PHDays 9: Welcome to the Secure Development Section
The Positive Hack Days 9 forum will host a two-day secure development section run by the Positive Development User Group (PDUG) community. Twelve talks await participants: the first half of each day is devoted to technical talks, the second half to talks on business processes.
May 21
Vladimir Kochetkov and Valery Pushkar (Positive Technologies) will share their experience developing an effective static analyzer for JavaScript code and demonstrate the analyzer on complex examples.
Sergey Khrenov (PVS-Studio) will talk about SAST, CWE, CVE, SEI CERT and DevSecOps and introduce developers to coding standards that help create reliable applications.
A talk by Mikhail Scherbakov (KTH Royal Institute of Technology, Sweden) is devoted to deserialization vulnerabilities in .NET. Attendees will learn which .NET serializers are vulnerable, which tools can be used to find such vulnerabilities, and which payloads are known for .NET applications.
Alexander Chernov (Moscow State University) and Ekaterina Troshina (HSE) will explain how to instill secure development consistently from the very beginning of training. They will formulate the goals and objectives of teaching secure development using the example of introductory courses on low-level programming and operating systems.
From the talk by Sergey Gorokhov (EPAM Systems), attendees will learn how to bring a software product into line with the European GDPR and what to do when a customer asks to "make the product GDPR-compliant".
May 22
Dmitry Tereshin and Nikolay Islamov (Tinkoff Bank) will cover current security issues in Android applications, highlighting causes of Android application vulnerabilities that the OWASP guides cover insufficiently.
Alexey Dremin (independent expert) will present on building a pipeline for continuous application security testing: at what point to start the pipeline, how to integrate it with CI/CD and what to integrate, and where to store and process the results.
Vladimir Sadovsky (M.Video) will talk about building a secure programming process: architectural design, automated tests, finding business logic errors, and bug bounty.
Alexey Ryzhkov (EPAM Systems), drawing on EPAM's experience implementing secure development processes, will talk about building a process for analyzing every feature in terms of its impact on the project's security (security impact analysis).
Sergey Prilutsky (MixBytes) will raise the topic of automated smart contract security auditing: the specifics of smart contract executable code and the analyzers that work with it, using the Ethereum Virtual Machine as an example, as well as attack vectors against smart contracts and the possibilities for detecting them automatically.
A talk by Vitaliy Katunin (EPAM Systems) on security risk assessment: attendees will learn how to make risk assessment transparent to all stakeholders and achieve traceability between threats and security requirements.
Anton Basharin (Swordfish Security) will share his experience automating AppSec processes and collecting, visualizing and analyzing metrics.
How to get to the section
For PDUG community members, tickets to the track are traditionally free, but there are only 100 of them. To get a ticket, submit an application and wait for it to be confirmed. Please give your real first and last name; otherwise the organizing committee will have to reject the application. Once your registration is confirmed, you will receive an invitation by e-mail. Registration closes on May 17.
Talks from previous PDUG sections can be watched on the YouTube channel.