A list of my talks about security engineering, applied cryptography, security usability. Twitter, Medium.
I have a wide software engineering background, now I work on products and solutions at cryptographic solutions company Cossack Labs. We provide developers with tools for protection of sensitive data in apps and infrastructures, ranging from SaaS services and mobile apps to critical infrastructure / power grid operators and SCADA networks.
Aside from solutions, we do provide advisory and in-depth application security consulting, assisting developments on various stages of development with security review and improvement advice. Also me & my team conduct secure software development training for senior developers, architects and product managers.
- Open source tools:
Enjoy!
Conferences coming soon
(will the world ever be the same?)
In 2021 I am focusing on washing hands defensive security topics that are interesting for tech leads, CTO, solution architects. Security design and engineering, end-to-end encryption for distributed apps.
Email me if you want to invite me to speak at your conference :)
2020
Mobile app security roundtable with Anastasiia Voitova, Julia Potapenko and Julia Vashchenko
video |
---|
We're speaking about mobile app security, introduce security.plist, discuss security-related cases in developers life.
- Swift Heroes
online, 1 & 2 october 2020
Security track host at QCon Plus
#trackhost
Check Talks and Program: topics include OSINT, security bias, security in a time of insecurity.
- QCon Plus
online, november 2020
Program committee chair at NoNameCon 2020
#trackhost
Check Youtube Talks: topics include PQ cryptography, security engineering, privilege escalation, IoT hacking, country-wide cybersecurity, interview with Bruce Schneier.
- NoNameCon
online, september 2020
Crypto AMA with me, Ruslan Kiyanchuk and Mark Carney
video |
---|
We're speaking about cryptography and answer questions:
- what is our favourite cipher and why it's base64
- is crypto a life-style?
- is it okay to be into crypto without having crypto background
- how to select proper TLS suite
- post-quantum crypto: should we care?
- crypto-coding mistakes we've seen
- regulations, e2ee, lattice, and all the things
Presented at:
- OPCDE
online, 29 July 2020
Use Cryptography; Donโt Learn It
#security #crypto
video |
---|
Weโll talk about โboring cryptoโ: why developers shouldnโt spend time learning all the details of crypto-algorithms (or invent new ones). How to avoid typical crypto-mistakes when all you need is to protect data at rest or in motion. There are enough ready-to-use cryptographic libraries and tools for everyone.
Presented at:
- OWASP Chapters All Day
online, 7 June 2020
Security track host at QCon London
Check it out: topics include security risk management, balancing security and performance, SSDLC, devsecops and post-quatum crypto.
2019
Security track host at QCon SF
#trackhost
Check it out: topics include security architecture, security engineering, cryptography, organizational security.
Maintaining cryptographic library for 12 languages
#security #software-architecture #cryptography
slides | video |
---|
This talk is useful for people that believe that perfect crypto lib is a C lib with 1-page readme :)
Maintaining cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and endless struggle to make developer-facing APIs easy-to-use and hard-to-misuse.
How to simplify complex crypto concepts into simple "encrypt(msg, key)" and "decrypt(data, key)" functions? How to provide unified API for 11 languages, when some of them are strongly-typed and another one is javascript? Secure by default: what design choices should be made to protect from misuse. Multi-platformness: how to make sure that message encrypted using Ruby on x64 Ubuntu 18.04 will be [successfully] decrypted on iOS12 on iPhone armv7s? Testing wildness: static analyzers, fuzzing, unit tests, integration tests. Docs: developers copy-paste from readme anyway, how to make sure that they copy-paste correct things.
I'll describe the 4yrs experience on maintaining multi-platform open source library Themis: from API design to language-specific hacks.
Presented at:
- BlackAlps
Yverdon-les-Bains, Switzerland, 7-8 November 2019
[Training] Security engineering: from encryption to software architecture patterns
Public training on security and cryptography engineering, conducted jointly with Jean-Philippe Aumasson in Lausanne, Switzerland, on Nov 4. Training aimed on software engineers and solution architects that work on distributed applications and security-related features.
