BCS SPA Software in Practice

24th – 26th June 2019

Book your place now

Session

Crafting Secure Software

The hands-on for the developers who have no time for security!

150 minutes

Abstract

During this session, we will have the challenge to start a new business. But, take care, we will face evil hackers!

We'll consider technics like secure coding and secure by design and see how we can improve the security of our applications with some genius design by applying practices like TDD or DDD. At the end of the session, you will understand how weaknesses can sneak into your code and how you can craft quality and secure code.

And, maybe, you will find some "quick wins" to apply in the real life...

You will need to bring your own device. The session has a Java and c#/.net core versions.

This session is specially designed for beginners to intermediate developpers

Audience background

This session is specially designed for beginners to intermediate developpers

Benefits of participating

After this session, attendees will have basic tips and knowledge about:
- Secure coding
- How to improve their code to prevent weaknesses
- Secure by Domain-Driven Design (strategic and tactic approach)
- Secure by Design

This talk doesn't aim to transform developers into security gourous and elite pentesters. Attendees will be aware of how dangerous can be their code and how to change small things to make it better

Materials provided

Slides (https://fr.slideshare.net/YvanPHELIZOT/crafting-secure-software-dddeu-2019)
Codebase (https://github.com/cotonne/bbl-crafting-secure-softwares)

Process

This session uses a codebase (https://github.com/cotonne/bbl-crafting-secure-softwares) that attendees have to investigate and refactor to make it secure.

Detailed timetable

00:00 - 00:05 : introducing myself :)
00:05 - 00:10 : describe context (Neflipster)
00:10 - 00:30 : attendees download code and look for weakness
00:30 - 00:40 : highlight some weaknesses and how to fix them (secure coding approach)
00:40 - 01:00 : attendees have to fix them
01:00 - 01:05 : previous exchange can be traced as tests (TDS approach)
01:10 - 01:20 : people write tests
01:20 - 01:30 : hey, there is still another weakness (Secure by DD-Design)
01:30 - 01:50 : attendees introduce VO like money, quantity, ...
01:50 - 02:00 : hey, I was tired and again, there is a weakness in this codebase (Strongly typed code)
02:00 - 02:10 : People fix it
02:10 - 02:20 : Conclusion
02:20 - 02:30 : questions


Outputs

I don't understand this part, can you help me? :)

Presenters

  1. Yvan PHELIZOT
    Arolla