Build Stuff 2018 has ended
security
Wednesday, November 14
 

12:00pm EET

[SLIDES]Layla Porter @LaylaCodesIt - APIs Exposed!
More and more developers are building APIs, whether that be for consumption by client-side applications, exposing endpoints directly to customers so they can use an alternative front-end or wrapping up services in containers.

Now that we have all these exposed endpoints, what are we doing to secure them? Previously, our monolith was self-contained with limited points of access, making authentication and authorisation more straightforward - that’s no longer the case.

We’ll cover the potential risks we may face, such as cross-site scripting and brute-force attacks, as well as look at the possible options for securing API endpoints, including OAuth, access tokens, JSON Web Tokens, IP whitelisting and rate limiting, to name but a few.

Speakers
Layla Porter

Speaker, Techorama
Layla is a self-taught .NET web developer and former Pilates teacher and professional horse-rider. She is passionate about breaking stereotypes and helping people of all ages and backgrounds get into coding, making software engineering more accessible. She mentors at Girls Code MK...



Wednesday November 14, 2018 12:00pm - 12:50pm EET
3. Garage
  Session

12:00pm EET

[SLIDES]Santeri Kangas @KangasSanteri - IoT security powered by AI on a cloud scale
Research company Gartner predicts that more than 20B connected devices will be used worldwide by 2020. Protecting and securing IoT devices starts with device identification.

How does advanced device identification help to protect smart homes? How to use the latest cloud technology and innovative machine learning algorithms to secure connected homes? How to scale to 15M households, 100M devices worldwide in one year?

Santeri Kangas shares his insights about running an agile organization that managed to secure the router while deploying the private cloud effectively.

Speakers
Santeri Kangas

CTO, CUJO AI
Santeri has 26 years of experience in cyber security and cloud computing, and a commendable track record in building award-winning security software products for network operators. Kangas has worked to successfully organizations, including as a CTO at F-Secure, CTO of vulnerability...



Wednesday November 14, 2018 12:00pm - 12:50pm EET
2. Beta
  Session
 
Thursday, November 15
 

10:20am EET

[SLIDES]Eleanor McHugh @feyeleanor - Identity & trust in monitored spaces
We live in a world of poorly protected persistent data silos, the digital equivalent of a rusty tin box tied up with string and buried in a somewhat disheveled flowerbed. The owners of these silos hoard a bewildering array of personal data on everyone who interacts with them on the off chance that some of this might be useful to them in the future or have concrete resale value. A vast industry exists to help secure these silos once they exist, but rarely does anyone ask the key existential question: do we need all that data in the first place?
In most cases the answer is no, and by collecting and storing this personal data we're endangering both our systems and the people who use them.
Across the developed world, the outcry over high-profile data breaches has forced legislators to take action, introducing strict new regulations on how personal data can be stored and the rights of individuals both to control their data and to be forgotten. So how as IT professionals can we deal with this new reality? And what are the implications as the IoT expands the scope of personal data and new analytic tools make it increasingly transparent? 
Join Eleanor to explore the relationship between privacy and identity, the slippery nature of consent, and how we can prove after the event that our applications acted correctly. Can we really design all this into our processing systems from their very inception? And if so, how?


Speakers
Eleanor McHugh

The Author of a Go Developer's Notebook, Games With Brains
London-based hacker Ellie is the sometime writer of A Go Developer's Notebook. During the course of her career she's worked on mission critical systems ranging from avionics to banking security and digital trust arbitration. Ellie is co-founder of Innovative Identity Solutions, a startup...



Thursday November 15, 2018 10:20am - 11:10am EET
3. Garage
  Session

10:20am EET

[SLIDES]Seth Vargo @sethvargo - So you wanna do security with microservices, eh?
Equifax, Yahoo, the NSA, IHG, Hyatt, Uber, and eBay are just a few of the over 100 companies that reported security and data privacy breaches in 2017. For many organizations, the perimeter firewall has been the only required security, but with the move to cloud, no longer can users rely on a firewall as the only means of defense. Instead, we need to adopt defense in depth and rethink the way we do security in microservices. Just like DevOps, this is a collaborative process that requires changes throughout the stack from developers, operators, security professionals, and executives.
Hackers are getting more sophisticated in their attacks. As a result, we need a strong recipe to reduce the threat of intrusion, a mechanism for detecting security breaches and anomalies, and a process for quickly responding to security incidents (“break glass”).
Seth Vargo outlines the key principles for securing microservices and distributed systems in the modern world, where applications run in cloud or hybrid cloud infrastructure. You’ll learn the challenges associated with microservices and the principles of secure applications (think 12-factor apps, but for security); you’ll also discover how to implement time-based, limited-access controls and capture security practices and policy as code. 

Speakers
Seth Vargo

Engineer, Google
Seth Vargo is an engineer at Google Cloud. Previously he worked at HashiCorp, Chef Software, CustomInk, and some Pittsburgh-based startups. He is the author of Learning Chef and is passionate about reducing inequality in technology. When he is not writing, working on open source...



Thursday November 15, 2018 10:20am - 11:10am EET
1. Alfa

1:20pm EET

[SLIDES]Lukas Vileikis @en0xide - Lessons from 4 Billion breached records
Websites are hacked daily and their data is stolen by hackers. How and why is it done, and what can we learn from it?

Speakers
Lukas Vileikis

Marketing Evangelist, Severalnines
Lukas is an ethical hacker, a MySQL DBA and a frequent conference speaker. Since 2014 Lukas has found and responsibly disclosed security flaws in some of the most visited websites in Lithuania and abroad including advertising, gift-buying, gaming, hosting websites as well as some...



Thursday November 15, 2018 1:20pm - 2:10pm EET
5. Zeta
  Session
 
Friday, November 16
 

1:10pm EET

[SLIDES]Mandi Walls @lnxchk - Making Security and Compliance Easy with InSpec
InSpec is an open source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security, and policy requirements.
Using a combination of command-line and remote-execution tools, InSpec can help you keep your infrastructure aligned with security and compliance guidelines on an ongoing basis, rather than waiting for and then remediating from arduous annual audits. InSpec’s flexibility makes it a key tool choice for incorporating security into a complete continuous delivery workflow, reducing the risk of new features and releases breaking established host-based security guidelines. This workshop covers the basics of working with InSpec, writing tests to reflect your organization’s security guidelines, consuming community security profiles, and managing InSpec as part of a high-velocity workflow.

Speakers
Mandi

Technical Community Manager, Chef Software
Mandi Walls is Technical Community Manager, EMEA at Chef. For Chef, she helps organizations increase their effectiveness using configuration management and modernizing IT practices. She is a long-time sysadmin focusing on large complex web systems.



Friday November 16, 2018 1:10pm - 3:10pm EET
5. Zeta
  Workshop

2:20pm EET

[SLIDES]Bill Dinger @adazlian - OWASP Top 10 Vulnerabilities & ASP.NET
In this talk we'll go over the new 2017 OWASP Top 10 vulnerabilities and how they apply to ASP.NET. We'll include a demonstration of each vulnerability, the risk it poses, how to detect the attack, and how to mitigate it. Source code and demo project will be available.

Speakers
Bill Dinger

Solutions Architect, VML
Over the last 15 years I've worked in enterprise IT, first in customer service, then in infrastructure and now in a more focused .NET development role. During that time the accomplishment I'm most proud of is that despite tens of thousands of customer interactions and phone calls...



Friday November 16, 2018 2:20pm - 3:10pm EET
2. Beta
  Session
 

