
Wesley Cabus
Coding Architect, Coffee Enthusiast
Antwerpen, Belgium
Wesley is a Coding Architect at Xpirit in Belgium, where he helps organizations to build better applications, helps teams to improve their skills and organizes workshops to share his knowledge.
He's also a Microsoft Azure MVP, crew member at Techorama, board member of the VISUG meetup in Belgium and speaker at conferences and meetups.
Topics
Preparing web applications for security assessments
At some point, your web applications will be submitted to a pen-test or security assessment, where a team of security engineers will poke at your API and Web Apps to see if they can get different results than expected.
In this workshop, we're going to harden our API and Web application by addressing a lot of common risks:
- fingerprinting
- proper use of cookies
- adding several security-related HTTP headers
- checking our dependencies for vulnerabilities
We'll be using .NET mostly but the concepts will apply to Java, React, Angular and other frameworks as well.
Emulating a Game Boy in .NET 6
In 1989, Nintendo released their first handheld console with cartridges, the Game Boy, which sold over 100 million units. This device has been the inspiration for game developers around the world to start creating games, and even today, games are still being created for the Game Boy, although not officially on cartridges.
Enter the world of emulation, where the Game Boy is now available as a .NET 6 project. Want to know more about how to emulate a CPU, graphical unit, hardware interrupts and more? Let's dive into C# code and dusty hardware manuals on this journey back to our favorite Italian plumber.
Don't Panic! Security's here to assess your project.
You and your team have been working on some web apps and APIs for a few sprints now, and you may or may not already have a version running in production, when out of the blue, the client announces that a security company will do an assessment of your project. If your initial reaction to this news is either being scared or concerned, you're probably right. And you should probably attend this session.
During this session, I'll explain what is typically going to happen during a security assessment, and show you how to prepare before the assessment happens: with code to apply security headers or tighten down attack vectors, and with a threat model to quickly identify how fast a project gains vulnerabilities. Not to scare you even more, but to help you get the overview and identify where you can easily achieve some quick yet safe wins.
Beyond the basics: Building a feature-rich OpenID Connect Identity and Access Management Platform
In today's world, identity and access management (IAM in short) is critical to protecting confidential data and applications. With the increasing adoption of cloud-based applications, building a scalable and secure identity and access management platform is a must for organizations of all sizes.
In this session, you'll learn about the journey of building an advanced IAM platform based on Duende IdentityServer. We'll discuss the standard capabilities of IdentityServer and explore how we extended it with features such as multi-factor authentication, home realm discovery, and user impersonation. You'll also learn about the best practices for building a resilient and secure platform, including strategies for handling scale and redundancy.
Whether you're just starting out with OpenID Connect or you're looking to take your identity and access management platform to the next level, this session is for you.
This session is not a sales pitch for Duende IdentityServer; I will also briefly mention what other options we considered and why the decision was made to go for Duende's solution. I might include live coding in this session, but that will depend on my timing.
Safety first! Low-level C# without the unsafe keyword
For a side project, I converted DooM from C to C#. Having to deal with strange file types, alternative ways of (re)allocating memory, data structures being passed around as void* pointers and the like, it's tempting to use unsafe code in C#. Turns out, that's not needed!
In this session, let's look at how C translates to modern C#, and how C# adds safeguards to avoid shooting yourself in the foot.