You are viewing content from a past/completed QCon

Track: Scaling Security, from Device to Cloud

Location: St James, 4th flr.

Day of week: Wednesday

Implementing an effective security strategy is vitally important, regardless of where you are deploying software applications. But in the security world, "nothing is really secure" and "everything will be broken".

The question is – how do we build our systems in a way that security incidents won't happen even if some components fail. Security engineers know that failure of single security control is a question of time, failure of security system is a question of design.

This track is about security architecture and engineering: how to build secure, yet usable, systems.

Track Host: Anastasiia Voitova

Head of Customer Solutions, Security Software Engineer @CossackLabs

Anastasiia is a software engineer with a wide background, she started her career as a mobile developer, then deepen into security engineering. Now she has focused on cryptography/applied security, she helps companies to build secure yet usable systems (oh yes, it takes efforts). Anastasiia maintains open-source cryptographic library Themis, conducts secure software development training, often speaks at international conferences, co-organizes cyber-security events and leads security chapter at WomenWhoCode Kyiv.

10:35am - 11:25am

Designing Secure Architectures the Modern Way, Regardless of Stack

This talk aims to attack two typical conflicts any security architect is well familiar with:

1. Most of the design thinking for preventing security incidents and performance bottlenecks focuses on avoiding known risks in a known way. However, most of the time this approach leads to cost-efficient systems that are prone to unexpected failures and attack chaining.
2. Most of risk treatment choices for both reliability and security focus on "this stack is able to do X in a certain way and no other way around": the capabilities within each technological stack to cope with risks it's facing is limited by pre-defined feature set.

The solution? Focusing on the risk assets, and designing defenses around asset lifecycle in a way that easily translates to any technological stack.

Eugene will share his experience of implementing sophisticated defenses in constrained environments - ranging from protecting huge power grid SCADA networks to improving end-to-end encryption in small mobile applications - and why designing it properly is what counts when limitations are constraining any easy answers one may find.

Eugene Pilyankevich, CTO @cossacklabs, Building Applied Cryptographic / Data Security Tooling

11:50am - 12:40pm

Reconciling Performance and Security in High Load Environments

Most perceive security fixes and improvements as a necessary evil, because security is much “less tangible” than primary product functionality in terms of potential revenue. On top of not bringing any “meaningful” value to the overall system, security comes at a cost of potential performance degradation, as it steals precious CPU cycles and memory from the overall resource pool.

Because of the above in a performance-driven environment product and infrastructure security are either heavily avoided altogether or forcibly imposed by security teams, excusing themselves with numerous legal and compliance requirements. The fear of potential performance penalty and the need to balance performance vs security often leads to insecure architectures and designs or unnecessary complexity.

All this usually makes the rest of the organisation dislike and distrust security in the long term. But what if we can show that security actually improves performance? This presentation explores how to drive security in a high performance environment and make it a welcome and natural part of the product lifecycle.

Ignat Korchagin, Cryptographer, & Security Software Engineer @Cloudflare

1:40pm - 2:30pm

Keep Calm and Secure Your CI/CD Pipeline

Shifting left significantly reduces costs and diminishes release delays. Continuous security validation should be added at each step from development through production to help ensure the application is always secure. We can then switch the conversation with the security team from approving each release to approving the CI/CD process and having the ability to monitor and audit the process at any time.

In this session, we’ll be focusing on work done with Pride in London (a project using Gatsby2, Contentful and Netlify) and showing you how to create a secure continuous integration/continuous deployment pipeline. You’ll learn how GitHub Marketplace helped the team automating and improving our workflow with different tools for accessibility, code coverage, code review, code quality, security and other functionalities (alerting with Slack). You’ll also find out what OWASP is and how to improve the workflow for your own open source projects using GitHub Marketplace applications.

