Protocol buffers are a flexible, efficient, automated mechanism for serializing structured data, it's used due to its simplicity and performance. It supports many languages and can be used with scala using Scala PB.
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
Presentation at NetPonto community: "We’re going to discuss gRPC, Google’s open-source RPC framework. I’ll dive a bit into the history of RPC as a protocol, and what its historical use has been. I’ll also highlight some benefits to adopt gRPC and how its possible to swap out parts of gRPC and still take advantage of gRPC’s benefits. Finally I’ll answer the question that has been on many lips since gRPC was announced — what does this mean for REST?"
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP.
Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE.
He will cover Automating security tests using Selenium and OWASP ZAP.
In this intriguing meetup, you will learn:
1. Introduction to automated vulnerability scans and their limitations.
2. A short introduction to how functional tests can be useful in performing robust security tests.
3. Introduction to selenium and OWASP ZAP
4. Proxying selenium tests through OWASP ZAP
5. Invoking authenticated active scans using OWASP ZAP
6. Obtaining scan reports
… and more useful takeaways!
Protocol buffers are a flexible, efficient, automated mechanism for serializing structured data, it's used due to its simplicity and performance. It supports many languages and can be used with scala using Scala PB.
Effective security requires a layered approach. If one layer is comprised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing providence for the artifacts in a container image, and restricting kernel level tunables in the container runtime (seccomp, SELinux, capabilities, etc). What if we can detect abnormal behavior in the application and the container runtime environment as well? In this talk, we’ll present Falco - an open source project for runtime security - and discuss how it provides application and container runtime security. We will show how Falco taps Linux system calls to provide low level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally we will show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, & how Falco can provide runtime security and incident response.
Presentation at NetPonto community: "We’re going to discuss gRPC, Google’s open-source RPC framework. I’ll dive a bit into the history of RPC as a protocol, and what its historical use has been. I’ll also highlight some benefits to adopt gRPC and how its possible to swap out parts of gRPC and still take advantage of gRPC’s benefits. Finally I’ll answer the question that has been on many lips since gRPC was announced — what does this mean for REST?"
Automating security test using Selenium and OWASP ZAP - Practical DevSecOpsMohammed A. Imran
In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP.
Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE.
He will cover Automating security tests using Selenium and OWASP ZAP.
In this intriguing meetup, you will learn:
1. Introduction to automated vulnerability scans and their limitations.
2. A short introduction to how functional tests can be useful in performing robust security tests.
3. Introduction to selenium and OWASP ZAP
4. Proxying selenium tests through OWASP ZAP
5. Invoking authenticated active scans using OWASP ZAP
6. Obtaining scan reports
… and more useful takeaways!
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
Introduction to React-Native
- Difference between React & ReactNative
- Why one should use ReactNative?
- Basic Components
- Life Cycle of Component
- Environment Setup
API testing is a type of software testing that involves testing application programming interfaces (APIs) directly and as part of integration testing to determine if they meet expectations for functionality, reliability, performance, and security.
An introduction to KrakenD, the ultra-high performance API Gateway with middlewares. An opensource tool built using go that is currently serving traffic in major european sites.
There might be two different scenarios while API testing. One when you are consuming API from other providers and the other one when you are designing API for your own application.
When you are developing API for your application, you should start for white box testing. The basic approaches are : unit testing, integration testing, edge test cases and security testing.
DevOps has become possible largely due to a combination of new operations tools and established agile engineering practices, but these are not enough to realise the benefits of DevOps. Even with the best tools, DevOps is just a buzzword if you don't have the right culture. Join Rouan as he explores what DevOps culture looks like and how it supports rapid, scalable production releases. He'll talk about collaboration and how important shared responsibility is to enable it. He'll cover the cultural shifts that need to happen within an organisation in order to support DevOps, including supporting autonomous teams and breaking down silos. He'll also provide some insight into the culture of successful teams in a DevOps environment, by showing you how they build quality in, focus on feedback and automate (almost) everything.
