Publication date: May 16, 2019

PHDays 9 features a secure development section

At Positive Hack Days 9, a section supported by the Positive Development User Group community will be open for two days. Participants can attend 12 presentations on secure development. The first half of each day will contain technical reports, the second half will contain those on business processes.

May 21

Vladimir Kochetkov and Valery Pushkar (Positive Technologies) will share their experience of developing an efficient static analyzer of JavaScript code, and will demonstrate how the analyzer works, using tough examples.

Sergey Khrenov (PVS-Studio) will talk about SAST, CWE, CVE, SEI CERT, DevSecOps, and will explain programming standards that help to create reliable applications.

Mikhail Shcherbakov (KTH Royal Institute of Technology, Sweden) will make a presentation on deserialization vulnerabilities in .NET. Participants will also learn which .NET serializers are vulnerable, which tools can be used to search for vulnerabilities, and which payloads are known for .NET applications.

Alexander Chernov (Moscow State University) and Ekaterina Troshina (Higher School of Economics) will talk about consistently cultivating secure development from the very start of training. They will formulate goals and objectives of secure development training, using the basic course of low-level coding and operating systems as an example.

The presentation of Sergey Gorokhov (EPAM Systems) will explain how to bring software to compliance with GDPR, and what to do if the client wants "a GDPR-compliant product."

May 22

Pressing security issues of Android applications will be discussed by Dmitry Tereshin and Nikolay Islamov (Tinkoff Bank). They will point out the causes of vulnerabilities in Android apps that were not sufficiently covered by OWASP guidelines.

Alexey Dremin, an independent expert, will make a presentation on establishing a pipeline of continuous application security checks. He will explain when the pipeline must be launched, which integrations with CI/CD are required and how they are to be done, and where to save and process the results.

Vladimir Sadovsky (M.Video) will talk about establishing a secure programming process. He will cover architectural design, automated tests, identification of business logic errors, and bug bounty.

Alexey Ryzhkov (EPAM Systems) will draw upon EPAM experience of establishing the process of security impact analysis of every feature.

Sergey Prilutsky (MixBytes) will discuss automatic security audit of smart contracts. He will explain the peculiarities of executable code of smart contracts and analyzers for them, using Ethereum Virtual Machine as an example. He will also discuss vectors of attack on smart contracts and capabilities of their automatic detection.

The presentation of Vitaly Katunin (EPAM Systems) covers security risk assessment. Participants will learn how to make risk assessment transparent for all stakeholders and how to achieve backward compatibility of threats and security requirements.

Anton Basharin (Swordfish Security) will share his experience of automating AppSec processes, collecting metrics, visualizing and analyzing them.

How to join the section

Tickets are traditionally free for members of the PDUG community, but their number is limited to 100. To get your ticket, apply and wait for confirmation. Please indicate your real name, or the organizing committee will have to reject your application. After your registration is confirmed, you will receive your invite in an email. Registration closes on May 17.

You can watch videos from previous PDUG sections on our YouTube channel:
