Slides & talks

Talks and workshops

Members of the Cossack Labs team often participate in international security and development conferences as speakers, organise and co-organise local events, conduct public workshops and private trainings, and support communities (CocoaHeads, Women Who Code, OWASP Women in AppSec, NoNameCon).

You can read more on our blog, Facebook or Twitter. Below you can find a collection of video recaps and speaker slides from such events.

MAR 2020

Designing secure architectures the modern way, regardless of stack

Eugene Pilyankevich @ QCon London 2020

security architecture security management risk management

Eugene talked about implementing sophisticated defences in constrained environments, ranging from protecting massive power grid SCADA networks to improving end-to-end encryption in small mobile applications. The technology stack doesn't matter if you focus on the assets at risk and design defences around the asset lifecycle.

Learn More: slides

NOV 2019

Protecting data in ICS, SCADA and industrial IoT: goals, problems, solutions

Eugene Pilyankevich @ UA.SC

security for senior managers security architecture IoT security

Eugene shared our experience and lessons learnt from building secure data aggregation systems with hardware-based encryption, time-series processing and end-to-end security. Learn about our solutions that are integrated into the ICS/SCADA networks of industrial operators, extract sensitive data, encrypt it "on the fly" and process it separately.

Learn More: solutions for critical infrastructure

Eugene @ UA.SC

Nov 2019

Security engineering: from encryption to software architecture patterns

Anastasiia Voitova and Jean-Philippe Aumasson @ their own training

cryptography security engineering SSDLC security architecture

A public training on security and cryptography engineering conducted jointly by Anastasiia and Jean-Philippe. We focused on solving practical security engineering challenges rather than academic cryptography. We talked about SSDLC and risk management, cryptography and typical cryptographic mistakes, using and misusing APIs, and building defence-in-depth for distributed applications.

Learn More: training modules

NOV 2019

Maintaining cryptographic library for 12 languages

Anastasiia Voitova @ BlackAlps

security engineering open source high level cryptography Themis DevSecOps

Maintaining a cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and the endless struggle to make developer-facing APIs easy to use and hard to misuse. Anastasiia described the four-year journey of designing and supporting Themis: from shaping cryptosystems and writing language wrappers to CI/CD pipelines, autotests and interactive documentation.

Learn More: slides video

Anastasiia @ BlackAlps

OCT 2019

Designing secure architectures, the modern way

Eugene Pilyankevich @ Devops Stage

security for senior managers security architecture risk management DevSecOps

In this talk, Eugene tried to cross the bridge between modern DevOps/SRE practices, systems architecture design and traditional security/risk management. It is driven by lessons learnt from building systems the modern way in high-risk environments with high reliability and security demands, drawing on the experience of protecting governmental secrets and critical infrastructure and preventing banking fraud at scale.

Learn More: blog post

Eugene and Anastasiia taking part in panel discussion @ Devops Stage

Oct 2019

Building SQL firewall: insights from developers

Artem Storozhuk @ OWASP Kyiv and Fwdays Highload

Acra SQL firewall SQL injections encryption security architecture product engineering

How SQL firewalls can help protect databases from SQL injections: the main difference from web application firewalls (WAFs), common usage scenarios, pros and cons. We implemented the SQL firewall as part of the Acra data encryption proxy, and we shared insights about the security and development decisions behind it. Expect a story about parsing SQL protocols, matching rules, the hidden dangers of logging, and the best configuration and usage patterns.

Learn More: video [ru] from OWASP video [ru] from Highload slides blog post

Artem @ Fwdays Highload

SEPT 2019

10 ways open source will hurt security and reliability

Eugene Pilyankevich @ OSDN

security for senior managers security architecture risk management open source

We all know how useful open source is. In this talk, Eugene describes the obvious and not-so-obvious risks that open source brings with it and what their practical consequences are. Learn what you need to pay attention to when selecting components for your new spacecraft to keep it from exploding during takeoff.

Learn More: video (ru)

SEPT 2019

10 lines of encryption, 1500 lines of key management

Anastasiia Voitova @ FrenchKit and RSConf

mobile iOS dev security engineering high level cryptography

Watch the story behind implementing end-to-end encryption for the Bear application. Anastasiia explained the security engineering flow: protocol design, selecting a cryptographic library, cryptocoding techniques, building defence-in-depth and preparing for incidents. Learn how to build an encryption engine for an app with 6M users.