API Testing: The heart of functional testing" with Bj RollisonTEST Huddle
View webinar: http://www.eurostarconferences.com/community/member/webinar-archive/webinar-81-api-testing-the-heart-of-functional-testing
An API, or Application Programming Interface, is a collection of functions that provide much of the functional capabilities in complex software systems. Most customers are accustomed to interacting with a graphical user interface on the computer. But, many customers do not realize the much of the functionality of a program comes from APIs in the operating system or program's dynamic-link libraries (DLL). So, if the business logic or core functionality is exposed via an API call then and if we want to find functional bugs sooner than API testing may be an approach that provides additional value in your overall test strategy. Additionally, API testing can start even before the user interface is complete so functional capabilities can be tested while designers are hashing out the "look and feel." API testing will not replace testing through the user interface, but it can augment your test strategy and provide a solid foundation of automated tests that increase your confidence in the functional quality of your product.
22nd Athens Big Data Meetup - 1st Talk - MLOps Workshop: The Full ML Lifecycl...Athens Big Data
Title: MLOps Workshop: The Full ML Lifecycle - How to Use ML in Production
Speakers: Spyros Cavadias (https://www.linkedin.com/in/spyros-cavadias/), Konstantinos Pittas (https://www.linkedin.com/in/konstantinos-pittas-83310270/), Thanos Gkinakos (https://www.linkedin.com/in/thanos-gkinakos-03582a128/)
Date: Saturday, December 17, 2022
Event: https://www.meetup.com/athens-big-data/events/289927468/
AManaging Kong API Gateway with TerraformByungjin Park
2018년 10월 23일 진행된 하시코프 한국 사용자 모임 두 번째 밋업 발표 자료 입니다.
# Terraform으로 Kong API Gateway 관리하기
박병진, Site Reliability Engineer @ Kasa
Abstract:
Kong은 Nginx와 Lua를 기반으로 하는 오픈소스 API Gateway입니다. 본 세션에서는 API Gateway가 무엇인지, Kong을 선택한 이유와 사용 방법, Terraform을 이용하여 Kong을 관리한 경험을 공유합니다.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
With Apache Kafka’s rise for event-driven architectures, developers require a specification to design effective event-driven APIs. AsyncAPI has been developed based on OpenAPI to define the endpoints and schemas of brokers and topics. For Kafka applications, the broker’s design to handle high throughput serialized payloads brings challenges for consumers and producers managing the structure of the message. For this reason, a registry becomes critical to achieve schema governance. Apicurio Registry is an end-to-end solution to store API definitions and schemas for Kafka applications. The project includes serializers, deserializers, and additional tooling. The registry supports several types of artifacts including OpenAPI, AsyncAPI, GraphQL, Apache Avro, Google protocol buffers, JSON Schema, Kafka Connect schema, WSDL, and XML Schema (XSD). It also checks them for validity and compatibility.
In this session, we will be covering the following topics:
● The importance of having a contract-first approach to event-driven APIs
● What is AsyncAPI, and how it helps to define Kafka endpoints and schemas
● The Kafka challenges on message structure when serializing and deserializing
● Introduction to Apicurio Registry and schema management for Kafka
● Examples of how to use Apicurio Registry with popular Java frameworks like Spring and Quarkus
We like the architecture of our applications to revolve around the business logic, not around technical details (and especially not around the database).
In my team at Sky Network Services we use the Clean Architecture and it has given us a great deal of benefits: the business logic is explicit, we are free to change our technical decisions, the app is easy to test, working on it is faster and scalable, it’s hard to do the wrong thing, and many more.
But it comes at a cost, of course. In this talk I’ll tell you the story of our experience with Clean Architecture and give you some tips to get the most out of it.
