Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly

OWASP Kyiv
OWASP Kyiv
Mar. 4, 2018
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly
1 of 79

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly

Mar. 4, 2018
Download to read offline
Technology

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly

OWASP Kyiv
OWASP Kyiv

Recommended

Avoiding damage, shame and regrets data protection for mobile client-server a...Avoiding damage, shame and regrets data protection for mobile client-server a...
Avoiding damage, shame and regrets data protection for mobile client-server a...Stanfy7.1K views65 slides
LambHack: A Vulnerable Serverless ApplicationLambHack: A Vulnerable Serverless Application
LambHack: A Vulnerable Serverless ApplicationJames Wickett583 views35 slides
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...
DevSecCon Singapore 2018 - Maginot Line – 6 Common AppSec Anti-Patterns Preve...DevSecCon137 views36 slides
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareAmit Serper659 views58 slides
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP372 views78 slides
REST API Pentester's perspectiveREST API Pentester's perspective
REST API Pentester's perspectiveSecuRing4.7K views72 slides

More Related Content

Slideshows for you

New Farming Methods in the Epistemological Wasteland of Application SecurityNew Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application SecurityJames Wickett18.3K views159 slides
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing702 views54 slides
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018SecuRing3.9K views73 slides
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Lacework524 views46 slides
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSSSonatype 1.2K views17 slides
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/GreenSonatype 266 views66 slides

Slideshows for you(20)

New Farming Methods in the Epistemological Wasteland of Application SecurityNew Farming Methods in the Epistemological Wasteland of Application Security
New Farming Methods in the Epistemological Wasteland of Application Security
James Wickett18.3K views
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing702 views
Testing iOS apps without jailbreak in 2018Testing iOS apps without jailbreak in 2018
Testing iOS apps without jailbreak in 2018
SecuRing3.9K views
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework524 views
Automated Infrastructure Security: Monitoring using FOSSAutomated Infrastructure Security: Monitoring using FOSS
Automated Infrastructure Security: Monitoring using FOSS
Sonatype 1.2K views
Prepare to defend thyself with Blue/GreenPrepare to defend thyself with Blue/Green
Prepare to defend thyself with Blue/Green
Sonatype 266 views
Putting Rugged Into your DevOps ToolchainPutting Rugged Into your DevOps Toolchain
Putting Rugged Into your DevOps Toolchain
James Wickett1.8K views
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Frans Rosén1.6K views
Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: w...Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: w...
Lviv MD Day 2015 Анастасія Войтова "Data transfer security for mobile apps: w...
Lviv Startup Club542 views
Hardening Your Config Management - Security and Attack Vectors in Config Mana...Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Hardening Your Config Management - Security and Attack Vectors in Config Mana...
Peter Souter1K views
DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating ...DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating ...
DevSecCon Boston 2018: Securing the Automated Pipeline: A Tale of Navigating ...
DevSecCon159 views
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
Adam Baldwin141 views
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland
CODE BLUE406 views
Multi Factor Authetification - ZendCon 2017Multi Factor Authetification - ZendCon 2017
Multi Factor Authetification - ZendCon 2017
Philippe Gamache676 views
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
Frans Rosén2.8K views
Security as CodeSecurity as Code
Security as Code
Ed Bellis2.4K views
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes BackBSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework606 views
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon518 views
Attacking AWS: the full cyber kill chainAttacking AWS: the full cyber kill chain
Attacking AWS: the full cyber kill chain
SecuRing2.9K views
Applying principles of chaos engineering to serverless (O'Reilly Software Arc...Applying principles of chaos engineering to serverless (O'Reilly Software Arc...
Applying principles of chaos engineering to serverless (O'Reilly Software Arc...
Yan Cui1.7K views

Similar to Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly

The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CDJames Wickett125.7K views96 slides
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...mdevtalk245 views69 slides
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-daysZoltan Balazs2.3K views49 slides
Threat stack awsThreat stack aws
Threat stack awsJen Andre1.6K views83 slides
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS BaggageJan Schaumann789 views51 slides
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018Steve Poole436 views105 slides

Similar to Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly(20)

