AppSec is Too Hard!? - Philippe De Ryck - NDC Security 2022

  • Published 17 May 2022
  • Looking at available tools and features, it is easy to conclude that AppSec is shooting for the moon. Modern frameworks build security in by default, and vulnerable technologies are replaced by more secure alternatives. But regardless of all these good intentions, we see the same vulnerabilities popping up over and over again. Are we just careless when building applications, or is AppSec too hard?
    Throughout this talk, we review various cases where frameworks and libraries get in the way of security, paving the way for application-level vulnerabilities. With practical examples, we investigate more robust approaches to application security. The patterns we discuss will not only help you to improve the security of your applications but also make application security more manageable at scale.
    Check out more of our featured speakers and talks at
    ndcconferences.com/
    ndc-security.com/
  • Science & Technology

COMMENTS • 6

  • @sCr33nSh0o71 2 years ago +6

    What a shock that the first issue is in Java :D

    • @computer9764 2 years ago +2

      At least it wasn't PHP

    • @sCr33nSh0o71 2 years ago

      @computer9764 It can't be, as no one is using it

    • @computer9764 2 years ago +1

      @sCr33nSh0o71 Impossible. Do you use PHP for job security?

  • @Lavasea 2 years ago

    Great talk! Nice explanations and examples

  • @PranavKothare 2 years ago

    The first part on OIDC is so severely understated in the dev community, I'm glad it was mentioned. A lot of developers think JWT = AuthN/Z and go on to roll their own half-baked security mechanisms using core JWT libraries. There is so much more nuance involved in setting up AuthN/Z correctly via OAuth2/OIDC libraries. It's only compounded by the fact that real-world implementations require handling of authentication context for 2FA, application type, federations, third party integrations and other scenarios to make a meaningful and secure app. Truly great advice in this session!
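As an added example of the "JWT = AuthN/Z" trap the comment above describes (this code is not from the talk, the speaker, or the commenter), the block below puts a half-baked token check next to a strict one using only the Python standard library. It assumes an HS256 shared secret, an issuer URL and an audience name that are all made up for the demo; a real deployment would get these from an OAuth2/OIDC library and the provider's discovery document rather than hard-coding them.

```python
"""Two JWT consumers side by side: a half-baked check that trusts the token's
own claims, and a strict validator that pins the algorithm, verifies the
signature in constant time, and checks exp/iss/aud.  HS256 only, stdlib only.

Added example for illustration; not code from the talk or the commenter."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key and identity-provider details (assumptions for this example).
DEMO_KEY = b"demo-shared-secret-not-for-production"
EXPECTED_ISS = "https://idp.example"
EXPECTED_AUD = "orders-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue an HS256 token; used here only to build the constructed test tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def naive_subject(token: str) -> Optional[str]:
    """The half-baked pattern: decode the payload and trust 'sub' without
    verifying signature, expiry, issuer or audience.  Anyone can forge this."""
    try:
        _, body, _ = token.split(".")
        return json.loads(_b64url_decode(body)).get("sub")
    except ValueError:
        return None


def strict_subject(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> Optional[str]:
    """Validate before trusting: algorithm allowlist, constant-time signature
    check, then exp/iss/aud.  Returns the subject, or None on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: the token must never get to choose ("none", key confusion, ...).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # A valid signature only proves who issued the token; it says nothing about
    # whether the token is for this API or still fresh, so check the claims too.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    if claims.get("iss") != EXPECTED_ISS:
        return None
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        return None
    sub = claims.get("sub")
    return sub if isinstance(sub, str) else None


# Constructed tokens exercising the failure modes (all values are made up).
FIXED_NOW = 1_700_000_000
_BASE = {"sub": "alice", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": FIXED_NOW + 300}
GOOD = mint_hs256(_BASE)
# Tampered payload with the original signature left in place.
_H, _, _S = GOOD.split(".")
FORGED = f"{_H}.{_b64url_encode(json.dumps(dict(_BASE, sub='admin')).encode())}.{_S}"
# Classic alg=none token with an empty signature.
UNSIGNED = (f"{_b64url_encode(json.dumps({'alg': 'none', 'typ': 'JWT'}).encode())}."
            f"{_b64url_encode(json.dumps(dict(_BASE, sub='admin')).encode())}.")
EXPIRED = mint_hs256(dict(_BASE, exp=FIXED_NOW - 1))
WRONG_AUD = mint_hs256(dict(_BASE, aud="billing-api"))

if __name__ == "__main__":
    for name, tok in [("GOOD", GOOD), ("FORGED", FORGED), ("UNSIGNED", UNSIGNED),
                      ("EXPIRED", EXPIRED), ("WRONG_AUD", WRONG_AUD)]:
        print(f"{name:10} naive={naive_subject(tok)!r:10} strict={strict_subject(tok, now=FIXED_NOW)!r}")
```

The naive consumer happily returns "admin" for the forged and unsigned tokens; the strict one rejects everything except the genuine, unexpired token addressed to this API. Even the strict version only covers HS256 with a pre-shared key; the moment you need RS256/JWKS key rollover, `nbf`/`iat` skew, token revocation or the OIDC `nonce`/`at_hash` checks, that is exactly the nuance the comment is pointing at, and the reason to lean on a maintained OAuth2/OIDC library instead of extending this by hand.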