SecAppDev 2019: Day 2

With not much sleep I traveled to Leuven again. The usual traffic jam, but nothing too bad, so I arrived on time.

In the coffee corner I saw Philippe De Ryck. He had read my recap of day 1 and insisted that I deliver a blog post each night about that day's sessions. So that leaves me no choice but to write this post. If you read this, Philippe, I'm just kidding of course ;-).

The first session of the day was given by Andrew Lee-Thorp. In his talk he highlighted several vulnerabilities and security issues in Android WebViews.

Android WebView is embedded in many internet-enabled apps. During the session it became clear that it's really not easy to secure Android apps that use WebViews. Embedding a WebView carries the problems of the web security model into the app, and even creates new problems of its own.

After the coffee break it was time for Philippe De Ryck's talk titled "Introduction to OAuth 2.0 and OpenID Connect". Not an easy topic to grasp, but very well explained.

The fact that the different OAuth 2.0 flows were discussed from both the client and the resource server perspective certainly helped understanding. The talk ended with a short introduction to OpenID Connect.

After a nice lunch (again!), I went to Jim Fenton's talk "Authentication beyond passwords". It was in a conference room in the other wing of the building. Very nice view on the way to the conference room, by the way.

Jim Fenton's talk was about different ways of implementing authentication. Each mechanism has its strengths and weaknesses (i.e. the threats it cannot address). It's only by being aware of this that we can build the best possible authentication solution for our applications.

After another short coffee break, I attended Bart De Win's talk "Driving security with maturity models". It was a very hands-on session in which we completed part of a security maturity assessment based on the OWASP SAMM project. This maturity model looked very promising, certainly worth checking out!

Another great, educational day, but I'm really exhausted now. Tomorrow night more about day 3. Stay tuned!

Read more about SecAppDev 2019 day 1 here.

Read more about SecAppDev 2019 day 3 here.

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life