Learn More: slides blog post case study video (ru) video (eng)

Slide from Anastasiia's talk with lines of defense around end-to-end encrypted notes

Sep 2019

Disagree with "I Agree". Enforcing Better GDPR Compliance Through API Documentation

Karen Sawrey @ API Days Paris and Write the Docs Prague

GDPR security documentation technical writers

The talk addresses the aspects and elements of API documentation that need to be reconsidered and restyled in the light of GDPR. The way things are, absolute GDPR compliance is impossible, but maximal compliance is doable. Technical writers can enforce it through the language and graphic elements that are used for guiding users around API portals.

Learn More: video from API Days video from Write the Docs links and materials

June 2019

Security, privacy and cryptography at WWDC19

Anastasiia Voitova @ CocoaHeads Ukraine

mobile iOS dev security engineering

Apple made many announcements at WWDC 2019 about cryptography, cybersecurity and privacy. Anastasiia highlighted important changes for developers, including the new CryptoKit framework, data privacy regulations and new app permissions.

Learn More: slides blog post interview

May 2019

Search over encrypted records: from academic dreams to production-ready tool

Artem Storozhuk @ NoNameCon

Acra secure search search over encrypted records encryption product engineering

Search over encrypted data is a modern cryptographic engineering problem. We talked about existing approaches (both well-known and modern) and concentrated on a practical solution based on the blind index technique for searching data in databases. What's inside: cryptographic and functional schemes, implementation details, practical security evaluation (risk modelling and potential attacks). We showed how theoretical models turn into real, usable, maintainable security tools. Search over encrypted records is part of the Acra encryption proxy.

Learn More: slides video [ru] blog post

Artem Storozhuk @ NoNameCon

April-June 2019

"Defense in depth": trench warfare principles for building secure distributed applications

Anastasiia Voitova @ muCon London

defense in depth Acra web security engineering security architecture security patterns

"Defense in depth" is a security engineering pattern that suggests building an independent set of security controls aimed at mitigating more risks even if the attacker crosses the outer perimeter. During the talk, Anastasiia modelled threats and risks for a modern distributed application and improved it by building multiple lines of defence. She gave an overview of high-level patterns and the exact tools for building defense in depth for your distributed web applications.

Learn More: slides video from muCon blog post

March 2019

Code injections using ptrace

Alexei Lozovsky @ PeerLab Kyiv

system development hacking

Have you ever used dynamic libraries before? We're sure you have. Alexei explains how the OS loads dynamic libraries and how another library can be loaded instead (using LD_PRELOAD hooks). As LD_PRELOAD is easy to detect and mitigate, Alexei digs deeper and talks about code injection at runtime. Learn how ptrace is used to locate functions in a memory-mapped process and to manipulate the process's state and thread execution.

Learn More: video (ru)

March 2019

Secure software development: from rookie to hardcore in 90 minutes [workshop]

Anastasiia Voitova @ iOSCon London

mobile iOS dev encryption key management workshop

A workshop for iOS developers that illustrates the typical mistakes they make when trying to build security into their apps. Anastasiia showed an actionable to-do list of things developers might want to improve in their apps, and gave a set of key management techniques for mobile apps.

Learn More: workshop repo slides

Anastasiia Voitova

March 2019

Delivering security products without shooting yourself in the foot

Dmytro Shapovalov @ SecurityBSides Kyiv and Pacemaker Conference

SSDLC product engineering DevSecOps Acra

Dmytro Shapovalov, our senior infrastructure engineer, talks about improving the infrastructure for developing, testing, and delivering security tools. He shared our experience of smoothing the difference between security idealism and engineering friendliness.

Learn More: video from BSides [ru] video from Pacemaker [ru] slides

Dmytro Shapovalov @ SecurityBSides Kyiv

Feb 2019

Teach your application eloquence. Logs, metrics, traces.

Dmytro Shapovalov @ RubyMeditation 26

web Acra DevSecOps logging, monitoring, tracing

Most modern applications live in close cooperation with each other. Dmytro spoke about the ways to effectively use modern techniques for monitoring the health of applications. Being an infrastructure engineer, Dmytro explained the typical mistakes developers make when implementing monitoring, and suggested a couple of approaches and tools that can help.

Learn More: video [ru] slides blog post

Dmytro Shapovalov @ RubyMeditation

Dec 2018

Data encryption for Ruby web applications

Dmytro Shapovalov @ RubyMeditation 25

ruby web Acra encryption

Making secure applications is not easy, especially when encryption tools are difficult and incomprehensible. Dmytro talked about typical data security problems in web apps and about the proper implementation of encryption. Dmytro reviewed the cryptographic approaches and the exact tools that ensure that no sensitive data leaks from the application or the database.