Example Project
https://github.com/mattia-battiston/clean-architecture-example
Downloads
Online: https://goo.gl/DTxftJ
PDF: https://goo.gl/ZAtdBN
Powerpoint: https://goo.gl/D54wdZ (but you need to install these fonts to see it properly: https://goo.gl/iH8SO5)
Why I like PHPStorm
Advantages of Using Docker
Client, Docker Host, Registry
Docker Usage
Solr Docker File
Every Day Docker Commands
Docker Search
One Line Scripts
Portainer
Kinematic
Docker Compose
Grafana
Coding style guide
PHPCS/MD
Documentation Rules
Xdebug
Postman
The Attached slide was presented at Null Open Security/OWAP/G4H combined community event, the document shared here is a representation of Independent study on usage of Metasploit on purpose built vulnerable machine Metasploitable3. With New attack vectors such as Elastic Search API and Jenkins servers -21/01/2017
Contains
1. Introduction to Metasploit (why metasploit?)
2. Demo Setup and talked on how to- Using Metasploitable3
3. Networking with VirtualBox for personal lab
4. Auxiliary Modules (Scanners and Servers ) - Demo of snmp_enum
5. Exploit Module (searching exploits)
6. Payload types
7. Exploit Demo 1 - /exploit/multi/elasticsearch/script_mvel_rce
8. Exploit Demo 2 -
/exploit/multi/http/jenkins_script_console
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
Introduction to React-Native
- Difference between React & ReactNative
- Why one should use ReactNative?
- Basic Components
- Life Cycle of Component
- Environment Setup
API testing is a type of software testing that involves testing application programming interfaces (APIs) directly and as part of integration testing to determine if they meet expectations for functionality, reliability, performance, and security.
An introduction to KrakenD, the ultra-high performance API Gateway with middlewares. An opensource tool built using go that is currently serving traffic in major european sites.
There might be two different scenarios while API testing. One when you are consuming API from other providers and the other one when you are designing API for your own application.
When you are developing API for your application, you should start for white box testing. The basic approaches are : unit testing, integration testing, edge test cases and security testing.
DevOps has become possible largely due to a combination of new operations tools and established agile engineering practices, but these are not enough to realise the benefits of DevOps. Even with the best tools, DevOps is just a buzzword if you don't have the right culture. Join Rouan as he explores what DevOps culture looks like and how it supports rapid, scalable production releases. He'll talk about collaboration and how important shared responsibility is to enable it. He'll cover the cultural shifts that need to happen within an organisation in order to support DevOps, including supporting autonomous teams and breaking down silos. He'll also provide some insight into the culture of successful teams in a DevOps environment, by showing you how they build quality in, focus on feedback and automate (almost) everything.
API Testing: The heart of functional testing" with Bj RollisonTEST Huddle
View webinar: http://www.eurostarconferences.com/community/member/webinar-archive/webinar-81-api-testing-the-heart-of-functional-testing
An API, or Application Programming Interface, is a collection of functions that provide much of the functional capabilities in complex software systems. Most customers are accustomed to interacting with a graphical user interface on the computer. But, many customers do not realize the much of the functionality of a program comes from APIs in the operating system or program's dynamic-link libraries (DLL). So, if the business logic or core functionality is exposed via an API call then and if we want to find functional bugs sooner than API testing may be an approach that provides additional value in your overall test strategy. Additionally, API testing can start even before the user interface is complete so functional capabilities can be tested while designers are hashing out the "look and feel." API testing will not replace testing through the user interface, but it can augment your test strategy and provide a solid foundation of automated tests that increase your confidence in the functional quality of your product.
22nd Athens Big Data Meetup - 1st Talk - MLOps Workshop: The Full ML Lifecycl...Athens Big Data
Title: MLOps Workshop: The Full ML Lifecycle - How to Use ML in Production
Speakers: Spyros Cavadias (https://www.linkedin.com/in/spyros-cavadias/), Konstantinos Pittas (https://www.linkedin.com/in/konstantinos-pittas-83310270/), Thanos Gkinakos (https://www.linkedin.com/in/thanos-gkinakos-03582a128/)
Date: Saturday, December 17, 2022
Event: https://www.meetup.com/athens-big-data/events/289927468/
AManaging Kong API Gateway with TerraformByungjin Park
2018년 10월 23일 진행된 하시코프 한국 사용자 모임 두 번째 밋업 발표 자료 입니다.