Interested in conducting similar training for your team? Email me.
10 lines of encryption, 1500 lines of key management
#mobile #iosdev #encryption #e2ee #Bear
slides | blogpost | video (ru) | video (eng) |
---|
The real case about one large note taking the app, that decided to implement convenient note encryption and note locking for their existing user base. But finding a balance between usability, security and mobile platforms' restrictions is complicated.
We will start with the security design scheme, then select the proper encryption library, then implement the flow, and prepare for incidents. Now โ think about it โ cryptography is only chapter 3 in OWASP MASVS (8 chapters in general). Even the best cryptography will fail if basic security controls are badly implemented.
Points we will go through: the difference between "locking" and "encrypting", the difference between password and encryption key, how to sync passwords between devices, what exactly to store in keychain/keystore, how to use proper cryptography (AES CBC or AES GCM, random salt? IV? padding? what a hell is this mess), how to use biometrics (we donโt want to bother user, letโs use biometric keychain, but what if users will change their fingerprints โ shall we invalidate all passwords?), updating encryption version (imagine, vulnerability is discovered in our library or app โ how to update cipher, and softly migrate users to the new cipher, if users donโt even have a clue that encryption was versioned).
At the end, this is only one simple JIRA ticket "let's encrypt the notes" from the eyes of security software engineer :)
Presented at:
-
FrenchKit
Paris, France, 7-8 October 2019 -
RSConf
Minsk, Belarus, 9-11 August 2019 -
CocoaHeads Kyiv conference
Kyiv, Ukraine, 28 July 2019
Security, privacy and cryptography at WWDC19
#mobile #iosdev #encryption #privacy
slides | video coming soon | blog post | interview |
---|
Apple made many announcements on WWDC 2019 about cryptography, cybersecurity and privacy. Anastasiia highlighted important changes for developers โ including new CryptoKit framework, data privacy regulations, new app permissions.
Presented at:
- CocoaFriday Kyiv meetup
Kyiv, Ukraine, 14 June 2019
"Defense in depth": trench warfare principles for building secure distributed applications
#security #software-architecture #app-sec
slides | video (en) | video (ru) | blog post |
---|
It comes to no surprise, that any micro-services, any security controls you use to build applications โ will eventually be broken (or fail). Under certain pressure, some components will fail together.
The question is โ how do we build our systems in a way that security incidents won't happen even if some components fail. And the data leaks won't occur even if attacks are successful.
"Defense in depth" is a security engineering pattern, that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, we will model threats and risks for the modern distributed application, and improve it by building multiple lines of defence. We will overview high-level patterns and exact tools from the security engineering world and explain them to the modern web devs ;)
Presented at:
-
SwampUP
San Francisco, US, 17-19 June 2019 -
muCon
London, UK, 29-31 May 2019 -
InfoShare
Gdansk, Poland, 8-9 May 2019 -
JSFest Kyiv
Kyiv, Ukraine, 5-6 April 2019
Encryption intro for kids (13-17 yo)
slides (ukr) |
---|
I was co-organizing and speaking at CyberKids event during NoNameCon cyber security conference in Kyiv, Ukraine, 14-17 May. Kids learnt basics about encryption and did simple cipher-decipher exercises.
Read about in my LN post and NoNameCon site.
Presented at:
- NonameCon CyberKids
Kyiv, Ukraine, 14 May 2019
Secure Software Development: From Rookie to Hardcore in 90 Minutes [workshop] ๐
#key-management #workshop #mobile #cryptography
slides | github repo |
---|
OWASP SSDLC, how to select encryption library, what are common mistakes in implementing encryption around data. Key management techniques (storing user passwords, storing API keys).
The actionable to-do list of things you might want to improve in your apps, deepen your understanding of the landscape of cybersecurity, a set of resources to read/dive next to make your apps even more secure.