Learn More: video [ru] slides

Dec 2018

Cryptography & data security: protecting the data while reducing cost in distributed systems

Eugene Pilyankevich @ SecurityBSides Kharkiv

security for senior managers cryptography to reduce costs distributed apps enterprise security

Using cryptography for data protection is not reserved exclusively for "secure chats" and financial products. Modern cryptographic tools help to comply with regulations and laws, improve control over the infrastructure, prevent data leakages, and reduce the risk of incidents. Eugene talked about the way modern cryptographic tools allow technology companies to reduce the security budget and remain protected at the same time.

Anastasiia Voitova @ JavaZone

Dec 2018

Defensive team – who are the security engineers and how they help teams to develop secure applications

Anastasiia Voitova @ Women in Appsec Kyiv Winter Meetup 2018

cybersec domains security engineering

Who are the people in the "blue team" and how do they prevent business risks for company assets? What is secure development, secure architecture, secure coding? A lecture for Women in Appsec Kyiv community and infosec students.

Learn More: slides

Cossack Labs people @ NoNameCon

Sept-Dec 2018

Marrying usability and security in large-scale infrastructures

Eugene Pilyankevich @ OSDN Kyiv and UA.SC

security for senior managers usability vs security high level cryptography success and fail stories

Usability is often thought of as the opposite of security. However, most of the security controls inside operating systems and most of the security tools that run there are designed to be operated by humans. This talk is a summary of Eugene's experience in building security tooling and watching engineers integrate it: how security controls and tools are mis-designed and fail once used, how poorly integrated controls decrease the overall security of a system, and how lessons learned in reliability/infrastructure engineering apply to security tooling to fix that.

Learn More: video from OSDN Kyiv [ru]

Sept 2018

Protecting sensitive data in modern multi-component systems

Anastasiia Voitova @ JavaZone and DevExperience 2019

distributed apps security patterns high level cryptography zero knowledge architectures SSDLC

A talk for solution architects and technical leads, in which we took a deep look into data lifecycle, risk, trust, and how they affect security architecture, encryption, and key management techniques. We illustrated typical SDL patterns: narrowing trust, monitoring intrusions, zero knowledge architectures, distributing trust. The goal of the talk was to provide a general thinking framework and enough ideas about tools for senior engineers for them to be able to plan their solutions securely, in relation to the sensitive data inside.

Learn More: video from JavaZone slides

Karen Sawrey @ API The Docs Amsterdam

June-Aug 2018

Zero Knowledge Architecture Approach for Mobile Developers [workshop]

Anastasiia Voitova @ SwiftAveiro 2018

mobile iOS dev encryption e2ee zero knowledge architectures workshop

A workshop for iOS developers that illustrates how to implement end-to-end encryption for a Firebase notes application. Zero knowledge algorithms and protocols ensure that no keys, passwords, files, or any other sensitive material ever gets transferred in an unencrypted or reversible form. The workshop code contains two encryption schemes and a set of general recommendations for improving the security of any iOS application.

Learn More: workshop repo

June 2018

Making security usable: product engineer perspective

Anastasiia Voitova @ QConNYC

usability vs security product engineering naming

This is a story of going over the typical security challenges: how to build products that reliably deliver security guarantees, how to avoid the typical pitfalls, and how to create tools that are usable and predictable for real users. It's a tale of balancing religious adherence to security practices with keeping the customers' needs in mind all the time inside the development team; a story of listening to the customers and observing the actual user behaviour out in the wild, and trying to make the best decisions when it comes to empowering the customers with easy tools for encrypting data in their apps, securely and without pain. Presented for senior software engineers at QConNYC.

Learn More: video slides

May 2018

Getting secure against challenges or getting security challenges done

Eugene Pilyankevich @ NoNameCon

security for senior managers cost of security decisions security solutions

What it takes to make security decisions in a business environment, from the perspectives of both vendor and client, urging security engineers to think not only outside the technical box but also outside the box of engineering thinking when faced with real humans on the other side of the wire. Presented for security engineers at NoNameCon.

Learn More: video [ru] slides

Eugene Pilyankevich

May 2018

Documenting the secret

Karen Sawrey @ API The Docs Amsterdam

security documentation technical writers

A talk for Women Techmakers Lviv on creating and maintaining documentation for cryptographic software. Besides the issues of information security, such things as basic self-care and sanity were also brought up. This talk was also given in December 2017 at the one-day API The Docs Amsterdam conference.