The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett125.7K views
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
Anastasiia Vixentael: 10 things you need to know before implementing cryptogr...
mdevtalk245 views
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
Threat stack awsThreat stack aws
Threat stack aws
Jen Andre1.6K views
The Razors Edge - Cutting your TLS BaggageThe Razors Edge - Cutting your TLS Baggage
The Razors Edge - Cutting your TLS Baggage
Jan Schaumann789 views
Anatomy of Java Vulnerabilities - NLJug 2018Anatomy of Java Vulnerabilities - NLJug 2018
Anatomy of Java Vulnerabilities - NLJug 2018
Steve Poole436 views
DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett4.3K views
The DevSecOps Builder’s Guide to the CI/CD PipelineThe DevSecOps Builder’s Guide to the CI/CD Pipeline
The DevSecOps Builder’s Guide to the CI/CD Pipeline
James Wickett609 views
You wanna crypto in AEMYou wanna crypto in AEM
You wanna crypto in AEM
Damien Antipa3.1K views
The Emergent Cloud Security Toolchain for CI/CDThe Emergent Cloud Security Toolchain for CI/CD
The Emergent Cloud Security Toolchain for CI/CD
James Wickett329 views
sharing the data using audio and image Steganography- sharing the data using audio and image Steganography-
sharing the data using audio and image Steganography-
Nikhil Praharshi547 views
Maturing DevSecOps: From Easy to High ImpactMaturing DevSecOps: From Easy to High Impact
Maturing DevSecOps: From Easy to High Impact
SBWebinars479 views
Secure Channels PresentationSecure Channels Presentation
Secure Channels Presentation
Richard Blech569 views
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates4.6K views
KiwiCon 2016 - Kicking Orion's AssetsKiwiCon 2016 - Kicking Orion's Assets
KiwiCon 2016 - Kicking Orion's Assets
Rob Fuller30.7K views
Making Security Usable: Product Engineer PerspectiveMaking Security Usable: Product Engineer Perspective
Making Security Usable: Product Engineer Perspective
C4Media159 views
Pre-Quiz Symantec Endpoint EncryptionPre-Quiz Symantec Endpoint Encryption
Pre-Quiz Symantec Endpoint Encryption
Matt Dawdy730 views
Cqcon2015Cqcon2015
Cqcon2015
Antonio Sanso3.2K views
Data transfer security for mobile appsData transfer security for mobile apps
Data transfer security for mobile apps
Stanfy2.8K views
Practical Cryptography and Security Concepts for DevelopersPractical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün736 views

More from OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv246 views34 slides
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостямиOWASP Kyiv197 views21 slides
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv153 views31 slides
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonOWASP Kyiv600 views12 slides
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101OWASP Kyiv466 views17 slides
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityOWASP Kyiv2.4K views25 slides

More from OWASP Kyiv(20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
OWASP Kyiv246 views
Software Supply Chain Security та компоненти з відомими вразливостямиSoftware Supply Chain Security та компоненти з відомими вразливостями
Software Supply Chain Security та компоненти з відомими вразливостями
OWASP Kyiv197 views
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv153 views
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
OWASP Kyiv600 views
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
OWASP Kyiv466 views
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
OWASP Kyiv2.4K views
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
OWASP Kyiv432 views
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
OWASP Kyiv525 views
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
OWASP Kyiv362 views
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
OWASP Kyiv590 views
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
OWASP Kyiv344 views
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
OWASP Kyiv815 views
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
OWASP Kyiv343 views
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
OWASP Kyiv1.1K views
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
OWASP Kyiv647 views
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
OWASP Kyiv1.5K views
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
OWASP Kyiv636 views
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
OWASP Kyiv412 views
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
OWASP Kyiv370 views
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
OWASP Kyiv548 views

Recently uploaded

Artificial Intelligence (AI).pptxArtificial Intelligence (AI).pptx
Artificial Intelligence (AI).pptxSharifulShishir49 views26 slides
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptxSnehaAggarwal40119 views20 slides
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptxAlok Ranjan51 views12 slides
Daily Scrum, Sprint Review & Retrospective.pptxDaily Scrum, Sprint Review & Retrospective.pptx
Daily Scrum, Sprint Review & Retrospective.pptxMd. Rakib Trofder90 views12 slides
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...DianaGray1067 views14 slides
Mitigating Common CloudStack Instance Deployment FailuresMitigating Common CloudStack Instance Deployment Failures
Mitigating Common CloudStack Instance Deployment FailuresShapeBlue109 views18 slides

Recently uploaded(20)