# Terraform으로 Kong API Gateway 관리하기
박병진, Site Reliability Engineer @ Kasa
Abstract:
Kong은 Nginx와 Lua를 기반으로 하는 오픈소스 API Gateway입니다. 본 세션에서는 API Gateway가 무엇인지, Kong을 선택한 이유와 사용 방법, Terraform을 이용하여 Kong을 관리한 경험을 공유합니다.
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
APIs are a foundational innovation in today’s app-driven world - and increasingly becoming the main target for attackers. How do you protect yourself? Matt Tesauro, Distinguished Engineer, will walk you through how attackers use techniques like broken object level authorization (BOLA) attacks against an API, and how attackers gain access to critical data. Understand how attackers find and exploit vulnerabilities so you can gain insight into why many traditional security approaches fail against a modern API attack. Lastly, discover what this same hack looks like on the defender’s side so you can proactively secure your APIs enabling your dev teams to go fast without breaking things.
With Apache Kafka’s rise for event-driven architectures, developers require a specification to design effective event-driven APIs. AsyncAPI has been developed based on OpenAPI to define the endpoints and schemas of brokers and topics. For Kafka applications, the broker’s design to handle high throughput serialized payloads brings challenges for consumers and producers managing the structure of the message. For this reason, a registry becomes critical to achieve schema governance. Apicurio Registry is an end-to-end solution to store API definitions and schemas for Kafka applications. The project includes serializers, deserializers, and additional tooling. The registry supports several types of artifacts including OpenAPI, AsyncAPI, GraphQL, Apache Avro, Google protocol buffers, JSON Schema, Kafka Connect schema, WSDL, and XML Schema (XSD). It also checks them for validity and compatibility.
In this session, we will be covering the following topics:
● The importance of having a contract-first approach to event-driven APIs
● What is AsyncAPI, and how it helps to define Kafka endpoints and schemas
● The Kafka challenges on message structure when serializing and deserializing
● Introduction to Apicurio Registry and schema management for Kafka
● Examples of how to use Apicurio Registry with popular Java frameworks like Spring and Quarkus
We like the architecture of our applications to revolve around the business logic, not around technical details (and especially not around the database).
In my team at Sky Network Services we use the Clean Architecture and it has given us a great deal of benefits: the business logic is explicit, we are free to change our technical decisions, the app is easy to test, working on it is faster and scalable, it’s hard to do the wrong thing, and many more.
But it comes at a cost, of course. In this talk I’ll tell you the story of our experience with Clean Architecture and give you some tips to get the most out of it.
Example Project
https://github.com/mattia-battiston/clean-architecture-example
Downloads
Online: https://goo.gl/DTxftJ
PDF: https://goo.gl/ZAtdBN
Powerpoint: https://goo.gl/D54wdZ (but you need to install these fonts to see it properly: https://goo.gl/iH8SO5)
Why I like PHPStorm
Advantages of Using Docker
Client, Docker Host, Registry
Docker Usage
Solr Docker File
Every Day Docker Commands
Docker Search
One Line Scripts
Portainer
Kinematic
Docker Compose
Grafana
Coding style guide
PHPCS/MD
Documentation Rules
Xdebug
Postman
The Attached slide was presented at Null Open Security/OWAP/G4H combined community event, the document shared here is a representation of Independent study on usage of Metasploit on purpose built vulnerable machine Metasploitable3. With New attack vectors such as Elastic Search API and Jenkins servers -21/01/2017
Contains
1. Introduction to Metasploit (why metasploit?)
2. Demo Setup and talked on how to- Using Metasploitable3
3. Networking with VirtualBox for personal lab
4. Auxiliary Modules (Scanners and Servers ) - Demo of snmp_enum
5. Exploit Module (searching exploits)
6. Payload types
7. Exploit Demo 1 - /exploit/multi/elasticsearch/script_mvel_rce
8. Exploit Demo 2 -
/exploit/multi/http/jenkins_script_console
Gathering all the profiling information unconditionally for all processing comprising a distributed service can be quite overwhelming and costly. Especially when most of that information might not be relevant or actionable.
