PDUG section at PHDays VII: how to develop applications that hackers cannot break
PHDays VII is rapidly approaching, and we are pleased to announce that the Positive Development User Group, an open secure-development community, will once again gather at the forum venue. Last year a separate seminar was held under the auspices of PDUG (for details, see Vladimir Kochetkov's write-up); this year we have planned a whole section with an AppSec workshop, talks on various aspects of secure development, and even a beta test of a new free service for finding vulnerabilities in web applications.
Attending the PDUG section is free, as usual, but the hall cannot accommodate everyone, so you need to apply for participation. Once we have reviewed your application, we will send you an invitation with the details of the meeting.
If you have questions, please contact firstname.lastname@example.org or email@example.com .
Full section program
10:00 | Application Security Outback Workshop / Application Security Slums
Vladimir Kochetkov, Head of Application Security Analysis Research, Positive Technologies
Denis Kolegov, Head of Security Technologies Research Group, Positive Technologies
Have you ever wondered how modern application protection mechanisms work? What theory underlies the implementation of WAF and SAST? What are the limits of their capabilities? How can those limits be pushed by taking a broader view of application security?
The workshop examines the basic methods and algorithms behind two fundamental application protection technologies: application-level firewalling (WAF) and static code analysis (SAST). Using open-source tools developed specifically for this workshop as examples, we will look at the problems that developers of application protection tools face, along with possible solutions, and answer all of the questions above.
- 10:00 || AppSec Outback: Theory
- 10:40 || AppSec Outback: heuristic application protection methods
11:40 | Coffee break
12:00 | Continuation of the Application Security Outback workshop
- 12:00 || AppSec Outback: formal methods for analyzing source code
- 13:00 || AppSec Outback: Combining Approaches
- 13:25 || Demo PT BlackBox Scanner - a free cloud service for finding vulnerabilities in web applications
13:40 | Automating rule creation for Approof
Denis Efremov, Institute for System Programming, Russian Academy of Sciences
Approof is a tool for checking web applications for vulnerable components and configuration errors. It works from rules that store the signatures of such components. The talk covers the basic structure of an Approof rule and how to automate its creation.
14:00 | Attack Prevention Mechanisms in ASP.NET Core
Mikhail Shcherbakov, freelance developer and consultant
Let's look at Microsoft's new web framework from a security standpoint. ASP.NET Core is the successor to the ASP.NET platform, and unlike its big brother its code is fully open and community-supported. The framework's architecture was rethought, new security features appeared, and some of the existing ones were heavily rewritten.
The talk covers these differences and shows how the built-in XSS and CSRF protection mechanisms now work, which cryptographic facilities are available out of the box, and how session management works. It will be of interest primarily to developers writing secure ASP.NET applications, specialists conducting security reviews of .NET projects, and anyone who wants to understand how security components are implemented, using this platform as the example.
15:00 | Formal verification of C code
Denis Efremov, Institute for System Programming, Russian Academy of Sciences
The talk is devoted to developing correct software using one type of static code analysis. It covers the practical issues of applying such methods, their weaknesses and limitations, and the results they can deliver. Concrete examples show what writing specifications for C code and proving that the code conforms to them looks like.
16:00 | Vulnerable Android app: N proven ways to shoot yourself in the foot
Nikolay Anisenya, Specialist, Mobile Application Security Research, Positive Technologies
Few developers build security into the application architecture at the design stage; there is usually neither money nor time for it. Even rarer is an understanding of attacker models and threat models. Application protection comes to the fore only when vulnerabilities start to cost money, and by then the application is already in production and making significant changes to the code is a difficult task.
Fortunately, developers are human too, and similar flaws turn up in the code of different applications. The talk covers the dangerous mistakes most often made by Android application developers: the Android OS specifics involved, examples of real applications and the vulnerabilities found in them, and ways to fix them.
16:45 | Security requirements in software architecture
Kirill Ivanov, architect, Positive Technologies
The development of any software is in one way or another driven by requirements. The full set comprises the application's business goals, various constraints, and quality expectations (also called non-functional requirements, NFRs). Software security requirements belong to the last group. The talk looks at where these requirements come from, how to manage them, and how to select the most important ones.
It also covers the principles of building an application's architecture both with and without such requirements, and demonstrates how modern (and well-known) design approaches help shape the architecture so as to minimize the threat landscape.
17:30 | Talk from Solar Security (topic to be confirmed)