Making Applications Secure

Developing applications that are secure is becoming an essential part of the toolkit of any programmer, and project managers are increasingly tasked to ‘Make it more secure - we don’t want to be the next headline…’ In 2015, this has become a major priority for many people.

So if you want a week of immersive training in making mobile, web and other applications more secure, then I thoroughly recommend the SecAppDev conference. It’s an intense program of background lectures where you learn the theory, and hands-on workshops where you get to try it out for real. Even better, it’s set in a renovated 17th century university location 25 kilometers east of Brussels, arguably the epicentre of Europe, and easy to get to by train or plane. Leuven is a charming ‘student city’ venue, full of bikes and cobbled streets, and where you can walk to just about anywhere inside the ring-road in less than half an hour. And the cars on that outer ring aren’t allowed far into the central area, so apart from a few busses, students and bikes rule! There’s a very good overview of the history of Leuven here: https://www.cosic.esat.kuleuven.be/course/about_leuven.shtml

The SecAppDev conference is held in the Faculty Club, to the south of the centre of Leuven. http://www.facultyclub.be/en/ It’s a perfect mix of old exteriors and modern interiors, and whilst this is the Dutch/Flemish part of Belgium, the conference language is English. KU Leuven, the University of Leuven, founded in 1425, is the oldest Catholic University in the world.

Inside the conference, you step straight into the 21st century. The two-track program covers topics like post-Snowden, cryptography, TLS hands-on, SDL, Threat Modelling, and web/mobile hardening. I like following a topic and getting immersed, and so I went to the sessions where the introductory lecture covered the theory, and then the hands-on double-lecture provided a detailed hands-on workshop with plenty of opportunity to dig deep into the material. Pre-prepared VMs are used for some of the workshops, so that everyone has an isolated and common starting point, and I was particularly impressed with the TLS session, where you configured an Apache web server (on Fedora) from scratch so that HTTPS worked properly by using tools like mod_ssl and Open_SSL, replacing the default self-signed certificate with a trustable one from a CA using a CSR, generating a key-pair using Open-SSL… The Threat Modelling workshop was notable too, with teams competing to find flaws in a web system. The lecturers were all very familiar with their subject matter, and I learnt a lot.

If a day of intense learning wasn’t enough, the local chapter of OWASP had an evening event on the Tuesday night, which was an opportunity for more learning and networking. With the Computer Security and Industrial Cryptography (COSIC) research group and the Department of Electrical Engineering nearby, and the meeting being held in the Department of Computer Science, there was a large and informed audience.

There is a wealth of information on the SecAppDev website ( http://secappdev.org ), with handouts going back to 2007 (the first SecAppDev was in 2005, so this was the 11th conference!), video recordings of lectures before 2013, A YouTube channel for more recent videos ( https://www.youtube.com/channel/UCSii2fuiLLlGqaR6sR_y0rA ), and a blog which has an entry that describes the user experience in more detail: http://secappdev-org.blogspot.co.uk/2014/02/secappdev-2014-reflections-from-ido.html 

Secappdev.org is a non-profit organisation whose aim is to broaden security awareness in the development community and advance secure software engineering practices. For me, the week at SecAppDec 2015 taught me a lot, provided consistently excellent interactive workshops, good networking and follow-up opportunities, and was totally worthwhile. If you develop, or manage developers, or just want to be ‘security-savvy’, then you should be considering attending SecAppDev 2016!

Oh yes, and the food at the Faculty Club was wonderful!