Workshoped at:
- iOSCon London
London, UK, 21 March 2019
2018
Secure Development Is Dead, Long Live Secure Development
Essay for De Programmatica Ipsum magazine about secure software development and the mindset gap between the world of product makers and the world of security people.
Protecting sensitive data in modern multi-component systems
#security #software-architecture #basic-sanity #product-engineering
slides | video |
---|
We will take a deep look into data lifecycle, risk, trust and how they affect security architecture, encryption, and key management techniques. We will illustrate typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk is to give general thinking framework and enough ideas about tools for senior engineers to plan their solutions securely, regarding sensitive data contained within.
Plan:
๐ซ how to build trust model for your app,
Presented at:
-
DevExperience 19
Iasi, Romania, 19 April 2019 -
Javazone 18
Oslo, Norway, 12-13 September 2018
Making Security Usable: Product Engineer Perspective
#security #usability #basic-sanity #product-engineering
slides | no video yet |
---|
This is a story of going through typical security challenges: how to build products that reliably deliver security guarantees, avoid typical pitfalls, and are usable in a predictable fashion by real users. It's a tale of balancing religious adherence to security practices with keeping customer's needs in mind at all time inside the development team; listening to the customers and observing actual behavior outside in the wild; and trying to make the best decisions to empower customers with easy tools for encrypting data in their apps securely and without pain.
We'll take a look at the process through the eyes of one of our customers, who made all the things wrong before doing things right, and through the eyes of product engineer, responsible for learning the lessons to make security products even more usable and reliable for non-security-focused engineers.
Key takeaways:
Attendees will go through several stages of inception and implementation of database encryption/intrusion detection tools. They will see the "behind the scenes" work inside a cryptographic engineering company, will see how customers are one of the most useful people to learn from, and how getting over "we tell you what to do" mentality makes security tools better.
Presented at:
- QConNYC 18
New York City, USA, 27-29 June 2018
๐
Zero Knowledge Architecture Approach for Mobile Developers [workshop] #security #workshop #mobile #cryptography #symm-encryption #asymm-encryption
github repo |
---|
Zero knowledge algorithms and protocols ensure that no keys, passwords, files, or any other sensitive material ever gets transferred in an unencrypted or reversible form. There is no point in time when encryption keys or unencrypted files are visible to the servers or service administrators.
We took simple iOS application (Firebase notes app) and implemented two encryption schemes to illustrate how easy it is to protect data even for apps that use BaaS.
Plan:
- Learn about ZKA
- Familiarize with Firebase notes application
- Protect own notes (E2EE)
- Share notes to other users
- Improve security in general (protect keys, improve login flow, hide screenshots, obfuscate code etc)
Workshoped at:
-
Special workshop for Women Who Code Kyiv
Kyiv, Ukraine, 30 August 2018 -
The Swift Aveiro
Aveiro, Portugal, 21-22 June 2018
X Things you Need to Know before Implementing Cryptography
#mobile #security #basic-sanity
slides | video from UIKonf | video from mDevTalk | video from CocoaHeads [ru] |
---|
Before we get deep into protocols vulnerabilities: things you should remember designing your app flow from a security point of view.
This talk will focus on copybook headings of infosec: what you need to know before exciting stuff like cryptography and AI-assisted incident detection. Like, choice of data you show in the background mode, choice of 3rd party SDKs, which logs we send and where...
Even when developers create apps with security in minds, protect user secrets, and donโt reveal unencrypted data, attackers can find ways to bypass these security measures by exploiting architectural weaknesses and unobvious, yet very simple vulnerabilities. We will talk about all the tiny bits and pieces are necessary to make your app secure against simple attacks way before focusing on the hard things (like crypto).
- Handling user secrets with care (showing, storing, logging).
- Input validation and password rules.
- Handling transport connection.
- And some tips and tricks that will confuse attackers.