May 2018

X things you need to know before implementing cryptography

Anastasiia Voitova @ UIKonf and CocoaHeads Kyiv

mobile iOS devs encryption security controls

A "tips and tricks" talk for mobile developers. Even when developers create apps with security in mind, (at least try to) protect user secrets, and don't reveal unencrypted data, attackers can still find ways to bypass these security measures by exploiting architectural weaknesses and non-obvious, yet very simple, vulnerabilities. The talk is about all the tiny bits and pieces that are necessary for making your app secure against simple attacks well before focusing on the hard things (like cryptography).

Learn More: video from UIKonf [eng] video from CocoaHeads [ru] video from mDevTalk [eng] slides

Apr 2018

Encryption without magic, risk management without pain

Anastasiia Voitova @ QCon London, Codemotion Milan and Security BSides Ukraine

high level cryptography risk management security patterns security architecture Acra

An in-depth technical inquiry about cryptography in a wider context: how it helps to narrow more significant risks to controllable attack surfaces, enables efficient and elegant risk management, and how tools and algorithms sit in a broader context of managing infrastructure-wide risks associated with handling the sensitive data.

Learn More: video from QCon video from Security BSides [ru] slides

Karen Sawrey

Apr 2018

The Bad, The Ugly, The Good

Karen Sawrey @ API The Docs Paris

security documentation technical writers GitHub wiki vs Doc Server

Karen Sawrey, our technical writer, gave a talk on refactoring the existing GitHub documentation of our products and moving it to our own proprietary documentation server.

Learn More: video

Apr 2018

GDPR – Get security done

Karen Sawrey and Eugene Pilyankevich @

GDPR security documentation

We co-organised a security meetup for Ukrainian companies to discuss the various technical aspects of GDPR. Our speakers gave two talks, outlining various aspects of GDPR demands and possible compliance tactics.

Learn More: facebook event Karen slides

Eugene Pilyankevich @ OSDN Kyiv explaining Data encryption

Oct 2017

Zero-knowledge architectures for mobile applications

Anastasiia Voitova @ MobiConf and DevFest Baltics

mobile iOS dev zero knowledge architectures security architecture high level cryptography

The talk focused on real-world problems that ZKA counters, typical cryptographic designs and progress in different spheres of ZKA. The talk also explained the practical approaches useful for mobile developers (implementing data sharing and user collaboration on data in a cloud in a way that makes a mobile app provably secure).

Learn More: video from DevFestBaltics video from MobiConf slides blog post

Oct 2017

Why decentralized social services fail

Eugene Pilyankevich

state security blockchain security architecture

It often feels like distributed and federated services provide better resiliency, risk management, and privacy than typical star-topology systems. However, Facebook et al. provide and maintain huge, single-point-of-entry, solely owned, walled gardens with hostile privacy policies, and yet they successfully serve millions of users, attracting some of the best engineering talents along the way.

Learn More: blog post

Anastasiia Voitova @ NoNameCon

Apr 2017

Key management approaches for mobile applications

Anastasiia Voitova @ AppBuilders

mobile iOS dev key management encryption

Trust is built around various trust tokens: keys, passwords, secrets, biometric properties, things you have and things you know. Key management is complicated when done the right way.

Learn More: video from AppBuilders 17 slides blog post

Apr 2017

DevOps and security: from the trenches to command centers

Eugene Pilyankevich

DevSecOps SSDLC security patterns security architecture

The DevOps movement emerged as an attempt to build a bridge between people who write code, people who maintain the infrastructure for running it, and people who make the business decisions. These changes have put the emphasis on a new set of techniques and values, which can be either beneficial or problematic for the security posture.

Learn More: blog post

Nov 2016

End-to-end data turnover: building Zero-knowledge software

Eugene Pilyankevich

zero knowledge architectures security architecture high level cryptography security for senior managers

Our CTO's talk on the evolution of end-to-end software, survival within the "everything will be broken" model with the help of employing proper cryptography and trust management, plus a disclosure of some ideas and concepts behind Hermes.

Learn More: blog post

Eugene Pilyankevich

May 2016

Everything will be broken

Eugene Pilyankevich @ SecurityBSides Kyiv

security architecture high level cryptography security for senior managers risk management

Our CTO's talk about the classic and emerging threat models, a proper understanding of security risks, perception of technical infrastructures ranging from idealistic to realistic, and adopting stronger techniques in the face of the vanishing perimeter and the (sadly) lowering standards of security tools and overall quality of the produced software.

Learn More: blog post

Aug 2016

Evolution of password-based authentication systems

Ignat Korchagin @ DefCon Crypto Village

password authentication cryptography zero knowledge architectures

These are the slides that accompanied the talk of our core scientific contributor. The talk is focused on evolving from regular authentication to Zero-Knowledge Proofs (including Secure Comparator), given at DefCon Crypto Village.

Learn More: Secure Comparator slides