Sonya Moisset, Lead Security Engineer @Photobox / Tech Lead @PrideInLondon

2:55pm - 3:45pm

Security Vulnerabilities Decomposition

In most companies security is driven by compliance regulations. The policies are designed to contain the CWEs each company is interested to comply with. The result of this approach is a high number of insecure applications are still produced and injection is still King. Is there another way to secure the software in a more developer friendly manner?

This presentation will look at security vulnerabilities from a different angle. We will decompose the vulnerabilities into the security controls that prevent them and developers are familiar with. We will flip the security from focusing on vulnerabilities (measured at the end) to focus on the security controls which can be used by developers from beginning in software development cycle.

Recommended to all developers looking to integrate security in their software applications.

Katy Anton, Principal Application Security Consultant @Veracode

4:10pm - 5:00pm

The Quantum Risk & Future Post-Quantum Standards

This talk will describe the risk of quantum computing to cryptography, in a way suitable to an audience without quantum physics nor cryptography background. We will present the mitigations available today thanks to research in the field of post-quantum cryptography, and we'll review the ongoing standardization efforts from the US agency NIST, and what it impies for security applications in the coming years.

Jean-Philippe Aumasson, Author of "Serious Cryptography", Designer of Hash Functions BLAKE3 and BLAKE2

Last Year's Tracks

Monday, 2 March

Next Generation Microservices: Building Distributed Systems the Right Way

Microservice-based applications are everywhere, but well-built distributed systems are not so common. Early adopters of microservices share their insights on how to design systems the right way.
Streaming Data Architectures

Today's systems process huge volumes of continuously changing data. Hear how the innovators in this space are designing systems and leveraging modern data stream processing platforms.
Driving Full Cycle Engineering Teams at Every Level

"Full cycle developers" is not just another catch phrase; it's about engineers taking ownership and delivering value, and doing so with the support of their entire organisation. Learn more from the pioneers.
When Things Go Wrong: GDPR, Ethics, & Politics

Privacy, confidentiality, safety and security: learning from the frontlines, from both good and bad experiences
JavaScript: Pushing the Client Beyond the Browser

JavaScript is not just the language of the web. Join this track to learn how the innovators are pushing the boundaries of this classic language and ecosystem
Modern CS in the Real World

Head back to academia to solve today's problems in software engineering.

Tuesday, 3 March

Architectures You've Always Wondered About

Hard-earned lessons from the names you know on scalability, reliability, security, and performance.
The Future of the API: REST, gRPC, GraphQL and More

The humble web-based API is evolving. This track provides the what, how, and why of future APIs.
Building High Performing Teams

There are many discussions outlining the secret sauce of high-performing teams. Learn how to balance the essential ingredients of high performing teams such as trust and delegation, as well as recognising the pitfalls and problems that will ruin any recipe.
Machine Learning: The Latest Innovations

AI and machine learning is more approachable than ever. Discover how ML, deep learning, and other modern approaches are being used in practice.
Bare Knuckle Performance

Crushing latency and getting the most out of your hardware.
Modern Compilation Targets

Learn about the innovation happening in the compilation target space. WebAssembly is only the tip of the iceberg.

Wednesday, 4 March

Growing Unicorns in the EU: Building, Leading and Scaling Financial Tech Start Ups

Learn how EU FinTech innovators have designed, built, and led both their technologies and organisations.
Kubernetes and Cloud Architectures

Learn about cloud native architectural approaches from the leading industry experts who have operated Kubernetes and FaaS at scale, and explore the associated modern DevOps practices.
Chaos and Resilience: Architecting for Success

Making systems resilient involves people and tech. Learn about strategies being used, from cognitive systems engineering to chaos engineering.
Leading Distributed Teams

Remote and distributed working are increasing in popularity, but many organisations underestimate the leadership challenges. Learn from those who are doing this effectively.
Scaling Security, from Device to Cloud

Implementing effective security is vitally important, regardless of where you are deploying software applications
Evolving Java

JVM futures, JIT directions and improvements to the runtimes stack is the theme of this year’s JVM track.

Schedule