Presented at:
-
CocoaHeads Kyiv #14
Kyiv, Ukraine, 6 October 2018 -
mDevTalk 18
Prague Czech Republic, 24 May 2018 -
UIKonf 18
Berlin, Germany, 13-16 May 2018
Encryption Without Magic, Risk Management Without Pain
#security #crypto #databases #notmobile #trust #infrastructures #separation-of-duties #echelonization
slides | video from QCon | video from Security BSides [ru] |
---|
In-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controlled attack surfaces, enables managing the risk efficiently and elegantly, how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling sensitive data.
- What is attack surface, how cryptography helps to narrow it.
- Simple crypto-systems, but significant downsides.
- Middleware-side encryption: protecting data in web-based infrastructures.
- Client-side encryption: trust to mobile apps and code execution. E2EE. ZKA. ZKP.
- Echelonization, and traditional techniques.
Presented at:
-
QCon London 18
London, UK, 5-7 March 2018 -
Security BSides Ukraine
Kyiv, Ukraine, 21 April 2018 -
Codemotion Milan
Milan, Italy, 29-30 November
2017
Donโt waste time on learning cryptography: better use it properly
#security #crypto
slides | video (ru) |
---|
Crypto in our lives: why you shouldnโt spend time learning all the details of the crypto-algorithms. Typical mistakes you make using crypto in your products. How to avoid late night commits, but to code 'fast and boring' instead.
- The typical engineering workflow "we should protect the data, what shall we do", and possible mistakes.
- What is "boring crypto", what do we want from using crypto-products.
- Possible solutions: HSM / TPM / software crypto.
- How to select appropriate software crypto: libs, systems, containers.
- We want crypto to be similar to the Edison lamp: controllable and boring system.
Presented at:
-
Swift and Fika
Stockholm, Sweden, 10 September 2018 -
Devexperience.ro
Iasi, Romania, 23 April 2018 -
OWASP Kyiv Meetup Winter 17
Kyiv, Ukraine, 2 December 2017
Blockchain solutions: the balance of safety and efficiency, or just a trend?
#security #blockchain
slides | video (ru) |
---|
The security engineer's job is to choose the appropriate solutions for the problems and to apply them. Discussing blockchain regarding cryptography is rather boring: it is simple, and even some assumptions in high-level protocols do not cause protests.
I will talk about the other side - where blockchain looks like an optimal strategy, where it causes questions. We will walk through the risk&threats models, trust, and guarantees, to the experience of using blockchain in the real project (and what happened next).
Presented at:
- UA.SC 17
Kyiv, Ukraine, 18 October 2017
๐
Zero Knowledge Architectures for mobile Applications #security #mobile #zkp #zka
slides | Mobiconf video | |DevFest Baltics video](https://www.youtube.com/watch?v=O-PnVVCc5fY) ---- | --- | --- |
With intensifying threat access, snooping governments and insecure-internet-of-everything, the importance of zero-knowledge application architectures and end-to-end trust, for things more complicated than simple messaging, becomes more and more obvious for the app developers.
We will talk about real-world problems that ZKA fights against, learn typical cryptographic designs and progress in different spheres of ZKA. We will find out how to make data sharing, user collaboration on data in the cloud with your app provably secure.
Presented at:
-
DevFest Baltics 17
Riga, Latvia, 17 November 2017 -
SE Conf 17
Kyiv, Ukraine, 27-29 October 2017 -
MobiConf 17
Krakow, Poland, 5-6 October 2017
Build it, not just solve it! ๐
#ux #productdev #mobile #design
slides | video |
---|
This is a story from a designer @anatinge and a developer who worked together and built a product for people who really need it. It's all about working in a tight collaboration, conducting user research and user interviews, sharing tip & tricks about team working.
