Coming into a code base can be overwhelming. Taking responsibility for the security of a project can be truly terrifying. This talk will describe a set of common scenarios for a project, and how to counteract them. Hopefully, this will help to move your codebase and project to a state where you will be more prepared to handle incoming vulnerability reports. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent.
Make it fixable, designing for change
Our users trust us. They trust that we will protect them and lead them down the right path. Doing that right the first time is practically impossible. From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture for fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. It will also show examples of how difficult it is to design the user experience of security.
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects. This talk describes some of the most common challenges and how to counteract them.
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects.
This talk describes some of the most common challenges and how to counteract them.
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects.
This talk describes some of the most common challenges and how to counteract them.
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.
Make it fixable, designing for change
Our users trust us. They trust that we will protect them and lead them down the right path. Doing that right the first time is practically impossible. From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture for fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. It will also show examples of how difficult it is to design the user experience of security.
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects. This talk describes some of the most common challenges and how to counteract them.
Make It Fixable, Living with Risk (NDC London 2018)Patricia Aas
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects.
This talk describes some of the most common challenges and how to counteract them.
Trying to prepare your project or organisation to be able to receive vulnerability reports is a daunting task. And often far more complex and cross disciplinary than one first expects.
This talk describes some of the most common challenges and how to counteract them.
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
How to run a kick ass bug bounty program - Node Summit 2013bugcrowd
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.
Code Review: How and When - Tulsa TechFest 2016Paul Gower
You want to improve your software skills. That's a given. You may be a mentor or a manager who needs to improve the knowledge sharing among your software developers across different projects. Code Reviews can do just that while improving code quality in your projects. Code Review not only builds developer team spirit but also offers new ways to improve a software solution. You'll walk away from this session with in-depth understanding of Code Review to strengthen your team.
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
This is an introduction to Capture The Flag (CTF) hacking competitions. Everything you need to know about CTFs, and how to prepare for them.
This video covers:
Generic CTF prep
Strategic Security CTF prep
Incident Response
System Hardening
System Logging
Intrusion Detection System
Attacking Systems
Maintaining Access
New Era of Software with modern Application Security (v0.6)Dinis Cruz
Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.
The v.06 was presented at London Software Craftsmanship Community on 18/Feb/2016 - http://www.meetup.com/london-software-craftsmanship/members/184071944/
The v.0.6 was presented at the OWASP London Chapter meeting on 25t/Feb/2016
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
It takes a company an average of 35 days to detect when they have been compromised. For some, it can take years. As fast as software changes and new vulnerabilities are discovered, waiting for an annual penetration test is just not enough. In this talk, I will show you how we perform self-audits on our own network on a continual basis. You will learn about the tools that we use so that you can audit your own network to determine if your technical and physical controls will detect a security incident. I will show you how our self-audits and 'fire drills' engage our IT team, allowing us to learn both how to detect when an incident is occurring and how to react. I will also share some mistakes I've made and give you tips on performing a self-assessment without disrupting your business. You will see how this has strengthened our awareness education and our overall security posture. If you've never performed a self-audit this talk will be a great introduction. It's okay to touch your...network.
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). his talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.
Security at Scale - Lessons from Six Months at YahooAlex Stamos
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.
CSA Raleigh application security and deception in the cloudPhillip Maddux
Presented on January 17, 2019 at Raleigh/Durham/RTP - Cloud Security Alliance Chapter (https://www.meetup.com/Raleigh-Durham-RTP-Cloud-Security-Alliance-Chapter/).
Over the last several years there has been a steady and increasing march towards shifting applications to the cloud. To keep pace with this cloud adoption, in some cases multi-cloud adoption, security teams need consistent real-time threat visibility over their web applications production. In this talk, we'll discuss some of the foundational concepts that comprise a practical approach to threat visibility and securing applications in the cloud. In addition, extending visibility to breaches in progress, deception can be a valuable layer in your defense in depth strategy. We'll discuss the concept of deception and how it can be deployed in the cloud. Overall, the audience will gain a greater insight into application security and deception for the cloud. As we head into 2019, we need to prepare for a year that will prove these concepts are critical for defending deployments in the cloud.
A Research Study into DevOps Bottlenecks as presented at Codemash 2018Baruch Sadogursky
By Baruch Sadogursky
We asked the Fortune 500 software delivery leaders what holds them back. This talk is the analysis of their insights on what bottlenecks they encountered in their DevOps journey.
