of Authority. While analyzing the differences between these algorithms, the most common attacks against systems based on them will be considered: double spending, the 51% attack, bribery attacks, Sybil attacks, the Nothing-at-Stake attack and others.
13:00 - 14:00 | Predicting random numbers in Ethereum smart contracts
Arseny Reutov, Positive Technologies
Smart contracts are used not only for initial coin offerings. Various lotteries, casinos and card games written in Solidity are available to anyone who uses the Ethereum blockchain. The self-contained nature of the blockchain limits the entropy sources available to random number generators (RNGs), and there is no common library with which developers could build secure RNGs, so implementing your own RNG can create a lot of problems.
It is not always possible to implement a secure RNG, which gives attackers the opportunity to predict the result and steal significant amounts of money. The talk presents an analysis of blockchain-based smart contracts for the gambling industry. The speaker will demonstrate real examples of incorrect RNG implementations. Participants will learn how to identify problems in an RNG and build their own secure generator that takes the limitations of the blockchain into account.
14:00 - 15:00 | Pitfalls of parameterization and the object approach
Vladimir Kochetkov, Positive Technologies
Does the use of parameterization tools and the move to an object model always solve the application security problem effectively? What risks do these approaches entail? Can vulnerabilities appear in project code when they are used? The speaker will answer these questions with concrete examples and real-life cases.
15:00 - 16:00 | Method hooking in Android
Alexander Guzenko, Tinkoff
The speaker will explain what method hooking and an injector are, and show how, knowing these two concepts, to apply them on Android and make someone else's application do what you need.
16:00 - 17:00 | How to build a fast WAF: building a high-performance network traffic analysis system
Mikhail Badin, Wallarm
The talk will cover the stages of packet processing in a WAF, extracting the required information from a request, optimizing tokenization, filtering based on regular expressions and implementing behavioral analysis as part of traffic post-processing.
***
Please send any questions about the section or the community's work to pdug@ptsecurity.com.