At Positive Hack Days 9, the Positive Development User Group (PDUG) secure development section will run over two days. Participants will hear 12 presentations: the first half of each day is given to technical talks, the second half to talks on business processes.
Sergey Khrenov (PVS-Studio) will talk about SAST, CWE, CVE, SEI CERT, DevSecOps and introduce developers to programming standards that help create reliable applications.
The talk by Mikhail Shcherbakov (Royal Institute of Technology, Sweden) is devoted to vulnerabilities in the deserialization process in .NET. Attendees will also learn which .NET serializers are vulnerable, which tools can be used to search for such vulnerabilities, and which payloads are known for .NET applications.
Alexander Chernov (MGU) and Ekaterina Troshina (HSE) will explain how to instil secure development consistently from the very beginning of a student's studies. They will formulate the goals and objectives of teaching secure development using the example of basic courses on low-level programming and operating systems.
From the talk by Sergey Gorokhov (EPAM Systems), attendees will learn how to bring a software product into compliance with the European GDPR and what to do when a customer asks "to make the product GDPR-compliant".
22nd of May
Dmitry Tereshin and Nikolay Islamov (Tinkoff Bank) will address current issues in Android application security. They will highlight causes of vulnerabilities in Android applications that are not well covered in the OWASP guides.
The presentation by Alexey Dremin (independent expert) is on building a pipeline for continuous application security testing. He will work out at what point to start the pipeline, how and what to integrate with CI/CD, and where to store and where to process the results.
How a secure programming process is built can be heard in the talk by Vladimir Sadovsky (M.Video). He will speak about architectural design, automated tests, detection of business logic errors, and bug bounty programs.
Alexey Ryzhkov (EPAM Systems), drawing on the experience of implementing EPAM's secure development processes, will talk about building a process for analyzing each feature in terms of its security impact on the project (security impact analysis).
Sergey Prilutsky (MixBytes) will raise the topic of automated security audit of smart contracts: he will discuss the features of smart contract executable code and the analyzers that work with it, using the Ethereum Virtual Machine as an example, as well as attack vectors against smart contracts and the possibilities for detecting them automatically.
The talk by Vitaly Katunin (EPAM Systems) is dedicated to security risk assessment: attendees will learn how to make risk assessment transparent for all stakeholders and achieve backward compatibility between threats and security requirements.
Anton Basharin (Swordfish Security) will share his experience in automating AppSec processes and in collecting, visualizing and analyzing metrics.
How to get to the section
For members of the PDUG community, tickets for the track are traditionally free, but there are only 100 of them. To get a ticket, apply and wait for confirmation. Please give your real first name and surname, otherwise the organizing committee will have to reject the application. After your registration is confirmed you will receive an invitation by email. Registration closes May 17th.
Recordings of talks from previous PDUG sections are available on the YouTube channel: youtube.com/channel/UCpcLVW5yxexISUIRbYBw_9w