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
Modern systems pose a number of thorny challenges and securing the transformation from legacy monolithic systems to distributed systems demands a change in mindset and engineering toolkit. The security engineering toolkit is unfortunately out-of-style and outdated with today's approach to building, security and operating distributed systems.
Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make them tremendously difficult for humans to mentally model their behavior. If the latter is even remotely true how is it possible to adequately secure services that are not even fully comprehended by the engineering teams that built them. How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works.
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsJoe McCray
This presentation focuses on pentesting high security environments, new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and ex-filtrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests.
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models? In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully you will walk away with a plan on how to approach a new code base. But even more I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
Code Review: How and When - Tulsa TechFest 2016Paul Gower
You want to improve your software skills. That's a given. You may be a mentor or a manager who needs to improve the knowledge sharing among your software developers across different projects. Code Reviews can do just that while improving code quality in your projects. Code Review not only builds developer team spirit but also offers new ways to improve a software solution. You'll walk away from this session with in-depth understanding of Code Review to strengthen your team.
Getting ready for a Capture The Flag Hacking CompetitionJoe McCray
This is an introduction to Capture The Flag (CTF) hacking competitions. Everything you need to know about CTFs, and how to prepare for them.
This video covers:
Generic CTF prep
Strategic Security CTF prep
Incident Response
System Hardening
System Logging
Intrusion Detection System
Attacking Systems
Maintaining Access
New Era of Software with modern Application Security (v0.6)Dinis Cruz
Description: This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, cleaver Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but it allow them to be developed in a much more efficient, cheaper and productive way.
The v.06 was presented at London Software Craftsmanship Community on 18/Feb/2016 - http://www.meetup.com/london-software-craftsmanship/members/184071944/
The v.0.6 was presented at the OWASP London Chapter meeting on 25t/Feb/2016
It's Okay To Touch Yourself - DerbyCon 2013Ben Ten (0xA)
It takes a company an average of 35 days to detect when they have been compromised. For some, it can take years. As fast as software changes and new vulnerabilities are discovered, waiting for an annual penetration test is just not enough. In this talk, I will show you how we perform self-audits on our own network on a continual basis. You will learn about the tools that we use so that you can audit your own network to determine if your technical and physical controls will detect a security incident. I will show you how our self-audits and 'fire drills' engage our IT team, allowing us to learn both how to detect when an incident is occurring and how to react. I will also share some mistakes I've made and give you tips on performing a self-assessment without disrupting your business. You will see how this has strengthened our awareness education and our overall security posture. If you've never performed a self-audit this talk will be a great introduction. It's okay to touch your...network.
Deception in Cyber Security (League of Women in Cyber Security)Phillip Maddux
Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). his talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.
Security at Scale - Lessons from Six Months at YahooAlex Stamos
This is my talk on building security at scale from Black Hat USA 2014. In it I outline the lessons I've learned from six months as Yahoo's CISO and share ideas for how the security industry can better address problems at web scale.
CSA Raleigh application security and deception in the cloudPhillip Maddux
Presented on January 17, 2019 at Raleigh/Durham/RTP - Cloud Security Alliance Chapter (https://www.meetup.com/Raleigh-Durham-RTP-Cloud-Security-Alliance-Chapter/).
Over the last several years there has been a steady and increasing march towards shifting applications to the cloud. To keep pace with this cloud adoption, in some cases multi-cloud adoption, security teams need consistent real-time threat visibility over their web applications production. In this talk, we'll discuss some of the foundational concepts that comprise a practical approach to threat visibility and securing applications in the cloud. In addition, extending visibility to breaches in progress, deception can be a valuable layer in your defense in depth strategy. We'll discuss the concept of deception and how it can be deployed in the cloud. Overall, the audience will gain a greater insight into application security and deception for the cloud. As we head into 2019, we need to prepare for a year that will prove these concepts are critical for defending deployments in the cloud.
A Research Study into DevOps Bottlenecks as presented at Codemash 2018Baruch Sadogursky
By Baruch Sadogursky
We asked the Fortune 500 software delivery leaders what holds them back. This talk is the analysis of their insights on what bottlenecks they encountered in their DevOps journey.
