Slides & talks

Talks and workshops

Members of the Cossack Labs team often participate in international security and development conferences as speakers, organise and co-organise local events, conduct public workshops and private trainings, and support communities (CocoaHeads, Women Who Code, OWASP Women in AppSec, NoNameCon).

You can read more in our blog, facebook or twitter. Below you can find a collection of video recaps and speaker slides from such events.

June 2019

Security, privacy and cryptography at WWDC19

Anastasiia Voitova @ CocoaHeads Ukraine

mobile iOS dev security engineering

Apple made many announcements at WWDC 2019 about cryptography, cybersecurity and privacy. Anastasiia highlighted the important changes for developers, including the new CryptoKit framework, data privacy regulations, and new app permissions.

Learn More: slides blog post interview

May 2019

Search over encrypted records: from academic dreams to production-ready tool

Artem Storozhuk @ NoNameCon

Acra secure search search over encrypted records encryption product engineering

Search over encrypted data is a modern cryptographic engineering problem. We talk about existing approaches (both well-known and recent) and concentrate on a practical solution based on the blind index technique for searching data in databases. What’s inside: cryptographic and functional schemes, implementation details, practical security evaluation (risk modelling and potential attacks). We show how theoretical models turn into real, usable, maintainable security tools. Search over encrypted records is part of the Acra encryption proxy.

Learn More: video [ru] slides
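To make the blind index idea concrete, here is an added worked example (written for this page, not Acra's secure search code or data format): a keyed hash of the normalised plaintext is stored next to the ciphertext, equality search runs on the hash column, and the client filters out truncation collisions after decryption. The store, column names, key-derivation labels and the HMAC-keystream "cipher" are all assumptions made for the demo; the cipher in particular is a placeholder so the example runs on the standard library and provides no integrity.

```python
"""Blind-index search over encrypted records (added illustration, not Acra's code)."""
import hashlib
import hmac
import os
import unicodedata
from collections import Counter

NONCE_LEN = 16   # bytes of random nonce prepended to each ciphertext
INDEX_LEN = 8    # bytes of the keyed hash stored in the index column


def derive_key(master_key: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkey, so the index key cannot decrypt anything."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def normalize(value: str) -> str:
    """Equality search needs one canonical form: NFKC, trimmed, case-folded."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def blind_index(index_key: bytes, value: str) -> bytes:
    """Keyed hash of the normalised plaintext, truncated to INDEX_LEN bytes.

    Truncation makes unrelated values collide occasionally on purpose: the
    client drops those candidates after decryption, and a short tag tells the
    database less about the underlying values than a full digest would.
    """
    tag = hmac.new(index_key, normalize(value).encode("utf-8"), hashlib.sha256).digest()
    return tag[:INDEX_LEN]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-based keystream standing in for a real AEAD so the demo runs on
    the standard library alone. It provides no integrity; do not reuse it."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(enc_key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _keystream_xor(enc_key, nonce, plaintext.encode("utf-8"))


def decrypt(enc_key: bytes, blob: bytes) -> str:
    return _keystream_xor(enc_key, blob[:NONCE_LEN], blob[NONCE_LEN:]).decode("utf-8")


class EncryptedStore:
    """Stands in for a table (id, email_ct, email_idx). The store only ever holds
    ciphertexts and index tags; the application side holds the keys."""

    def __init__(self, master_key: bytes):
        self.enc_key = derive_key(master_key, b"email-encryption")
        self.idx_key = derive_key(master_key, b"email-blind-index")
        self.rows = []

    def insert(self, row_id: int, email: str) -> None:
        self.rows.append({
            "id": row_id,
            "email_ct": encrypt(self.enc_key, email),
            "email_idx": blind_index(self.idx_key, email),
        })

    def search(self, email: str) -> list:
        """Equivalent of SELECT ... WHERE email_idx = ?, then a client-side check
        that weeds out truncation collisions."""
        tag = blind_index(self.idx_key, email)
        candidates = [r for r in self.rows if r["email_idx"] == tag]   # database side
        wanted = normalize(email)
        return [r["id"] for r in candidates                             # client side
                if normalize(decrypt(self.enc_key, r["email_ct"])) == wanted]

    def index_histogram(self) -> Counter:
        """What the database (or whoever dumps it) can see: equal plaintexts give
        equal tags, so value frequencies leak even though the values do not."""
        return Counter(r["email_idx"] for r in self.rows)
```

The security evaluation the talk mentions starts from `index_histogram()`: the index reveals which rows share a value and how common each value is, which is why the scheme only supports equality search and why the index key must be separate from the encryption key.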

April-June 2019

"Defense in depth": trench warfare principles for building secure distributed applications

Anastasiia Voitova @ muCon London

defense in depth Acra web security engineering security architecture security patterns

"Defense in depth" is a security engineering pattern that suggests building an independent set of security controls, each mitigating further risks even after an attacker has crossed the outer perimeter. During the talk, Anastasiia modelled threats and risks for a modern distributed application and improved it by building multiple lines of defence. She gave an overview of high-level patterns and the concrete tools for building defense in depth into your distributed web applications.

Learn More: slides video from muCon blog post

March 2019

Secure Software Development: From Rookie to Hardcore in 90 Minutes [workshop]

Anastasiia Voitova @ iOSCon London

mobile iOS dev encryption key management workshop

A workshop for iOS developers that illustrates the typical mistakes they make when trying to build security into their apps. Anastasiia presented an actionable to-do list of things developers might want to improve in their apps and a set of key management techniques for mobile apps.

Learn More: workshop repo slides

Feb 2019

Building SQL firewall: insights from developers

Artem Storozhuk @ OWASP Kyiv

Acra SQL firewall SQL injections encryption security architecture product engineering

How SQL firewalls can help protect databases from SQL injections: the main differences from web application firewalls (WAFs), common usage scenarios, pros, and cons. We implemented an SQL firewall as part of the Acra data encryption proxy, and we share insights about our security and development decisions. Expect a story about parsing SQL protocols, matching rules, the hidden dangers of logging, and the best configuration and usage patterns.

Learn More: video [ru] slides blog post
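As an added illustration of the three themes above (matching rules against parsed queries, the difference from a WAF's string matching, and the logging trap), here is a small deny-by-default SQL firewall. It is example code written for this page, not AcraCensor's implementation, and the rule format (an allowlist of query shapes with `?` in place of literals), the tokenizer and the decision object are assumptions of the example.

```python
"""Allowlist SQL firewall: query-shape matching and literal-free logging
(added illustration, not AcraCensor's implementation or rule format)."""
import re
from dataclasses import dataclass

# Minimal tokenizer: enough SQL lexing to separate literals, comments,
# identifiers/keywords and punctuation. A real firewall uses a full parser.
_TOKEN = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<punct>[^\sA-Za-z0-9_'])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "union", "all", "insert",
    "into", "values", "update", "set", "delete", "join", "on", "order", "by",
    "group", "limit", "like", "in", "is", "null", "drop", "table", "exists", "as",
}


def tokenize(sql: str) -> list:
    """Return (kind, text) pairs; raise ValueError on input the lexer cannot
    place, e.g. an unterminated string literal."""
    pos, tokens = 0, []
    while pos < len(sql):
        m = _TOKEN.match(sql, pos)
        if m is None:
            raise ValueError(f"cannot tokenize at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


def shape(tokens: list) -> str:
    """Normalised query shape: literals become '?', keywords upper-case,
    identifiers lower-case. This is what rules are matched against."""
    parts = []
    for kind, text in tokens:
        if kind in ("string", "number"):
            parts.append("?")
        elif kind == "word":
            parts.append(text.upper() if text.lower() in KEYWORDS else text.lower())
        else:
            parts.append(text)
    return " ".join(parts)


def _analyse(sql: str):
    tokens = tokenize(sql)
    has_comment = any(kind == "comment" for kind, _ in tokens)
    body = [t for t in tokens if t[0] != "comment"]
    if body and body[-1] == ("punct", ";"):
        body.pop()                      # a single trailing ';' is harmless
    stacked = ("punct", ";") in body    # any other ';' means a second statement
    return shape(body), has_comment, stacked


@dataclass
class Decision:
    allowed: bool
    reason: str
    shape: str

    def log_line(self) -> str:
        """Log the shape, never the raw query: the literals are where the
        sensitive values (and the injection payloads) live."""
        verdict = "ALLOW" if self.allowed else "DENY"
        return f"{verdict} reason={self.reason!r} shape={self.shape!r}"


class SqlFirewall:
    """Deny-by-default: a query passes only if its shape is on the allowlist
    and it carries no comments or stacked statements."""

    def __init__(self, allowed_queries):
        self.allowed = {_analyse(q)[0] for q in allowed_queries}

    def check(self, sql: str) -> Decision:
        try:
            shp, has_comment, stacked = _analyse(sql)
        except ValueError as exc:
            return Decision(False, f"unparseable query ({exc})", "")
        if has_comment:
            return Decision(False, "comment in query", shp)
        if stacked:
            return Decision(False, "stacked statements", shp)
        if shp not in self.allowed:
            return Decision(False, "shape not in allowlist", shp)
        return Decision(True, "matched allowlist", shp)
```

The shape comparison is what separates this from a WAF: `id = 42 OR 1=1` is not blocked because a signature recognises `OR 1=1`, but because its shape `... WHERE id = ? OR ? = ?` is not a query the application was declared to send. `Decision.log_line()` shows the logging caveat from the talk: the audit trail records the shape and verdict, so a denied injection attempt or an allowed lookup never copies customer data or attacker payloads into the log.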

Feb 2019

Teach your application eloquence. Logs, metrics, traces.

Dmytro Shapovalov @ RubyMeditation 26

web Acra DevSecOps logging, monitoring, tracing

Most modern applications live in close cooperation with each other. Dmytro spoke about ways to use modern techniques effectively for monitoring the health of applications. Being an infrastructure engineer, Dmytro explained the typical mistakes developers make when implementing monitoring and suggested a couple of approaches and tools that can help.

Learn More: video [ru] slides blog post

08 Dec 2018

Data encryption for Ruby web applications

Dmytro Shapovalov @ RubyMeditation 25

ruby web Acra encryption

Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. Dmytro talked about typical data security problems in web apps and about proper implementation of encryption. Dmytro reviewed the cryptographic approaches and the exact tools that ensure that no sensitive data leaks from the application or the database.

Learn More: video [ru] slides

Dec 2018

Cryptography & data security: protecting the data while reducing cost in distributed systems

Eugene Pilyankevich @ SecurityBSides Kharkiv

security for senior managers cryptography to reduce costs distributed apps enterprise security

Using cryptography for data protection is not exclusively reserved for “secure chats” and financial products. Modern cryptographic tools help to comply with the regulations and laws, help to improve control over the infrastructure, to prevent data leakages, and to reduce the risk of incidents. Eugene talked about the way modern cryptographic tools allow technology companies to reduce the security budget and to remain protected at the same time.

Dec 2018

Disagree with "I Agree". Enforcing Better GDPR Compliance Through API Documentation

Karen Sawrey @ API Days Paris

GDPR security documentation technical writers

The talk addresses the aspects and elements of API documentation that need to be reconsidered and restyled in the light of GDPR. The way things are, absolute GDPR compliance is impossible, but maximal compliance is doable. Technical writers can enforce it through the language and graphic elements that guide users around API portals.

Learn More: video

Dec 2018

Defensive team – who are the security engineers and how they help teams to develop secure applications

Anastasiia Voitova @ Women in Appsec Kyiv Winter Meetup 2018

cybersec domains security engineering

Who are the people in the "blue team" and how do they prevent business risks for company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec Kyiv community and infosec students.

Learn More: slides

Sept-Dec 2018

Marrying usability and security in large-scale infrastructures

Eugene Pilyankevich @ OSDN Kyiv

security for senior managers usability vs security high level cryptography success and fail stories

Usability is often thought of as the opposite of security. However, most of the security controls inside operating systems and most of the security tools that run there are designed to be operated by humans. This talk is a summary of Eugene's experience in building security tooling and watching engineers integrate it: how security controls and tools are mis-designed and fail once used, how poorly integrated controls decrease the overall security of a system, and how lessons learned in reliability/infrastructure engineering apply to security tooling to fix that. Presented to senior engineers at OSDN Kyiv and to technical managers at UA.SC.

Learn More: video from OSDN Kyiv [ru]

Sept 2018

Protecting sensitive data in modern multi-component systems

Anastasiia Voitova @ JavaZone and DevExperience 2019

distributed apps security patterns high level cryptography zero knowledge architectures SSDLC

A talk for solution architects and technical leads, in which we took a deep look into data lifecycle, risk, trust, and how they affect security architecture, encryption, and key management techniques. We illustrated typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk was to provide a general thinking framework and enough ideas about tools for senior engineers for them to be able to plan their solutions securely, in relation to the sensitive data inside.

Learn More: video from JavaZone slides

June-Aug 2018

Zero Knowledge Architecture Approach for Mobile Developers [workshop]

Anastasiia Voitova @ SwiftAveiro 2018

mobile iOS dev encryption e2ee zero knowledge architectures workshop

A workshop for iOS developers that illustrates how to implement end-to-end encryption for a Firebase notes application. Zero knowledge algorithms and protocols ensure that no keys, passwords, files, or any other sensitive material ever gets transferred in an unencrypted or reversible form. The workshop code contains two encryption schemes and a set of general recommendations for improving the security of any iOS application.

Learn More: workshop repo

June 2018

Making security usable: product engineer perspective

Anastasiia Voitova @ QConNYC

usability vs security product engineering naming

This is a story of going over the typical security challenges: how to build products that reliably deliver security guarantees, how to avoid the typical pitfalls, and how to create tools that could be usable and predictable for real users. It's a tale of balancing religious adherence to security practices while keeping the customers' needs in mind all the time, inside the development team; a story of listening to the customers and observing the actual user behaviour outside in the wild, and trying to make the best decisions when it comes to empowering the customers with easy tools for encrypting data in their apps, securely and without pain. Presented for senior software engineers at QConNYC.

Learn More: video slides

May 2018

Getting secure against challenges or getting security challenges done

Eugene Pilyankevich @ NoNameCon

security for senior managers cost of security decisions security solutions

What it takes to make security decisions in a business environment, from the perspectives of both vendor and client, urging security engineers not only to think outside the technical box but also outside the box of engineering thinking when faced with real humans on the other side of the wire. Presented for security engineers at NoNameCon.

Learn More: video [ru] slides

May 2018

X things you need to know before implementing cryptography

Anastasiia Voitova @ UIKonf and CocoaHeads Kyiv

mobile iOS devs encryption security controls

A "tips and tricks" talk for mobile developers. Even when developers create apps with security in mind, (at least try to) protect user secrets, and don’t reveal unencrypted data, attackers can still find ways to bypass these security measures by exploiting architectural weaknesses and non-obvious, yet very simple vulnerabilities. The talk is about all the tiny bits and pieces that are necessary for making your app secure against simple attacks way before focusing on the hard things (like cryptography).

Learn More: video from UIKonf [eng] video from CocoaHeads [ru] video from mDevTalk [eng] slides

Apr 2018

Delivering security products without shooting yourself in the foot

Dmytro Shapovalov @ SecurityBSides Kyiv

SSDLC product engineering DevSecOps Acra

Dmytro Shapovalov, our senior infrastructure engineer, talks about improving the infrastructure for developing, testing, and delivering security tools. Our experience of smoothing the difference between security idealism and engineering friendliness. Presented at SecurityBSides Kyiv for software engineers and the security community.

Learn More: video [ru] slides

Apr 2018

Encryption without magic, risk management without pain

Anastasiia Voitova @ QCon London, Codemotion Milan and Security BSides Ukraine

high level cryptography risk management security patterns security architecture Acra

An in-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controllable attack surfaces, enables efficient and elegant risk management, and how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling the sensitive data.

Learn More: video from QCon video from Security BSides [ru] slides

Apr 2018

The Bad, The Ugly, The Good

Karen Sawrey @ API The Docs Paris

security documentation technical writers GitHub wiki vs Doc Server

Karen Sawrey, our technical writer, gave a talk on refactoring the existing GitHub documentation of our products and moving it to our own proprietary documentation server.

Learn More: video

Apr 2018

GDPR – Get security done

Karen Sawrey and Eugene Pilyankevich @

GDPR security documentation

We co-organised a security meetup for Ukrainian companies to discuss the various technical aspects of GDPR. Our speakers gave two talks, outlining various aspects of GDPR demands and possible compliance tactics.

Learn More: facebook event Karen slides

May 2018

Documenting the secret

Karen Sawrey @ API The Docs Amsterdam

security documentation technical writers

A talk for Women Techmakers Lviv on creating and maintaining documentation for cryptographic software. Besides the issues of information security, such things as basic self-care and sanity were also brought up. This talk was also given in December 2017 at the one-day API The Docs Amsterdam conference.

Oct 2017

Zero-knowledge architectures for mobile applications

Anastasiia Voitova @ MobiConf and DevFest Baltics

mobile iOS dev zero knowledge architectures security architecture high level cryptography

The talk focused on real-world problems that ZKA counters, typical cryptographic designs and progress in different spheres of ZKA. The talk also explained the practical approaches useful for mobile developers (implementing data sharing and user collaboration on data in a cloud in a way that makes a mobile app provably secure).

Learn More: video from DevFestBaltics video from MobiConf slides blog post

Oct 2017

Why decentralized social services fail

Eugene Pilyankevich

state security blockchain security architecture

It often feels like distributed and federated services provide better resiliency, risk management, and privacy than typical star-topology systems. However, Facebook et al. provide and maintain huge, single-point-of-entry, solely owned, walled gardens with hostile privacy policies, and yet they successfully serve millions of users, attracting some of the best engineering talents along the way.

Learn More: blog post

Apr 2017

Key management approaches for mobile applications

Anastasiia Voitova @ AppBuilders

mobile iOS dev key management encryption

Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. Key management is complicated when done the right way.

Learn More: video from AppBuilders 17 slides blog post

Apr 2017

DevOps and security: from the trenches to command centers

Eugene Pilyankevich

DevSecOps SSDLC security patterns security architecture

DevOps movement emerged as an attempt to build the bridge between people who write code, people who maintain the infrastructure for running it, and people who make the business decisions. These changes have put the emphasis on the new set of techniques and values. These techniques and values can either be beneficial or problematic for the security posture.

Learn More: blog post

Nov 2016

End-to-end data turnover: building Zero-knowledge software

Eugene Pilyankevich

zero knowledge architectures security architecture high level cryptography security for senior managers

Our CTO's talk on the evolution of end-to-end software, survival within the "everything will be broken" model with the help of employing proper cryptography and trust management, plus a disclosure of some ideas and concepts behind Hermes.

Learn More: blog post

May 2016

Everything will be broken

Eugene Pilyankevich @ SecurityBSides Kyiv

security architecture high level cryptography security for senior managers risk management

Our CTO's talk about the classic and emerging threat models, a proper understanding of security risks, perception of technical infrastructures ranging from idealistic to realistic, and adopting stronger techniques in the face of the vanishing perimeter and the (sadly) lowering standards of security tools and overall quality of the produced software.

Learn More: blog post

Aug 2016

Evolution of password-based authentication systems

Ignat Korchagin @ DefCon Crypto Village

password authentication cryptography zero knowledge architectures

These are the slides that accompanied the talk of our core scientific contributor. The talk focuses on evolving from regular authentication to Zero-Knowledge Proofs (including Secure Comparator) at DefCon Crypto Village.

Learn More: Secure Comparator slides