Presented at:
- ADDC 2017
Barcelona, 22-23 June 2017
๐
Keys from the castle: ancient art of managing keys and trust #security #keys #mobile #trust
slides | AppBuilders video | CraftConf video |
---|
We will talk about building trust. Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. We will talk about what should you trust, how to establish and verify trust, how to share trustedly among different users. We will discuss technical aspects: key exchange, key trust, key derivation, channel trust, multi-factor authentications. I will try to make the audience understand how this huge universe of tools and algorithms serves just one purpose: letting the right guys in, keeping the wrong guys outside our magical castle. And fairies there should be!
>>> Read more in Medium post <<<
Presented at:
-
Mobile Optimized
Minsk, Belarus, July 14-15 2017 -
CraftConf 17
Budapest, Hungary, April 25-28, 2017 -
AppBuilders 17
Lausanne, Switzerland, April 24-25 2017
๐ฑ
App security for kittens #security #mobile #kittens
no slides | no video |
---|
Summary talk for the newbies in security field.
Mobile platforms present both new threats and new opportunities for system security. This presentation will deal with modern approaches: how to protect data, which trusted relationships emerge with mobile phone, how they affect traditional security layouts. I will tell you how mobile phones dictate important client-server relationships.
Based on my other talks.
Presented at:
-
Tech meetup on Cactus Hackathon
Kyiv, Ukraine, May 2017 -
Women Who Code Kyiv meetup
Kyiv, Ukraine, March 2017
2016
๐
Swift and Security [workshop] #security #workshop #mobile #ssl
slides | no video | github repo |
---|
The idea was to share some knowledges about making more secure apps. We talked about:
- why SSL is not enough
- strategies to implement SSL pinning
- how to understand basic risks and threats of common mobile client-server infrastructure
- protection methods against those threats
- what is symmetric encryption; why we need it. where to store data and key.
- what is transfer encryption; when we need it.
Presented at:
- The Swift Alps
Crans-Montana, Switzerland, 10-11 Nov 2016
๐ฅ
Building user-centric security model in iOS applications #security #keys #mobile #trust
slides | EatDog video, 1h (ru) | MobiConf video, 40m (eng) |
---|
We will talk about building security, that does not fail when application keys are exposed; when servers are hacked; security that lasts as long as unique user's crypto keys (or passwords) are safe. Putting secrets known by the user to be a source of trust is the ultimate way for an app to become "thin" in relation to the security model, thus lowering the risks and developer pain. We will learn about thin transparent security layers system and its applicability in client-server systems.
>>> Check for transcript and video on Realm (25m) <<<
Presented at:
-
MobiConf
Krakow, Poland, 6-8 Oct 2016 -
NSBarcelona
Barcelona, Spain, 21 Sept 2016 -
NSSpain
Logrono, Spain, 14-15 Sept 2016 -
try!swift
NYC, USA, 1-2 Sept 2016 -
EatDog
Kharkov, Ukraine, 18 August 2016
๐ฉ
Multiskilled dev teams: unlock your hidden powers #teammanagement #development
slides | UMT video (ru) |
---|
Everyone is talking about developers' specialization. 'Know you niche'. We have separate conferences for every dev area now: mobile, cloud, big data, iOT. In order to build a modern multiplatform mobile app you need to work with separate iOS and Android dev teams, separate backend dev team, designers and managers. Doesn't look too much?
I'll talk about another way of organization: multiskilled dev team, experience and benefits.
Presented at:
-
AgilePizza #49 meetup
Kyiv, Ukraine, 26 July 2016 -
UaMobiTech
Dnipro, Ukraine, 18-19 July 2016
๐ก
Upgrading approaches to the secure mobile architectures #security #trust #mobile #ZKP #KDF
slides | CocoaHeads Video (ru) |
---|
Mobile platforms present both new threats and new opportunities for system security. This presentation deals with modern approaches: how to protect data, which trust relationships emerge with mobile phone, how they affect traditional security layouts. How mobile phones dictate important client-server relationships.
But, whatโs more important, we talk about making these things a consistent system: how to think to pick the right tools, which architectural patterns enforce security and minimize risks by design. We learn about ideas of echelonized defence, compartmentation and risk control. We finish with understanding where we stand right now: in security landscape that is rapidly changing, and mobileโs role in it is both dangerous and very important.