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
Modern systems pose a number of thorny challenges and securing the transformation from legacy monolithic systems to distributed systems demands a change in mindset and engineering toolkit. The security engineering toolkit is unfortunately out-of-style and outdated with today's approach to building, security and operating distributed systems.
Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make them tremendously difficult for humans to mentally model their behavior. If the latter is even remotely true how is it possible to adequately secure services that are not even fully comprehended by the engineering teams that built them. How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works.
Big Bang Theory: The Evolution of Pentesting High Security EnvironmentsJoe McCray
This presentation focuses on pentesting high security environments, new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and ex-filtrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests.
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.
Reading Other Peoples Code (Web Rebels 2018)Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other peoples code. Is there a way to methodically read and understand other peoples work, build their mental models? In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully you will walk away with a plan on how to approach a new code base. But even more I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
DevSecOps for Developers: How To StartPatricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring."
We can do a lot to secure our web-app backends, but ultimately our users email and password are the front door, and they're notoriously insecure. This talk quickly shows you how to mitigate this attack vector by detecting and responding to login anomalies using ThisData's Login Intelligence API.
This talk was originally presented as at Ruby Nights Auckland on March 24 2016: http://www.meetup.com/aucklandruby/events/228852539/
WirSindOhana24 - Monitor your Salesforce orgs with open-source only !Nicolas Vuillamy
Panic, the Salesforce production org is down! But it was working perfectly fine yesterday, what happened? What if you had access to a daily monitoring of all your org metadata configuration, to see the detailed differences since yesterday? What if you could install and schedule it in 5 minutes by org? What if it was provided by free and open-source tools? What if it contained additional checks like Apex and Flows quality health, suspiscious user activity, analysis of the consistency between object model and permission sets, detection of deprecated API versions usage, detection of unused flows, and many extra features ? What is the check results could be sent as slack notifications? Let us show you how with a live demo!
Undefined Behavior and Compiler Optimizations can result in programs that display surprising behavior. In this presentation we look at some examples, and I hope to convince you that you should not reason about Undefined Behavior and that you should take care and use your tools.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
iPhone backup software help user to create backup. you can create backup of any data such as music, movies. With it's user interface you can run software easily.
NCET Tech Bite - Cloud Storage and Data Backup - June 2015Archersan
Darren McBride, CEO of Sierra Computer Group shares with you the most common reason for data loss; the 20 common backup mistakes resulting in data loss during an emergency; why the time to restore your server may be several days longer than you want; and how the cloud can help in your backup strategy. Darren also shares ways to test the backup system and ways to reduce the impact of human error.
Dayton Microcomputer Association (DMA):
April 2020 - Online Meeting
Date: April 28, 2020
Topic: Stupid Cyber Criminal Tricks and How to Combat Them
Speaker: Matt Scheurer
This talk covers various techniques used by cyber criminals, and how to spot them. This is the accompanying slide deck for a presentation that covers live demos. Who does not love a good cyber-crime story?
Similar to Make it Fixable, Living with Risk (Paranoia 2017) (20)
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of. In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.
Return Oriented Programming, an introductionPatricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of.
In this talk you will learn how it works, and we will go through how it can be used to execute code in contexts where the stack is not executable.
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
Making software products can be fraught with conflicts, where people in different roles may feel sabotaged by others. In this talk I present a model for thinking about the problems we solve and how we solve them, and using that I hope to convince you that team excellence comes from our differences, rather than in spite of them. Hopefully you'll walk away with a deeper understanding of that colleague that never writes tests, or the one that constantly complains that all you do is "make bugs".
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
C++ has been slow to settle on standardized tools for building and dependency management. In recent years CMake has emerged as the de facto standard for builds, but dependency management still has no clear winner. In this talk I will look into what dependency management might look like in modern C++ projects and how that relates to security.
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old. We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old.
We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Thoughts On Learning A New Programming LanguagePatricia Aas
How should we teach a new language to folks that already know how to program?
How do we use what we already know to leapfrog the learning process?
Based on my personal experience and snippets of natural language theory, we will try to explore the cheats and pitfalls when learning a new programming language, but also dig into how we can make it easier.
Trying to build an Open Source browser in 2020Patricia Aas
A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020.
We will also see a live demo of a simple browser built with these OSS projects. We will also discuss the limitations and future work needed to make this work in practice.
Trying to build an Open Source browser in 2020Patricia Aas
A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020.
