What will be discussed in the development track at Positive Hack Days 12

There is almost no time left before the grand cyberfestival Positive Hack Days 12: it opens on May 19 in Moscow’s Gorky Park. This year the technical program combines five tracks at once: artificial intelligence, blockchain, development, offensive and defense.

The track dedicated to development (secure development included 😉) features 17 of the best talks. We asked our speakers to tell us more about themselves and their talks.

Execution cannot be pardoned: vulnerabilities due to errors in business logic

Ksenia Zmicherovskaya

More than 6 years of practical experience in information security in areas such as pharma, gamedev and software development, including as a system and business analyst

Ilya Sharov

More than 6 years of experience in system integration in fintech. For the past three years, he has been developing, scaling and popularizing secure development practices as an expert, architect and leader

When working with web applications, it is worth remembering that a significant share of critical vulnerabilities is associated with flaws at the business logic level. Seemingly legitimate user activity can turn out to be a critical “hole”, and the set of such vulnerabilities is unique to each application.

We will talk about approaches to combating logical vulnerabilities, analyze how to apply them in practice, and give useful tips on implementing secure development in companies.


How the developers of a source code analyzer struggled with the exponent

George Alexandria

Wizard of the third circle, sorcerer of the sixth rank and currently teaching the theory and practice of spells in the magic tower of Positive Technologies

I will reveal to you several useful mystical incantations that make the work of the magical apparatus easier. But be careful, do not be deceived by the simplicity of the word “incantation” – they are by no means simple and will contain certain formulas and symbols that require understanding and knowledge … well, or the perseverance to digest them.

In abstract interpretation (a magical thing that analyzes source code), a fairly large number of branching paths, forks of fate, arise, which our magical apparatus must somehow process. Our device may be magical, but it is by no means omnipotent, and the more reagents are slipped into it, the longer it takes to convert them. And we, creatures endowed with magical powers, are a terribly impatient people: we want everything quickly, preferably yesterday, which forces us to twist and trick our machine into working faster.

After listening to my talk, you, fellow magicians, will probably discover opportunities for accelerating your own shaitan machine, saving yourself a lot of time and magical power.


Service Architecture: Reducing Labor and Improving Security

Yuri Kardyukov

Head of Identity and Open API at eKassir, Product Owner of the Identity Platform system, specialist in authentication and authorization, and one of the creators of the OpenAPI certification stand

In my talk I will discuss providing APIs for users and partners. How do user services differ from system-to-system interactions? How can you safely store sensitive information, avoid distributing passwords to services, and delegate authentication to the API Gateway and Authorization Server (OAuth 2.0 and OpenID Connect)?

You will learn:

🔹 how to securely authenticate a user without third-party libraries or a single line of code;

🔹 what is the difference between the system-to-system architecture and the user API;

🔹 how to provide access to a service without opening access on the firewall.


Brave Docker Security Master’s Guide

Sergey Zadorozhny

Tech lead; worked at Center-Invest Bank for 14 years writing backends in Java and Kotlin for an enterprise enterprise in fintech. Now does DevOps, tech leadership, DevRel and gives talks. Keeps snakes, spiders and other exotic creatures. Likes cats and black metal

In an enterprise enterprise, you can’t just take any technology and bring it in, and Docker is no exception. Despite the popularity of Kubernetes and containerization in general, not everyone has gotten there yet. And the enterprise, especially in fintech, imposes security requirements. And not everyone has the legendary DevSecOps.

From my presentation you will learn:

🔹 how to get on the DevSecOps path and configure Docker so that the security guys are satisfied;

🔹 what the CIS Docker Benchmark is, how to implement it, and what other ways of hardening containers are available (gVisor, Firecracker, additional container deployment requirements from information security…);

🔹 how to sell Docker to security guys.


Supply chain security

Dmitry Shmoylov

Head of Software Security at Kaspersky; 17 years in information security, the last 5 of them at Kaspersky, responsible for secure development, SDLC and DevSecOps development, and bug bounty. Faces the topic of his talk in practice daily

I will consider the security issues of software components and processes that organizations are forced to obtain from external vendors (software, data centers, services, open source). Supply chain risks have always existed, but over the past few years they have led to a number of incidents at companies around the world.

Together we will analyze the causes of these risks and what they affect, and create a draft threat model for selecting the right mitigations.

Depending on your role, you can:

🔹 as a CISO, look at threats from a different angle, update your information security concept and understand how to convey risks to management;

🔹 as DevSecOps, check whether all the necessary controls are implemented or are still in your backlog;

🔹 as DevOps or a developer, learn about risks that have gone undetected;

🔹 as a security officer, find security gray areas within your infrastructure.


How to apply ZeroTrust approaches when building a secure development process

Svetlana Gazizova

Head of Security Development Audit at Swordfish Security. In recent years, I have assembled a collection of DevSecOps “do’s and don’ts”, having worked with several dozen companies. Author and trainer of courses on secure development; runs a secure development channel with reviews of the latest news, useful tips and memes

My presentation will focus on how to integrate the concept of Zero Trust into secure development. So far, everyone is suggesting doing DevSecOps “at the minimum” and securing applications somehow. But it’s time to admit that we need to move on. The cyber environment is such that without adequate controls and the use of the full potential of tools, it is impossible to guarantee the security of information.

You can find answers to the following questions for yourself:

1. How realistic is it to reconcile the two concepts, and how will this affect time to market?

2. Who should be “not trusted” and why?

3. How will the secure development cycle change?


I’m a reverser, that’s how I see it

Dmitry Sklyarov

Head of Reverse Engineering, Positive Technologies. Picks apart binaries, looking for everything bad in order to make it good…

Over the years that I have been doing reverse engineering, I have seen a lot of different code, sometimes even in source form. I have talked to many people involved in software development, often very smart ones. I have read many articles and books, some of them even useful. I have watched new techniques and technologies for improving application security emerge, and they are quite effective…

But the errors in the code still do not disappear. Not that every binary contains critical vulnerabilities, but the chance of finding something “bad” is still very high…

In my talk, I want to convey my reverser’s view of the causes of problems in code and of the processes designed to eliminate those problems.


Code query language… not needed?

Vladimir Kochetkov

Head of Application Security Expertise and Code Analyzer Development, Positive Technologies. Organizer of POSIdev and development track on PHDays

Sergey Podkorytov

Team leader for code analyzer development, Positive Technologies

In our talk, we will share our experience in solving the problem of separating out expertise in PT Application Inspector, look at popular tools such as Semgrep and CodeQL, and talk about the difficult path the PT Application Inspector team has traveled through several versions of a query language to a completely different way of describing a static analyzer’s knowledge base.

The talk will be useful not only to those who have long wanted to extend the logic of a static analyzer almost arbitrarily, but also to those interested in the technical aspects of isolating the expert component of a software product.


And that is not the whole list. 👀 The full program of the development track is on our website. Come and hear the talks live on May 19 and 20 in Gorky Park!

The experts will speak in the security area on the embankment; to visit it you need to buy a ticket 🎫. The ticket also gets you into the closed part of the cyberfestival, lets you take part in discussions and competitions, and lets you watch the twists and turns of the Standoff cyberbattle. All of this was covered in detail in a previous post.
