Building your cybersecurity stack with Open Source
Héctor Eryx Paredes Camacho
Tech Manager @ Helix RE
United, sharing and learning
#SGVIRTUAL
And contribute to a safer world
Open Source México
Advocates of an “OpenSourceFirst” culture to increase innovation and economic growth in Mexico
Open Source México
Join us!
• Monthly meetups
• Upcoming events
• Networking
• News
Networks:
https://twitter.com/amigososom
https://www.linkedin.com/groups/12137251/
https://www.instagram.com/opensourcemexico/
https://github.com/orgs/OpenSOurceMexico/teams
https://www.meetup.com/Open-SOurce-Mexico-OSOM/
https://www.facebook.com/OSOM-Open-Source-Mexico-354538278660417
CCOSS: Open Source Contributors Summit (Cumbre de Contribuidores de Open Source Software)
https://sg.com.mx/buzz/asi-fue-la-1er-cumbre-de-contribuidores-de-open-source-software
What you should take away from the next 50 minutes:
• No matter how hard it may look, you should be aware of the information security tools, frameworks and processes that protect you and your organization
Topics
☛ Cybersecurity
☛ Open Source and how it works
☛ Tools
☛ How to decide
Cybersecurity
Defining cybersecurity is hard
Context is important. It requires a deep understanding of core concepts like:
• Authorization
• Confidentiality
• Integrity
• Availability
Sources:
https://www.enisa.europa.eu/publications/definition-of-cybersecurity
https://csrc.nist.gov/glossary/term/cybersecurity
• The prevention of damage to, unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems.
• The process of protecting information by preventing, detecting, and responding to attacks.
Implementing cybersecurity is harder…
Cybersecurity example (A)
“…We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection…includes usernames, email addresses, salted, hashed passwords….”
By the way, they were using phpBB 3.1, an open source forum board.
The attack could have been mitigated by running an updated version of phpBB.
Source: https://ethhack.com/2019/09/xkcd-forum-hacked-over-562000-users-account-details-leaked/
Cybersecurity example (B)
Mexico's Pemex Oil Suffers Ransomware Attack, $4.9 Million Demanded
“Security researchers were able to find the malware sample which confirms the DoppelPaymer infection…Pemex was probably targeted by an initial infection of the Emotet Trojan which eventually provided network access…then have used Cobalt Strike and PowerShell Empire to spread the ransomware…”
Emotet uses a modular architecture that includes open source tools. Signatures of the Emotet botnet can be found with Cuckoo Sandbox, an open source malware analysis tool.
Source: https://www.bleepingcomputer.com/news/security/mexicos-pemex-oil-suffers-ransomware-attack-49-million-demanded/
Cybersecurity example (C)
A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response
“In his research into reverse RDP attacks, Eyal Itkin found that for mstsc.exe, this technique, also referred to as lazy lateral movement, was possible through the clipboard sharing channel.”
“Check Point Research recently discovered multiple vulnerabilities in (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional… There are also some popular open-source clients for the RDP protocol that are used mainly by Linux and Mac users.”
Sources:
https://www.microsoft.com/security/blog/2019/08/07/a-case-study-in-industry-collaboration-poisoned-rdp-vulnerability-disclosure-and-response/
https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/
Common Denominator
Popular website (example A)
• Forum
• Open source tool
• Not patched
Large corporation (example B)
• Spear phishing
• Established foothold
• Install ransomware
• Known malware signatures
• Open source modules
• Public open source signatures
Windows Remote Desktop Protocol (example C)
• Enterprise client analyzed
• Open source clients analyzed
• Static analysis to identify vulnerabilities
(Free) Open Source Software
FOSS is…
• Collaboration
• Openness
• Meritocracy
• Born in hacking culture
THE Hacking Culture
• Particularly creative people who define themselves partly by rejection of ‘normal’ values and working habits
• A subculture of individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes
• A manner in which it is done and whether it is something exciting and meaningful
Sources:
https://en.wikipedia.org/wiki/Hacker_culture
http://catb.org/jargon/html/introduction.html <- Please read this book: “The Cathedral and the Bazaar” by Eric S. Raymond
The cyber security community embraces
• Collaboration
• Openness
• Meritocracy
derived from its hacking subculture(s)
How to choose the right tool for the right job
HUGE HUGE HUGE list of FOSS tools on cybersec
Where to find open source security tools
• GitHub / GitLab
• SourceForge
• Academic institutions: Carnegie Mellon University SEI: https://www.sei.cmu.edu/publications/software-tools/
• Organizations promoting security: OWASP: https://owasp.org ; National Security Agency: https://github.com/nationalsecurityagency
• Within enterprise security tools: some products are based on core open source projects
Now: Let Me Google That For You
• Snort: intrusion prevention system
• OpenVAS: vulnerability scanner based on the original Nessus network scanner engine
• Nmap: the good old-school network scanner
• Nagios Core: community version of the Nagios network/infrastructure monitor
• Ettercap: simulate MITM attacks
• Infection Monkey: simulate a breach-and-attack scenario with a great GUI
• Metasploit: framework to automate vulnerability testing (exploits)
• Cuckoo Sandbox: malware analysis sandbox
• Autopsy: GUI forensic tool for hard drives
• Lynis: lists Unix tools, versions and vulnerabilities
Source: https://www.darkreading.com/threat-intelligence/10-open-source-security-tools-you-should-know/d/d-id/1331913
For the hoody h4x0r in the room, join: https://t.me/bugbountyes
OWASP Zed Attack Proxy Project
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools.
It can help to automatically find security vulnerabilities in web applications.
• Possible to integrate it in a CI/CD pipeline
Great tool for experienced pen testers to use for manual security testing.
SAST: Static Application Security Testing
https://snyk.io/
https://www.sonarqube.org/sonarqube-8-0/
https://docs.renovatebot.com/
https://github.com/archerysec
https://github.com/hawkeyesec
https://coreos.com/clair/docs/latest/
https://www.whitesourcesoftware.com/open-source-security/
Source: https://blog.vulcan.io/vulnerability-remediation-in-the-ci-cd-pipeline-not-just-a-coding-issue
Disclaimer: not all of these tools are open source, but most of them are offered free of charge to open source projects.
With so many options, what can I do?!
How to decide
Define GOAL & expected OUTCOME
What is the purpose of:
• Scanning your code
• Analyzing your dependencies
• Running a vulnerability proxy
• Scanning your network
• Scanning endpoints/devices
• Monitoring your network traffic
• Running a forensic analysis on a HDD
• Adding a key management tool
Results must become deliverables with:
• Quantifiable data
• Baselined Key Performance Indicators
• Usefulness for security audits & compliance
• Tailoring to the cybersecurity landscape of the systems
• Feedback into threat & risk analysis
Training
• Comprehensive official documentation (contributors love documenting, right?)
• Find the creators and check if they are open to help
• GitHub issues are a great way to learn
• StackOverflow…
• Blog posts
• YouTube videos
• Books: O’Reilly has a huge library of books covering how-tos on many open source tools
• From time to time companies or individuals close to the project provide on-site/on-line training: go for it!
Features
• Need a GUI?
• Need a CLI?
• Integration: matches the current CI/CD pipeline
• Reports: single run, historical data
• Extensible: plugin architecture, modular architecture, codebase easy to maintain
Support
Remember, most open source licenses provide no warranty.
• Only community support
• Supported by a company
• Premium support available
Is it an active community?
• Check if there are recent commits
• Communication channels: Slack, mailing lists, GitHub issues
Integration
Strategy 1: Pre-commit hooks
Strategy 2: On artifact build
Strategy 3: On deploy to lower environments
Using a mix of strategies can leverage multiple benefits, BUT… it might require more maintenance, extra resources ($) and increased complexity.
Most security tools can be integrated with a CI/CD pipeline. Scanners can be configured to run automatically on cloud/on-premise infrastructure.
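One way to turn the "quantifiable data, baselined KPIs" deliverable and the three integration strategies above into a working CI gate, as an added example that is not part of the talk: a Python script (all names hypothetical) that takes tool-neutral findings, computes per-severity KPIs, diffs them against a triaged baseline and blocks according to which strategy (pre-commit, build, deploy to lower environments) is running. The findings shape, the baseline and the thresholds are constructed assumptions, not any scanner's real report format or the talk's own policy.

```python
"""CI security gate: scanner findings -> KPIs -> comparison against a baseline.

Added example (not from the talk). The findings format is a constructed,
tool-neutral shape (id, severity, location) that a small adapter would
produce from a real report (ZAP, Snyk, Lynis, ...); that adapter is assumed.
"""
import json
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low", "info")
SEVERITY_RANK = {name: i for i, name in enumerate(SEVERITIES)}  # lower = worse

# Constructed sample: output of a hypothetical adapter for one SAST/DAST run.
SAMPLE_FINDINGS = [
    {"id": "dep:lodash:prototype-pollution", "severity": "high",
     "location": "package-lock.json"},
    {"id": "web:missing-csp-header", "severity": "medium", "location": "/"},
    {"id": "web:cookie-without-httponly", "severity": "low", "location": "/login"},
    {"id": "code:sql-string-concat", "severity": "critical",
     "location": "app/db.py:42"},
]

# Constructed baseline from a previous, already triaged run: accepted findings
# are tracked by id, so only *new* findings can block a pipeline, and the KPI
# snapshot lets us report regressions (the "historical data" a report needs).
SAMPLE_BASELINE = {
    "accepted": ["web:missing-csp-header", "web:cookie-without-httponly"],
    "kpi": {"critical": 0, "high": 1, "medium": 1, "low": 1, "info": 0},
}

# Gate threshold per integration strategy (illustrative policy, assumed):
# a new finding at this severity or worse fails the run.
STRATEGY_THRESHOLD = {
    "pre-commit": "critical",   # fast feedback: block only new criticals
    "build": "high",            # artifact build: block new high or worse
    "deploy-lower": "medium",   # lower environments: stricter, still not prod
}


def kpis(findings):
    """Count findings per severity: the quantifiable data for the report."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def new_findings(findings, baseline):
    """Findings whose id is not in the baseline's accepted list."""
    accepted = set(baseline.get("accepted", []))
    return [f for f in findings if f["id"] not in accepted]


def gate(findings, baseline, strategy):
    """Return (passed, report).

    Fails when any new finding is at or above the strategy's severity
    threshold; the report also lists per-severity regressions vs the baseline
    KPIs so a non-blocking run still surfaces a worsening trend.
    """
    threshold = SEVERITY_RANK[STRATEGY_THRESHOLD[strategy]]
    fresh = new_findings(findings, baseline)
    blocking = [f for f in fresh if SEVERITY_RANK[f["severity"]] <= threshold]
    current = kpis(findings)
    previous = baseline.get("kpi", {})
    regressions = {s: current[s] - previous.get(s, 0)
                   for s in SEVERITIES if current[s] > previous.get(s, 0)}
    report = {
        "strategy": strategy,
        "kpi": current,
        "new": [f["id"] for f in fresh],
        "blocking": [f["id"] for f in blocking],
        "regressions": regressions,
    }
    return (not blocking), report


if __name__ == "__main__":
    # Run the same findings through each strategy to see how the gate differs.
    for name in STRATEGY_THRESHOLD:
        ok, rep = gate(SAMPLE_FINDINGS, SAMPLE_BASELINE, name)
        print("PASS" if ok else "FAIL", json.dumps(rep, indent=2))
```

Storing the report's `kpi` block as the next baseline after each triaged run is what turns single-run numbers into the historical data the slides ask for.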
Thank you!

Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 

Build your cybersecurity stack with open source (slide transcript)

  • 10. Cybersecurity example (A)
    "…We've been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection… includes usernames, email addresses, salted, hashed passwords…."
    By the way, the forum was running phpBB 3.1, an open-source forum board. The breach could have been mitigated by running an up-to-date, patched version of phpBB.
    Source: https://ethhack.com/2019/09/xkcd-forum-hacked-over-562000-users-account-details-leaked/
  • 11. Cybersecurity example (B): Mexico's Pemex Oil Suffers Ransomware Attack, $4.9 Million Demanded
    "Security researchers were able to find the malware sample which confirms the DoppelPaymer infection… Pemex was probably targeted by an initial infection of the Emotet Trojan which eventually provided network access… then have used Cobalt Strike and PowerShell Empire to spread the ransomware…"
    Emotet has a modular architecture, and the intrusion chain around it relies on open-source tooling (PowerShell Empire is open source). Behavioural signatures for Emotet are available for Cuckoo Sandbox, the open-source malware analysis tool.
    Source: https://www.bleepingcomputer.com/news/security/mexicos-pemex-oil-suffers-ransomware-attack-49-million-demanded/
  • 12. Cybersecurity example (C): A case study in industry collaboration: Poisoned RDP vulnerability disclosure and response
    "In his research into reverse RDP attacks, Eyal Itkin found that for mstsc.exe, this technique, also referred to as lazy lateral movement, was possible through the clipboard sharing channel."
    "Check Point Research recently discovered multiple vulnerabilities in (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional… There are also some popular open-source clients for the RDP protocol that are used mainly by Linux and Mac users."
    Sources: https://www.microsoft.com/security/blog/2019/08/07/a-case-study-in-industry-collaboration-poisoned-rdp-vulnerability-disclosure-and-response/ and https://research.checkpoint.com/2019/reverse-rdp-attack-code-execution-on-rdp-clients/
  • 13. Common denominator
    • Popular website (example A): forum • open-source tool • not patched
    • Large corporation (example B): spear phishing • established foothold • install ransomware • known malware signatures • open-source modules • public open-source signatures
    • Windows Remote Desktop Protocol (example C): enterprise client analyzed • open-source clients analyzed • static analysis to identify vulnerabilities
  • 17. THE Hacking Culture
    Particularly creative people who define themselves partly by rejection of "normal" values and working habits; a subculture of individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes; what matters is the manner in which it is done and whether it is something exciting and meaningful.
    Sources: https://en.wikipedia.org/wiki/Hacker_culture and http://catb.org/jargon/html/introduction.html. Please read the book "The Cathedral and the Bazaar" by Eric S. Raymond.
  • 18. The cyber security community embraces collaboration, openness and meritocracy, derived from its hacking subculture(s).
  • 19. How to choose the right tool for the right job
  • 20. There is a HUGE list of FOSS tools for cybersecurity.
  • 21. Where to find open-source security tools
    • GitHub / GitLab
    • SourceForge
    • Academic institutions, e.g. Carnegie Mellon University SEI: https://www.sei.cmu.edu/publications/software-tools/
    • Organizations promoting security: OWASP: https://owasp.org; National Security Agency: https://github.com/nationalsecurityagency
    • Within enterprise security tools: some commercial products are built on core open-source projects
  • 22. Now: Let Me Google That For You
    • Snort: intrusion detection/prevention system
    • OpenVAS: vulnerability scanner forked from the last open-source release of Nessus
    • Nmap: the good old-school network scanner
    • Nagios Core: community edition of the Nagios network/infrastructure monitor
    • Ettercap: simulate MITM attacks
    • Infection Monkey: breach and attack simulation with a great GUI
    • Metasploit: framework to automate vulnerability testing (exploits)
    • Cuckoo Sandbox: malware analysis sandbox
    • Autopsy: GUI forensic tool for disk images
    • Lynis: security auditing tool for Unix-like hosts; inventories installed software, versions and known vulnerabilities
    Source: https://www.darkreading.com/threat-intelligence/10-open-source-security-tools-you-should-know/d/d-id/1331913
  • 23. For the hoodie h4x0r in the room, join: https://t.me/bugbountyes
  • 24. OWASP Zed Attack Proxy Project
    The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools. It can automatically find security vulnerabilities in web applications, it can be integrated into a CI/CD pipeline, and it is a great tool for experienced pen testers to use for manual security testing.
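How the "integrate it in a CI/CD pipeline" part looks in practice, as an added example that is not code from the ZAP project or from the talk: a gate script that reads a ZAP JSON report, compares it with the report from the previous run (the baseline), and fails the build only on new findings at or above a chosen risk level, so a team can adopt the scanner without first fixing every historical alert. The report layout (site → alerts → pluginid / alert / riskcode / instances) is assumed to follow ZAP's traditional JSON report; the two reports embedded below are constructed, and the staging host name is hypothetical.

```python
"""CI gate for an OWASP ZAP JSON report.

Added example: not code from the ZAP project or from the original talk.
Assumptions: the report layout (site -> alerts -> pluginid/alert/riskcode/
instances) follows ZAP's traditional JSON report; SAMPLE_REPORT and
BASELINE_REPORT are constructed, and the target host is hypothetical.
"""
import json
import sys
from collections import Counter

# ZAP risk codes as emitted in "riskcode" (strings in the report).
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

TARGET = "https://staging.example.test"  # hypothetical target

# Constructed "current run": one Medium, one High and one Low alert.
SAMPLE_REPORT = json.dumps({"site": [{"@name": TARGET, "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "instances": [{"uri": TARGET + "/"}]},
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
     "riskcode": "3", "instances": [{"uri": TARGET + "/search?q=x"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": TARGET + "/"}]},
]}]})

# Constructed "previous run" baseline: the Medium and Low alerts were already
# known, so a gate on *new* findings must block only the High one.
BASELINE_REPORT = json.dumps({"site": [{"@name": TARGET, "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "riskcode": "2", "instances": [{"uri": TARGET + "/"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
     "riskcode": "1", "instances": [{"uri": TARGET + "/"}]},
    {"pluginid": "10096", "alert": "Timestamp Disclosure",
     "riskcode": "1", "instances": [{"uri": TARGET + "/old"}]},
]}]})


def load_findings(report_json):
    """Flatten a report into {(pluginid, uri): (alert name, risk int)}.

    Keying on plugin id + URI (not on alert text) keeps the baseline stable
    when ZAP reorders alerts or rewords descriptions between versions.
    """
    findings = {}
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            instances = alert.get("instances") or [{"uri": site.get("@name", "")}]
            for inst in instances:
                findings[(alert["pluginid"], inst["uri"])] = (alert["alert"], risk)
    return findings


def evaluate(report_json, baseline_json=None, fail_at=3):
    """Return (ok, summary).

    Findings present in the baseline are counted but do not fail the build;
    new findings with risk >= fail_at do. fail_at=3 blocks only on High.
    """
    current = load_findings(report_json)
    baseline = load_findings(baseline_json) if baseline_json else {}
    new = {k: v for k, v in current.items() if k not in baseline}
    fixed = [k for k in baseline if k not in current]
    blocking = {k: v for k, v in new.items() if v[1] >= fail_at}
    summary = {
        "total": len(current),
        "new": len(new),
        "fixed": len(fixed),
        "blocking": len(blocking),
        "by_risk": dict(Counter(RISK_NAMES[r] for _, r in current.values())),
        "blocking_alerts": sorted(f"{name} @ {uri}"
                                  for (_, uri), (name, _) in blocking.items()),
    }
    return (not blocking), summary


if __name__ == "__main__":
    # Pipeline usage: python zap_gate.py report.json [baseline.json]
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    baseline = open(sys.argv[2]).read() if len(sys.argv) > 2 else BASELINE_REPORT
    ok, summary = evaluate(report, baseline)
    print(json.dumps(summary, indent=2))
    sys.exit(0 if ok else 1)
```

The summary (total, new, fixed, blocking, counts by risk) is the kind of quantifiable deliverable the "define goal and expected outcome" slide asks for: it can be stored per run and trended as a KPI, while the exit status is what the pipeline acts on. Raising `fail_at` to 4 turns the gate into report-only mode, which is a sensible first step before the team commits to blocking builds.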
  • 25. SAST (Static Application Security Testing) and related pipeline scanners
    • https://snyk.io/ (dependency / SCA scanning)
    • https://www.sonarqube.org/sonarqube-8-0/ (static code analysis)
    • https://docs.renovatebot.com/ (automated dependency updates)
    • https://github.com/archerysec (vulnerability management and scan orchestration)
    • https://github.com/hawkeyesec (project dependency and secret scanning)
    • https://coreos.com/clair/docs/latest/ (container image vulnerability scanning)
    • https://www.whitesourcesoftware.com/open-source-security/ (open-source component and license management)
    Source: https://blog.vulcan.io/vulnerability-remediation-in-the-ci-cd-pipeline-not-just-a-coding-issue
    Disclaimer: not all of these tools are open source, but most of them are offered free of charge for open-source projects. Note also that only some of them are strictly SAST; the rest scan dependencies or container images, which complements rather than replaces static analysis of your own code.
  • 26. With so many options, what can I do? How to decide
  • 27. Define GOAL & expected OUTCOME
    What is the purpose of: scanning your code • analyzing your dependencies • running a vulnerability proxy • scanning your network • scanning endpoints/devices • monitoring your network traffic • running a forensic analysis on a HDD • adding a key management tool
    Results must become deliverables with: quantifiable data • baselining • key performance indicators • usefulness for security audits & compliance • tailoring to the cybersecurity landscape of the systems • retro-feedback into threat & risk analysis
  • 28. Training
    • Comprehensive official documentation (contributors love documenting, right?)
    • Find the creators and check if they are open to help
    • GitHub issues are a great way to learn
    • StackOverflow, blog posts, YouTube videos
    • Books: O'Reilly has a huge library covering how-tos for many open-source tools
    • From time to time companies or individuals close to the project provide on-site/online training: go for it!
  • 29. Features
    • Need a GUI? Need a CLI?
    • Integration: matches the current CI/CD pipeline
    • Reports: single run and historical data
    • Extensible: plugin architecture, modular architecture, codebase easy to maintain
  • 30. Support
    • Remember, most open-source licenses provide no warranty
    • Only community support, supported by a company, or premium support available?
    • Is it an active community? Check if there are recent commits
    • Communication channels: Slack • mailing lists • GitHub issues
  • 32. Strategy 1: Pre Commit Hooks
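Strategy 1 in working form, as an added example that is not part of the original deck: a git pre-commit hook that scans the staged version of each file for credential-looking strings and rejects the commit if any are found, so secrets never reach the repository in the first place. The three regex rules and the `pragma: allowlist secret` opt-out marker are illustrative choices made here, not a complete rule set, and the sample file content is constructed; for production use a dedicated tool (gitleaks, detect-secrets) with maintained patterns.

```python
#!/usr/bin/env python3
"""Pre-commit hook: block commits that stage credential-looking strings.

Added example, not code from the original talk. Install by saving as
.git/hooks/pre-commit and making it executable. The patterns below are
hypothetical, deliberately small rules; real hooks carry many more.
"""
import re
import subprocess
import sys

# (rule name, compiled regex). Assumed/illustrative rule set.
PATTERNS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("Private key block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Hard-coded password",
     re.compile(r"(?i)\bpassword\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
]
ALLOWLIST_MARKER = "pragma: allowlist secret"  # per-line opt-out after review

# Constructed sample of a staged file, used when run outside a git repo.
SAMPLE_STAGED = (
    "aws_key = 'AKIAABCDEFGHIJKLMNOP'\n"
    "retries = 3\n"
    'password = "hunter22"\n'
)


def scan_text(path, text):
    """Return [(path, line_number, rule_name)] for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, rx in PATTERNS:
            if rx.search(line):
                hits.append((path, lineno, name))
    return hits


def staged_files():
    """Paths staged for commit (added/copied/modified), as git reports them."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path):
    """Contents of the *staged* blob (':path'), not the working-tree file,
    so edits made after 'git add' cannot bypass the check."""
    return subprocess.run(["git", "show", f":{path}"],
                          capture_output=True, text=True, check=True).stdout


def main(argv):
    if "--demo" in argv:                     # run against the constructed sample
        hits = scan_text("config.py", SAMPLE_STAGED)
    else:
        hits = []
        for path in staged_files():
            try:
                hits.extend(scan_text(path, staged_content(path)))
            except (subprocess.CalledProcessError, UnicodeDecodeError):
                continue                      # binary/unreadable: skip, don't block
    for path, lineno, name in hits:
        print(f"{path}:{lineno}: {name}", file=sys.stderr)
    if hits:
        print(f"commit rejected: remove the secret, or append "
              f"'# {ALLOWLIST_MARKER}' to the line after review", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Reading the staged blob with `git show :path` rather than the file on disk is the detail that makes the hook trustworthy: the working tree can differ from what is about to be committed. A client-side hook is still only a convenience (a developer can skip it with `--no-verify`), which is why the same scan belongs in Strategy 2 on the build server as well.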
  • 33. Strategy 2: On Artifact Build
  • 34. Strategy 3: On Deploy to lower environments
  • 35. Using a mix of strategies can combine their benefits, BUT it might require more maintenance, extra resources ($) and increased complexity.
  • 36. Most security tools can be integrated with a CI/CD pipeline
  • 37. Scanners can be configured to run automatically on cloud/on-premise infrastructure