We will also see a live demo of a simple browser built with these OSS projects. We will also discuss the limitations and future work needed to make this work in practice.
The Anatomy of an Exploit (NDC TechTown 2019)Patricia Aas
Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used.
The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
The Anatomy of an Exploit (NDC TechTown 2019))Patricia Aas
Security vulnerabilities and secure coding is often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used.
The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
Being the only woman on your team can be hard. Many times it’s difficult to know what is only your experience and what is common. In this talk we’ll go through 24 tips (and a few bonus tips) based on well over a decade of experience being the only woman in several teams. If you’re a woman hopefully you’ll walk out with some ideas you can put to work right away, if you’re a man hopefully you’ll walk out with a new perspective and start noticing things in your day-to-day that you didn’t notice before.
https://patricia.no/2018/09/06/survival_tips_for_women_in_tech.html
More and more we see technology, both hardware and software, intersect with fundamental issues like privacy, democracy and human rights. The opaqueness of tech makes it a handy instrument of oppression and manipulation. We have taught the population to trust us. We have constructed a world in which they have to exist, with little to no oversight or transparency. We build critical infrastructure on hardware and software that even we cannot audit. How can we wield that responsibility? How do we protect those that speak up? How do we protect the population?
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
Can you describe a situation that caused you to realize you were privileged?
I have asked many people that question now, and what I have learned is that privilege is an Unconscious Incompetence. Being privileged is a non-event. When we become conscious of it we realize that our privileged experience is not applicable to less privileged people. What happens to them does not happen to us. Only when we become Consciously Incompetent do we realize the need to listen. We need to learn.
In this talk I hope to make you realize that we all have privilege and to start a journey through self reflection to becoming Consciously Incompetent. I hope also to give some indicators and patterns that you can look for in your daily lives to recognize and maybe even to correct imbalances you see.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
4. Patricia Aas
Programmer - mainly in C++ and Java
Currently : Vivaldi Technologies
Previously : Cisco Systems, Knowit, Opera Software
Master in Computer Science
Twitter : @pati_gallardo
6. Just Remember :
- You live in the real world
- Take one step at a time
- Make a Plan
@pati_gallardo
7. You Need A Security
“Hotline”
security@company.com
Symbiotic relationship
Be polite
Be grateful
Be professional
Be efficient and transparent @pati_gallardo
8. Risk Management - Make it Fixable
- Unable to Roll Out Fixes
- No Control over Dependencies
- The Team is Gone
- It’s in Our Code
- My Boss Made Me Do It
@pati_gallardo
10. Unable to
Roll out Fixes
● Relying on User Updates
● Unable to Build
● Unable to Deploy
● Regression Fear
● No Issue Tracking
● No Release Tags
● No Source
● Issue in infrastructure
@pati_gallardo
11. Internet of Things
Toys: My Friend Cayla, i-Que
Intelligent Robots, Hello Barbie
Mirai: Botnets created with IOT
devices, users don’t update
“Shelfware”
No Maintenance contract
Abandonware
Closed source - no way to fix/fork
@pati_gallardo
Unable to Roll Out Fixes.
12. Fix : Ship It!
Code
● Get the Code
● Use Version Control
● Keep Build Environment
● Write Integration Tests
Holy Grail : Auto Update
Configuration Management
● Have Security Contact
● Track issues
● Make a Deployment Plan
● Control Infrastructure @pati_gallardo
13. Internet of Things
- Auto-update
- Different default passwords
- Unboxing security
“Shelfware”
- Get maintenance contract
- Change supplier
- Do in-house
- Use only Open Source Software
@pati_gallardo
Fix : Ship It!
15. No Control over
Dependencies
● Too Many Dependencies
● Frameworks are Abandoned
● Libraries Disappear
● Insecure Platform APIs
● Insecure Tooling
● End-of-Life OS (Windows)
● Licenses expire/change
● Known Issues not Fixed
● OS Not Updated (Android)
@pati_gallardo
16. Stagefright
Bugs in the multimedia library on
android
Heartbleed
Bug in openssl
Left-Pad
Developer unpublished a mini-Js
library
@pati_gallardo
No Control over Dependencies
17. Fix: Control It!
Be conservative
● Is it needed?
● Do you understand it?
