Security engineering

Why cryptocurrency wallets security is not about blockchain but about application security and user education? What crypto wallets and banking apps have in common? Are they as secure as banking apps? In her new talk, Julia goes into details, risks and threats of crypto wallets, design concerns and implementation issues, and gives practical advice for developers who want to make their apps more secure.

In his talk for the OWASP Zhytomyr community, Artur uncovers solutions to practical security issues every security engineer faces. The mobile application landscape is constantly changing – developers use new frameworks, Google demands new requirements and security features. Artur demonstrates the latest setup of a lab environment for security testing of Android apps. He uses it to illustrate how different apps implement specific OWASP MASVS requirements — like certificate pinning or root protection. Artur shows where to look to spot the missing security controls.

As a keynote speaker of this flagship event by OWASP, Anastasiia explains how developers and companies use cutting-edge cryptography and data security approaches when no perimeters and trusted zones exist anymore. In this talk, she starts with data security 101 and gets you through peculiarities of application level encryption (ALE), end-to-end encryption (E2EE), searchable encryption, zero knowledge architectures and zero trust. She demonstrates real-world cases of integrating application level encryption and supporting traditional security controls to protect customers’ data. By the end of the talk, you can have a whole picture how “strong cryptography” becomes “real-world security boundary around sensitive data” and what it takes in different contexts.

Can React Native apps be secure? Is it a leaky abstraction? Julia went in details of React Native architecture, platform usage, and its dependencies. This security talk is designed specially for developers, decision-makers, and tech leads interested in addressing and preventing typical mistakes related to this cross-platform solution from Facebook.

The security challenge is to protect ML models from leakage and massive accumulation, which leads to reverse engineering of unique IP. In this talk, Anastasiia explains building DRM-like protection with application level encryption using HPKE-like approach on ephemeral keys. She discusses risks, threats, dataflow, cryptographic layer, key management and integration with traditional application security controls for defense-in-depth approach.

Secure architecture is about decision making. Learn from Julia how it differs from secure coding and what you can do for your developer team to achieve better results while following SSDLC.

Julia talks about US encryption export regulations - what they mean, which applications they affect, and what developers should do.

In this talk, Julia invites app devs and architects to explore common iOS vulnerabilities, outlines popular requirements from OWASP MASVS, enlists examples and paths to make applications more secure.

End-to-end encryption doesn’t guarantee privacy and/or security of your data. Your favourite application can use e2ee and sell data to someone at the same time. Anastasiia explained the relationship between security, privacy and encryption, and how different encryption approaches protect users data from various events or threats.

Julia unraveled security issues developers should keep in mind to implement SSDLC, gave clues to the secure authentication standards, and shared experience on how to avoid typical auth mistakes in iOS apps.

Anastasiia gave a small hardcore cryptographic session and covered usable cryptography and the scenarios which can help app developers to right up their ship in case of cryptography or data security tools misuse. Get in details why boring crypto is actually better than “fun” crypto.

Public training on security and cryptography engineering conducted jointly by Anastasiia and Jean-Philippe. We focused on solving practical security engineering challenges rather than academic cryptography. We talked about SSDLC and risk management, cryptography and typical cryptographic mistakes, using and misusing APIs, building defence-in-depth for distributed applications.

Maintaining cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and the endless struggle to make developer-facing APIs easy-to-use and hard-to-misuse. Anastasiia described the four years journey of designing and supporting Themis: from shaping cryptosystems, writing language wrappers to CICD pipelines, autotests and interactive documentation.

Watch a story behind implementing end-to-end encryption for Bear application. Anastasiia explained the security engineering flow: protocol design, selecting cryptographic library, cryptocoding techniques, building defence-in-depth and preparing for incidents. Learn how to build an encryption engine for the app with 6M users.

Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. Anastasiia highlighted important changes for developers – including new CryptoKit framework, data privacy regulations, new app permissions.

“Defense in depth” is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, Anastasiia modeled threats and risks for the modern distributed application, and improved it by building multiple lines of defence. She gave an overview of high-level patterns and exact tools how to build defense in depth for your distributed web applications.

Who are the people in the “blue team” and how do they prevent business risks for company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec Kyiv community and infosec students.