The idea of contextual profiling is to utilize the context captured by tracers to drive the collection and representation of the profiling data in a way that relates directly to the customer's application and business processes.
This talk will shed more light on how the contextual profiling is implemented in Datadog Java Profiler and muse the idea of bringing the concept to OpenJDK JFR such it may be used by all Java users.
The OWASP Zed Attack Proxy (ZAP) is possibly the single most widely used open source dynamic application testing (DAST) platform across security engineering teams. The ZAP engineering team and the frequently contributing community have ensured that the platform is consistent with the dynamic application landscape that it is intended to be used upon. However, despite its ever-increasing awareness and acceptance, ZAP’s full extent of capabilities is seldom utilised. This webinar would focus on one specific “under the hood” feature of the platform - the ZAP API.
The API provided is an extremely powerful feature that can be used to automate a major chunk of security test cases, ranging from reconnaissance to discovering security vulnerabilities. The ZAP API is particularly helpful when security teams are looking to leverage ZAP to scale testing in accordance to frequent release cycles in an agile environment. Having a good understanding on the capabilities of ZAP through its API helps teams in integrating automated DAST scans within the deployment pipeline. Further, ZAP is probably the first place one would look to in the context of bridging functional automation scripts with security testing. Another unique feature of ZAP is its ability to design and consume scripts. Scripting gives a tester the ability to access the internal data structures of ZAP to create custom functionalities which, in effect, can augment the capability of ZAP.
In this webinar Praveen Kumar(twitter-@iprav33nk) illustrates, with the help of live demonstrations, the gamut of possibilities that ZAP API and scripting brings for development and security engineering teams alike.
Who is this for:
1. AppSec professionals looking to leverage more out of ZAP
2. Developer and QA engineering teams looking to integrate functional automation scripts with ZAP
3. Teams who have or at the cusp of making a commercial investment in a DAST, but would want to see what ZAP has to offer first ;)
RSYSLOG v8 improvements and how to write plugins in any language.Rainer Gerhards
RSYSLOG is a next generation log processing tool. In the frist part, we will explain the new RSYSLOG v8 engine, its motivation and its benefits. Learn, for example, why writing to Elasticsearch is much faster with the new engine. We will describe the tuning parameters vital for making best use of the new features.
In the second part we will explain how to write RSYSLOG plugins in any language. Traditionally, writing rsyslog plugins has been considered quite hard, with at least C knowledge necessary. In v8, we have introduced new interfaces which make it possible to write plugins in any language - be it Python, Perl or Java. Even bash will do. In essence, this is a great tool for any admin to add special needs with just a bit of scripting. We will proivde concrete instructions on how to write a plugin, point to read-to-copy samples and tell how to integrate this into rsyslog.
NOTE: This is my LinuxTag Berlin 2014 talk.
Extending OpenShift Origin: Build Your Own Cartridge with Bill DeCoste of Red...OpenShift Origin
Extending OpenShift Origin: Build Your Own Cartridge
Presenters: Bill DeCoste
Cartridges allow developers to provide services running on top of the Red Hat OpenShift Platform-as-a-Service (PaaS). OpenShift already provides cartridges for numerous web application frameworks and databases. Writing your own cartridges allows you to customize or enhance an existing service, or provide new services. In this session, the presenter will discuss best practices for cartridge development and the latest changes in the OpenShift cartridge support.
* Latest changes made in the platform to ease cartridge development
* OpenShift Cartridges vs. plugins
* Outline for development of a new cartridge
* Customization of existing cartridges
* Quickstarts: leveraging a cartridge or cartridges to provide a complete application
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks
In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.