Artificial Intelligence (AI).pptxArtificial Intelligence (AI).pptx
Artificial Intelligence (AI).pptx
SharifulShishir49 views
GDSC23 - Info Session GDSC KIET (1).pptxGDSC23 - Info Session GDSC KIET (1).pptx
GDSC23 - Info Session GDSC KIET (1).pptx
SnehaAggarwal40119 views
Common - Concerns Around OpenAI.pptxCommon - Concerns Around OpenAI.pptx
Common - Concerns Around OpenAI.pptx
Alok Ranjan51 views
Daily Scrum, Sprint Review & Retrospective.pptxDaily Scrum, Sprint Review & Retrospective.pptx
Daily Scrum, Sprint Review & Retrospective.pptx
Md. Rakib Trofder90 views
AI and ML Series - Generative Extraction and Classification of Documents in S...AI and ML Series - Generative Extraction and Classification of Documents in S...
AI and ML Series - Generative Extraction and Classification of Documents in S...
DianaGray1067 views
Mitigating Common CloudStack Instance Deployment FailuresMitigating Common CloudStack Instance Deployment Failures
Mitigating Common CloudStack Instance Deployment Failures
ShapeBlue109 views
NoSQL Database Migration Masterclass - Session 3: Migration LogisticsNoSQL Database Migration Masterclass - Session 3: Migration Logistics
NoSQL Database Migration Masterclass - Session 3: Migration Logistics
ScyllaDB27 views
AI and ML Series - Introduction to Generative AI and LLMs - Session 1AI and ML Series - Introduction to Generative AI and LLMs - Session 1
AI and ML Series - Introduction to Generative AI and LLMs - Session 1
DianaGray10179 views
GDSC23 SAC - Info Session GDSC.pptxGDSC23 SAC - Info Session GDSC.pptx
GDSC23 SAC - Info Session GDSC.pptx
SAC221 views
Workshop on IoT and Basic Home Automation_BAIUST.pptxWorkshop on IoT and Basic Home Automation_BAIUST.pptx
Workshop on IoT and Basic Home Automation_BAIUST.pptx
Redwan Ferdous27 views
ECE ANURANAN 2023ECE ANURANAN 2023
ECE ANURANAN 2023
Bishal20Hazarika103448 views
NTGapps DTB Platform.pdfNTGapps DTB Platform.pdf
NTGapps DTB Platform.pdf
Mustafa Kuğu165 views
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
zkStudyClub - Lasso/Jolt (Justin Thaler, GWU/a16z)
Alex Pruden17 views
Generative AI PotentialGenerative AI Potential
Generative AI Potential
Kapil Khandelwal (KK)25 views
dvss.pptdvss.ppt
dvss.ppt
SaikrishnaCheruvu1354 views
GDSC_Info_Session_KITTiptur.pptxGDSC_Info_Session_KITTiptur.pptx
GDSC_Info_Session_KITTiptur.pptx
RadhikaNA38 views
Asterisk UpdateAsterisk Update
Asterisk Update
OpenDireito15 views
Info Session GDSC Mepco Sechenk Chapter.pptxInfo Session GDSC Mepco Sechenk Chapter.pptx
Info Session GDSC Mepco Sechenk Chapter.pptx
DURAIVIGNESHC15 views
GDSC Final PPT.pptxGDSC Final PPT.pptx
GDSC Final PPT.pptx
DishaSharma73798420 views
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
OpenFOAM benchmark for EPYC server -Influence of coarsestLevelCorr in GAMG so...
takuyayamamoto180014 views