Goal : Dependency Control
Be cautious
● Audit your upstream
● Avoid forking
● Have an upgrade plan
● Have someone responsible @pati_gallardo
18. Stagefright
- Workaround in apps calling
into stagefright
Heartbleed
- Control over production
environment
Left-Pad
- Removing unnecessary
dependency
@pati_gallardo
Fix: Control It!
20. The Team Is Gone
● Team were consultants
● They were downsized
● The job was outsourced
● “Bus factor”
● “Binary blob”
● Abandonware
@pati_gallardo
21. @pati_gallardo
“Public Sector”
- Leaves the code with
subcontractor
- No build environment
- Third-party access to
production environment
Abandoned frameworks
- Framework interdependency
- Unable to upgrade
- Known bugs
The Team is Gone
22. Fix : Own It!
Take it on yourselves
● Build competence in-house
● Fork, take control
● “Barely Sufficient” Docs
● Ship It and Control It
Goal : Regain Control
Outsource
● Maintenance Contract
● Add Security Clause
● Own deployment channel
@pati_gallardo
23. Fix : Own It!
“Public Sector”
- Backsourcing - Bring back
work previously outsourced
Abandoned frameworks
- Replace with equivalent (OSS)
- Remove dependency
- Fork
@pati_gallardo
25. It’s in Our Code
● Injection
● Exploited crash etc
● Debug code in production
● Server compromised
● Outdated platform
● Intercepted traffic
● Mined local data
● Good old fashioned BUG
@pati_gallardo
26. REMA 1000 Æ App
- Reporter: Hallvard Nygård
(@hallny)
- All user data could be
retrieved
- Badly handled report
- “Bug” (Lack of security) in App
BEST CASE SCENARIO@pati_gallardo
It’s in Our Code
27. Fix : Live It!
Prevent
● Sanitize your input
● Send crash reports
● Code review + tests
● Review server security
● Encrypt all traffic
● Review local storage
● Work around old platform
● Sign and check
Goal : Prevent & Cure
Cure
● Ship it! @pati_gallardo
28. Browsers are very experienced
- But boring ;)
gitlab.com
- “rm -rf”
- Sysadmin maintenance
- Cascading errors as backups
fail
- All logged Publicly in real
time
Transparency@pati_gallardo
Fix : Live It!
30. My Boss Made Me Do It
The Feature
is the Bug
How?
● Security Problem
● Privacy Problem
● Unethical
● Illegal
@pati_gallardo
31. Capcom's Street Fighter V
- Installed a driver
- “anti-crack solution”
“...disables supervisor-mode
execution protection and then
runs the arbitrary code passed in
through the ioctl buffer with
kernel permissions..”
- Reddit user extrwi
@pati_gallardo
My Boss Made Me Do It
32. Fix : Protect It!
Prevent : Protect your team
● Workers rights
● Build trust
Goal : Protect your user
Cure : Protect your company
● Find a Powerful Ally
● Do Risk Analysis : Brand
Reputation, Trust
● Use the Law
LAST RESORT : Whistleblowing & Quitting @pati_gallardo
33. Statoil
- Internal reports of security
incidents after outsourcing
- Only public after serious IRL
incidents
Nødnett
- Transitive outsourcing
- National Security
These are often the Unsung Heros
(Last Resort : Edward Snowden)@pati_gallardo
Fix : Protect It!
38. The Users Won’t Read
Error blindness
Most users will mentally erase
permanent error notifiers - they
won’t read
“Just click next”
Most users will accept the defaults
- they won’t read
“Make it go away”
The user will try to make the error
dialog go away - they won’t read
@pati_gallardo
39. Fix : Less is More
Don’t leave it to the user
Just do the right thing, you don’t
have to ask
Have good defaults
Make sure that clicking next will
leave the user in a good place
Be very explicit when needed
If the user is in a “dangerous”
situation - design carefully and if
you have to explain : use language
the user can understand
@pati_gallardo
40. They Trust You
With Personal information
They trust you to protect them from
both hackers and governments
With Data
They trust you to protect their
pictures, documents, email ...
With Money
They trust you to protect their
payment information and passwords
@pati_gallardo
41. Fix : Be Trustworthy
Only store what you have to
Try to use end-to-end encryption,
so that even you don’t have access.
Otherwise, encrypt as much as you
can
Back up everything
Your users can’t afford to lose
their baby pictures
Use third party payment
Avoid having responsibility for
their money
@pati_gallardo