February 18-20, 2015
Montreal, Canada

Security Conference

Security Cookies have been around for decades and have served us well. Nobody questions their usefulness. However, modern apps demand a better approach. This session is all about the natural successor to cookies: using a token-based design. Tokens help build apps that are assembled on multiple stacks, that use your own and 3rd party APIs. They help easily “flow” user identity across all layers and security contexts , regardless of how they authenticated.
Security If your web application exists on the public Internet, someone *will* try to exploit it.
Many of these are un-targeted & scripted, their authors hoping that their target will fall to one of the hundreds of un-patched vulnerabilities in frameworks, blog engines or storefronts. Let's go through some common and uncommon exploits in the wild, starting from their traces in server logs, and see how we can detect them and better protect ourselves.
Security HTML5 brings both new markup (tags, attributes) and new JavaScript APIs, both directly from the W3C/WHATWG HTML5 specifications, and within other standards documents. But what does that mean from a web application security point of view? Which new attack vectors exist, and how can we protect our web sites from them? This session will feature markup that evades filters and APIs that allow developers - and attackers - to do more than ever before.
Security La sécurité d'une application est en constante évolution. Un jour, elle peut être considérée comme sécuritaire alors de lendemain elle ne l'est plus. Comment est-ce possible? Tous les jours, des vulnérabilités sont découvertes dans des composants dont vos applications dépendent. Il existe des outils pour supporter des activités comme la revue de code ainsi que la revue des dépendances. Cette présentation fera un survol de ces outils.
Security Everybody has been creating Single Page Apps lately. They look neat and fast. Handling authentication in an SPA can be tricky though: Cookies, Tokens, Right to access URLs and Resources. Which one is better? In this talk, I explore all these options: pros and cons. We’ll use AngularJS as an example but the concepts apply to any other client technology like Ember.js or vanilla JS.
Security OAuth 2.0 is an open authentication and authorization protocol which enables applications to access each others data. This talk will presents how to implement the OAuth2 definitions to secure RESTful resources developed using JAX-RS in the Java EE platform.
Security It's pretty common for developers to go with the same kinds of authentication handling when they're creating their applications with permissions and groups. Unfortunately, as applications grow in side an interact with other systems, this kind of system sags under the weight of its own technical debt. Follow along with me as I talk about some alternatives to the typical RBAC authorization including attribute-based, multifactor, pattern-based and f
Security Secure development has become a necessary part of any development process, there’s no way around that. Protecting the various parts of your application (and users) is also becoming more complex. Writing the code is only half the battle - it still needs to be tested. What tests do you need to worry about, though? Join me as I walk you through the most recent version of the OWASP Testing Guide and guide you with a few recommendations of my own.
Security No week passes without another successful high-profile attack against a well-known website. The reason is not only that old vulnerabilities still exist, but also that bad guys came up with new approaches to mess with a web site. We will have a look at some recent events that made the news, and dissect what went wrong, and what we can do about it for our applications. You will see old attacks with a new twist, and modern ways to mess with a site.

Explore all 141 sessions

Montreal 2015 sponsored by