>>> Read more in Medium post <<<
Presented at:
-
AppBuilders 16
Zurich, Switzerland, 25-26 Apr 2016 -
CocoaHeads Kyiv #9
Kyiv, Ukraine, June 2016
๐ not โ๏ธ
Working with designs: make #teammanagement #development #design #mobile
slides | video (ru) |
---|
As the developer, I donโt want to be frustrated when I need to convert designs into assets.
We will talk about:
- lots of tools and ways how to save own time
- how to communicate with designer, and
- if itโs okay to change designs on our own
Presented at:
- ITSubbota meetup
Kyiv, Ukraine, May 2016
2015
Avoiding damage, shame and regrets: data protection for mobile client-server architectures ๐ช
#security #trust #mobile #architecture
slides | Do iOS video (eng) |
---|
- communication with server: security, reliability, ease of use, choose two
- applied cryptography: should you manually configure CommonCrypto or ...?
- practical example: protecting network transport without breaking the app
- storage security: how to prevent anyone reading your secret chat messages
>>> Read more in Medium post <<<
Presented at:
-
CocoaHeads Kyiv
Kyiv, Ukraine, December 2015 -
CocoaConfBy
Minsk, Belarus, December 2015 -
do{iOS}
Amsterdam, Netherlands, November 2015
๐
Data transfer security for mobile apps: what the fish doesnโt notice in the ocean? #security #mobile #architecture
slides | no video |
---|
- Wise fish knows there ainโt enough talks about security
- Communication with server: security, reliability, ease of use, choose two
- Applied cryptography: should you manually configure CommonCrypto or โฆ?
- Network security is piranha in risk and ruff in implementation
- Practical example: protecting network transport without breaking app
Presented at:
- Lviv Mobile Dev Day
Lviv, Ukraine, October 2015
Building profanity filters on mobile: clbuttic sh!t
#mobile #development #nlp
slides | no video |
---|
Short story about building app with profanity text filter inside.
- profanity filters: why we need them in mobile at all?
- handle tricky cases: what is wrong with word 'classic'
- how to filter fast (strings vs sets)
- gentle filtering not to scare users
Presented at:
- ITSubbota meetup
Kyiv, Ukraine, September 2015
๐ฑ
Users' data security in iOS applications #security #mobile #usersdata #commoncrypto
slides | video (ru) |
---|
-
Why should we think about security at all.
-
How to protect the users' data. Why shouldn't we store passwords. Encrypt database: it is necessary or too lazy to do that?
-
How to transfer data to the server in a safe way. What is MitM attack?
-
What is password protection? Why snapshots and pasteboard are dangerous?
Presented at:
- WebCamp
Odessa, Ukraine, July 2015
โ๏ธ
Backend without code. Parse.com: myth and reality #backend #mobile #parse #development
slides | video (ru) |
---|
- How many developers are needed to write client-server mobile app? Fun and easy: set up a new app with Parse.com.
- Feeling confident enough to use own server? Check migration issues.
- Own experience: limitations and best practices
>>> Read more in Medium post <<<
Presented at:
- Stanfy MadCode Meetup #5
Kyiv, Ukraine, April 2015
๐
Health psycho atmosphere in dev life #teammanagement #development #mobile
slides | no video |
---|
Nice and useful things to do if you feel too lazy to write code today.
Presented at:
- ITSubbota meetup
Kyiv, Ukraine, April 2015
2014
๐
Making friends with backend developers #teammanagement #development #backend #mobile
slides | no video |
---|
This MadCode Webinar was dedicated to the effective interactions between mobile and backend developers to find the ways of productive communications with the latter not spending their time on finding who made errors, but rather building great products together.
>>> Read more in Medium post <<<
Presented at:
- Stanfy MadCode Meetup #1
Kyiv, Ukraine, November 2014