SecAppDev 2024 workshop details
Externalizing authorization in a diverse application landscape using OPA
Learning goal: Participants will understand the benefits of externalizing authorization and will be able to do so in practice, while at the same time understanding the limitations of such an architecture.
Friday June 7th, 09:00 - 17:30
Room Lemaire
Abstract
This hands-on, interactive training will teach participants how their applications can benefit from external authorization and how they can implement this using Open Policy Agent (OPA), a modern solution to realize the PIP-PAP-PEP-PDP model and an accessible alternative to XACML-based solutions. OPA is application agnostic and allows writing policies as code in the Rego policy language. Through this policy engine, participants will learn how to manage access away from their applications, which will help them to address the current number one risk of the OWASP Top 10: Broken Access Control.
Content overview
- Externalizing user directories
- Externalizing authentication
- Externalizing authorization
- Broken Access Control
- Access control models (RBAC/ABAC)
- PIP-PAP-PEP-PDP model
- Open Policy Agent (OPA)
Content level
Advanced
Target audience
Developers who know how cumbersome it is to manage authorization in multiple applications and who are looking for a fresh take on it. Architects that are interested in understanding how the PIP-PAP-PEP-PDP model can be implemented in practice.
Prerequisites
Actual coding is very limited, but you will be required to configure and set up the required components.
Technical requirements
Laptop and internet access. Git, node, docker, and visual studio code installed.
Michael Boeynaems
Co-founder, lector, Splynter BV, AP Hogeschool
Expertise: Enterprise security architecture, security engineering, IAM, web security, governance and privacy
Jasper Rots
Cyber security architect, Splynter
Expertise: Cryptography, privacy and secure development
Other workshops
WAF Whirlwind Tour - A one day introduction to OWASP ModSecurity and OWASP CRS
One-day workshop by Christian Folini in room Lemaire
Thursday June 6th, 09:00 - 17:30
The OWASP ModSecurity WAF engine and its rule set counterpart OWASP CRS are the dominant team in the WAF world. Most commercial products are based on CRS and very often also on ModSecurity. The key characteristics are the high detection rate and the transparency of the rule set. The generic nature of the rule set also comes with a painful downside: false positives.
In this one-day workshop, we will look into the configuration of the WAF, we will write a few rules and, above all, we will fight false positives. The workshop is all you need to understand the basics and to get you started with a WAF.
Learning goal: This workshop aims to equip participants with the skills to perform basic WAF configuration, write and read simple ModSecurity rules, and handle false positives.
Navigating the 2021 OWASP Top Ten for web security
One-day workshop by Jim Manico in room West Wing
Friday June 7th, 09:00 - 17:30
This workshop offers a deep dive into the OWASP Top 10 2021, essential for web developers and security professionals aiming to master secure coding practices. It elucidates the critical web application security risks, fostering a comprehensive understanding and implementation of defensive programming. Attendees will gain insights into the most prevalent security threats and the methodologies to mitigate them, ensuring the development of secure and resilient web applications.
Learning goal: Participants will master the OWASP Top 10 2021, learning to identify, understand, and mitigate the most critical web application security risks, thereby enhancing their secure coding skills.
Bulletproof APIs: Hands-On API Security
One-day workshop by Philippe De Ryck in room West Wing
Thursday June 6th, 09:00 - 17:30
As APIs become a big part of our tech world, making sure they're secure is key. The 2023 version of the OWASP API Security top 10 shows us that API security needs our attention. Building secure APIs requires developers and architects to really get API security, from the big picture down to the nitty-gritty details.
This workshop will teach you the skills you need! We're going to think like an attacker to test APIs and like a defender to figure out the best ways to protect them. With lectures, real-world demos, fun quizzes, and hands-on labs, you'll learn how to secure your APIs.
Learning goal: Gain hands-on security strategies for APIs, understand the root causes of threats, and learn to implement effective solutions. Master best practices and leave with a checklist to enhance your application's security.