GDPR: Get Da Protection Right

During this intensive training day, you will learn how to design, build and deploy GDPR-compliant applications. This training is created specifically for developers, with a strong focus on software security for frameworks like Java, PHP, ASP.NET MVC, Angular, ... using classic hosting or cloud solutions like Amazon Web Services or Azure.

Program

Time Training
09h00-09h30 About the GDPR act
What is GDPR and how can it impact your software development? Why is this important for developers and how can it be done without the legal mumbo-jumbo? We will discuss Personally Identifiable Information (PII): where it can be found, attacked, leaked, ... using some real-world examples.
09h30-10h45 OWASP Top 10
In this section we will have a look at the OWASP Top 10, including SQL injection, insecure direct object references (IDOR) and cross-site scripting (XSS).

We will not only look at typical web applications but extend this to Angular and APIs, because these entry points are often forgotten and can introduce serious security flaws that impact GDPR compliance and lead to data leakage.
10h45-11h00 Coffee break
11h00-12h30 OWASP Top 20
Besides the OWASP Top 10, the platform released the Top 20 of automated attacks at the beginning of 2018. This is an important milestone because it explains the different attacks that can be used to steal PII, like screen scraping, brute-force attacks, account takeover, .... We will take a look at the new additions and discuss every vulnerability and risk.
12h30-13h00 Lunch
13h00-14h30 Cryptography 101
Everybody will agree that cryptography is important for GDPR. During this session we will give a not-too-mathematical overview of encryption, hashing and how HTTPS works (covering standards such as AES, PBKDF2, SHA-256, ...), but also which typical attacks and flaws occur when using cryptography.

In addition, we will also discuss the different security headers that are needed and how you test your own web stack against these vulnerabilities.
14h30-15h30 OAuth, SAML and JWT
Because there are a lot of flaws and misunderstandings in implementing OAuth, SAML and JSON Web Tokens (JWT), it is important to have a full overview of the protocols, best practices and examples of bad implementations. Moreover, we will also dive into business logic flaws and IDOR vulnerabilities, and how to defend against exploits in your code at different layers: client-side JavaScript, front-end API, back-end server and database.
15h30-15h45 Coffee break
15h45-16h30 Privacy by Design & Privacy by Default
Using a threat modeling approach, we will design a threat model for a web application that stores PII. We will discuss the different threats and related security risks, and how to take countermeasures into account using the available technologies and best practices, such as database encryption. What is the ideal situation that remains workable and allows you to be GDPR compliant?
16h30-17h15 Securing non-compliant GDPR apps
How can you improve the GDPR compliance of legacy applications without rewriting the entire application? How can you implement breach notification? We will learn about Web Application Firewalls (WAF), Runtime Application Self-Protection (RASP), Security Information and Event Management (SIEM), and SecDevOps using vulnerability management and static analysis tools, ...
17h15-18h00 Blockchain and GDPR
We end the day by making the link between blockchain and GDPR. What is blockchain, and how can it help (or not help) with GDPR? This session gives a high-level overview of blockchain technology and how it can be used for GDPR compliance, covering the distributed ledger, smart contracts, transaction logging, ...