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use It Properly

  1. DON’T WASTE TIME ON LEARNING CRYPTOGRAPHY: BETTER USE IT PROPERLY #owaspkyiv @vixentael
  2. @vixentael Product Engineer Feel free to reach me with any mobile security questions. I do check my inbox :)
  3. We want to protect our users’ data
  4. We want developers to protect data
  5. We want to protect our users’ data HOW? We want developers to protect data
  6. WE HAVE USER DATA. WHAT SHALL WE DO?
  7. #owaspkyiv @vixentael 1. DEFINING THE DATA SCOPE sensitive user data GDPR / HIPAA / PCI DSS tech data (keys, logs)
  8. #owaspkyiv @vixentael 1. DEFINING THE DATA SCOPE sensitive user data GDPR / HIPAA / PCI DSS tech data (keys, logs) mistake 1. wrong scope definition
  9. #owaspkyiv @vixentael 2. SELECTING ALGORITHM twofish sha1 des md5
  10. twofish sha1 des md5 #owaspkyiv @vixentael 2. SELECTING ALGORITHM mistake 2. bad algo selection
  11. #owaspkyiv @vixentael THINGS TO DECIDE ON KEY LENGTHDATA SCOPE ALGORITHM
  12. #owaspkyiv @vixentaelhttps://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM
  13. #owaspkyiv @vixentaelhttps://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM
  14. #owaspkyiv @vixentaelhttps://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption 3. USING ALGORITHM mistake 3. wrong params
  15. #owaspkyiv @vixentael THINGS TO DECIDE ON PADDING KEY LENGTH MODE DATA SCOPE ALGORITHM IV
  16. #owaspkyiv @vixentael 4. KEY MANAGEMENT user password keys KDF
  17. #owaspkyiv @vixentael 4. KEY MANAGEMENT user password keys KDF mistake 4. bad key management
  18. #owaspkyiv @vixentael THINGS TO DECIDE ON PADDING KEY LENGTH KEY ROTATION MODE KEY DERIVATION KEY STORAGE KEY EXCHANGE DATA SCOPE ALGORITHM IV KEY REVOCATION
  19. #owaspkyiv @vixentael 5. INFRASTRUCTURE
  20. #owaspkyiv @vixentael PADDING KEY LENGTH KEY ROTATION MODE KEY DERIVATION KEY STORAGE THINGS TO DECIDE ON KEY EXCHANGE BACKUPSPLATFORMS DATA SCOPE ALGORITHM IV KEY REVOCATION
  21. #owaspkyiv @vixentaelhttps://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf 269 CVEs from 2011-2014 17% 83% bugs inside crypto libs misuses of crypto libs by individual apps
  22. AS USERS WE WANT… more ciphers? #owaspkyiv @vixentael
  23. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA #owaspkyiv @vixentael
  24. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA OFB SHARK RC4 DSS ECB CTR SEED #owaspkyiv @vixentael Blowfish
  25. AES DES 3DES CBC CFB SEAL Salsa20 RSA DSA OFB Blowfish SHARK RC4 DSS ECB CTR Twofish Camelia SEED Rabbit ECDSA #owaspkyiv @vixentael
  26. AS USERS WE WANT… more ciphers! more vulnerabilities! more side channel attacks! more attacks! more constant time checks :) more protocols! more patches! #owaspkyiv @vixentael
  27. EXCITING, BUT FOR CRYPTO RESEARCHERS ONLY
  28. AS USERS WE WANT… more ciphers! BORING CRYPTO #owaspkyiv @vixentael
  29. BORING CRYPTO #owaspkyiv @vixentael — crypto that simply works, solidly resists attacks, never needs any upgrades https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Daniel J. Bernstein
  30. BORING CRYPTO #owaspkyiv @vixentael PLUG & PLAY
  31. WHAT DO WE WANT? instead of adjusting our resources — SOLVE USE-CASES!
  32. WHAT DO WE WANT? — HIGH-LEVEL FUNCTIONS I want to store data securely I want to send data securely I want to verify data integrity #owaspkyiv @vixentael
  33. WHAT DO WE WANT? store data securely send data securely verify data integrity key derivation key exchange key rotation sign/verify ephemeral keys encr / decr #owaspkyiv @vixentael — HIGH-LEVEL FUNCTIONS
  34. NOBODY READS DOCS #owaspkyiv @vixentael
  35. NOBODY READS DOCS #owaspkyiv @vixentael “docs are for experts” “I just want to try” “gimme code!”
  36. 1. HOW TO START? #owaspkyiv @vixentael pod try BoringSSL cmake -DANDROID_ABI=armeabi-v7a -DCMAKE_TOOLCHAIN_FILE=../third_party/ android-cmake/android.toolchain.cmake -DANDROID_NATIVE_API_LEVEL=16 -GNinja .. https://boringssl.googlesource.com/boringssl/+/HEAD/BUILDING.md
  37. #owaspkyiv @vixentael easy, architecture-independent installation 1. HOW TO START?
  38. 2. SUPPORTED PLATFORMS? #owaspkyiv @vixentael *nix OSX web browsers embedded iOS Android Windows minimum expected:
  39. #owaspkyiv @vixentael cross-platform is not an option anymore cross-platform is a must have 2. SUPPORTED PLATFORMS?
  40. OPTIONS WE HAVE
  41. #owaspkyiv @vixentael HSM
  42. #owaspkyiv @vixentael HARDWARE SECURITY MODULE key generation provides cryptoprocessing key storage portable
  43. #owaspkyiv @vixentael TRUSTED PLATFORM MODULE key management disk protection trust anchor built-in remote attestation provides cryptoprimitives
  44. #owaspkyiv @vixentael HSM & TPM: PROS fast hardware crypto! trusted environment known security guarantees keys calculations
  45. #owaspkyiv @vixentael HSM & TPM: CONS vendor lock / vendor trust bad for interactive encryption complicated to maintain (install, upgrade, support, not cross-platform)
  46. #owaspkyiv @vixentael HSM & TPM: PRO & CONS HSM app plaintext data plaintext data is far away from the place it is used
  47. #owaspkyiv @vixentael SOFTWARE CRYPTO SYSTEMS https://github.com/sobolevn/awesome-cryptography any kind of encryption plaintext data is closer to its usage cross-platform
  48. #owaspkyiv @vixentael SOFTWARE CRYPTO SYSTEMS https://github.com/sobolevn/awesome-cryptography any kind of encryption plaintext data is closer to its usage cross-platform NO DEVICE TRUST
  49. #owaspkyiv @vixentael WEBBROWSER CRYPTO: CONS DOM, XSS, NO CODE TRUST
  50. #owaspkyiv @vixentael HSM/TPM + SOFTWARE CS keys calculations TPM / HSM own software cross-platform take best from both
  51. #owaspkyiv @vixentael cross-platform easy to install easy to use USING CRYPTO SHOULD BE LIKE.. audited open source time proven well-documented
  52. #owaspkyiv @vixentael crypto-libs crypto-systems boxed solutions
  53. #owaspkyiv @vixentael 1. CRYPTO-LIBS libsodium themis https://github.com/sobolevn/awesome-cryptography implements single or multiple security functions keyczar noise
  54. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/themis/wiki/Python-Howto secure messaging with forward secrecy
  55. #owaspkyiv @vixentael 2. CRYPTO-SYSTEMS axolotl hermes combines security functions for solving exact use-case SSL/TLS ZeroKit
  56. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/hermes-core/wiki/Python-tutorial data access control based on crypto-keys python docs/examples/python/hermes_client.py --id user1 --config=docs/examples/python/config.json --private_key user1.priv --doc testfile --read
  57. #owaspkyiv @vixentael 3. BOXED SOLUTIONS truecrypt ssh acra vault unites crypto-systems and user functions for solving problems
  58. #owaspkyiv @vixentael EXAMPLE https://github.com/cossacklabs/acra/wiki/Trying-Acra-with-Docker database proxy for encrypting / decrypting go run cmd/acra_genkeys/acra_genkeys.go docker-compose -f docker/docker-compose.yml up -d
  59. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… boxed solutions
  60. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… crypto-systems boxed solutions no :(
  61. #owaspkyiv @vixentael CAN I SOLVE MY USE-CASE USING… crypto-libs crypto-systems boxed solutions no :( no :(
  62. https://www.cossacklabs.com/choose-your-ios-crypto.html
  63. THE WORLD DOESN’T HAVE A PROBLEM WITH NEW CRYPTO-ALGORITHMS.
  64. THE WORLD DOESN’T HAVE A PROBLEM WITH NEW CRYPTO-ALGORITHMS. PROBLEM IS THAT THEY ARE NOT BORING ENOUGH
  65. #owaspkyiv @vixentael
  66. #owaspkyiv @vixentael VS
  67. #owaspkyiv @vixentael make the light controllable
  68. #owaspkyiv @vixentael
  69. #owaspkyiv @vixentael make the crypto security controllable
  70. #owaspkyiv @vixentael make the crypto security controllable and booooring
  71. #owaspkyiv @vixentael
  72. LINKS 1 Boring crypto, Daniel J. Bernstein https://cr.yp.to/talks/2015.10.05/slides-djb-20151005-a4.pdf Why does cryptographic software fail? https://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf API design for cryptography https://2017.hack.lu/archive/2017/hacklu-crypto-api.pdf
  73. LINKS 2 Encrypting strings in Android: Let’s make better mistakes https://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/ Awesome crypto papers https://github.com/pFarb/awesome-crypto-papers 12 And 1 Ideas How To Enhance Backend Data Security https://www.cossacklabs.com/backend-data-security-modern-ideas.html Attestation and Trusted Computing https://courses.cs.washington.edu/courses/csep590/06wi/finalprojects/bare.pdf
  74. MY OTHER SECURITY SLIDES https://github.com/ vixentael/my-talks …and more
  75. @vixentael Product Engineer Feel free to reach me with any mobile security questions. I do check my inbox :)