Photoshop is to Gimp, Illustrator is to Inkscape, Microsoft Office is to Open Office - since 2005, Open Source Flash refers to building knowledge/tools/programs for the Flash platform. Their main website is osflash.org and they serve as a wiki/forum/vehicle to generate awareness and contain useful resources. In the talk I hope to share history and knowledge of a few useful tools that can be used in/developed on linux. Example - compilers, development environments, etc.
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
Similar to 2017 DevSecCon ZAP Scripting Workshop (20)
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
2020 ADDO Spring Break OWASP ZAP AutomationSimon Bennetts
A deep dive into OWASP ZAP Automation and Authentication. The slides are from a 3 hour workshop delivered as part of the All Day DevOps Spring Break conference help in April 2020
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8
Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation as part of the 2013 OWASP EU Tour in Amsterdam.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation at AppSec Dublin 2012.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
2. ●
Session 1 : 2pm
– Introduction
– Standard Scripts (JavaScript, Python, Ruby)
– Proxy and Http Sender Scripts
– Passive and Active Scan rule Scripts
●
Session 2 : 3pm
– Zest Scripts
– Standalone and Targeted Scripts
The Plan
3. ●
Session 3 : 4pm
– How to use scripts in automation
– How to add scripting support in add-ons (overview)
– Authentication Scripts
– More chance to write any or all of the above types
●
Session 4 : 5pm
– Optional – keep writing scripts, ask more questions...
The Plan
4. ●
We want more script examples
● Submit PRs to https://github.com/zaproxy/community-scripts
●
Can be anything useful – eg copies of existing scripts in different
languages :)
●
Anything useful will earn a ZAP Contributor sticker (max one per
person)
●
Lots of useful scripts will earn a ZAP T-shirt!
●
Only valid for this workshop
Competition Time!
5. ●
Advantages:
– Quick to write and test
– Full access to ZAP classes and data structures
– No need for separate development environment
●
Disadvantages
– Documentation could be (much) better
– No auto complete
– No sandbox – only run scripts you trust!
Introduction – why do we need scripts?
6. ●
JavaScript – built in
●
Python – optional add-on
●
Ruby – optional add-on
●
Zest – built in, macro language on steroids
●
JSR 223 languages relatively easy to add
●
Beanshell – optional, no longer really maintained
Introduction – What languages are supported?
7. ●
Stand Alone
– Run manually
●
Targeted
– Run manually against a specified requests
●
Proxy
– Change proxied browser requests on the fly
●
HTTP Sender
– Change any request on the fly (proxy, spider, active scanner ...)
Script types (built in)
8. ●
Passive Scan Rule
– Detect potential issues just by looking
●
Active Scan Rule
– Detect potential issues by attacking
●
Authentication
– Automatically login to sites
●
Script Input Vector
– Define exactly what ZAP will attack
Script types (built in)
9. ●
Fuzzer HTTP Processor
– Called before and after HTTP messages are fuzzed
●
Fuzzer Websocket Processor
– Called before and after Websocket messages are fuzzed
●
Payload Generator
– Generate attacks to be used in the fuzzer
●
Payload Processor
– Change fuzzer payloads before they are used
●
Sequence
– Define sequences of requests to be attacked (alpha)
Script types (add-ons)
10. ●
All roughly equivalent
●
All have good Java integration
●
JavaScript (ECMAScript)
– Java 7 – Rhino
– Java 8 – Nashhorn
– Can write to local filestore via Java classes
– Use load("nashorn:mozilla_compat.js"); for Rhino scripts in Nashorn
●
JavaScript Nashhorn – supports loading scripts from files
– https://wiki.openjdk.java.net/display/Nashorn/Nashorn+extensions
●
Python – supports modules path
‘Standard’ Script languages
11. ● Scripts group: https://groups.google.com/group/zaproxy-scripts
● Dev group: https://groups.google.com/group/zaproxy-develop
● Community Scripts: https://github.com/zaproxy/community-scripts
● JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
Useful links
12. ●
Fire up ZAP
●
Check for Updates (Help / Check for Updates...)
●
Update everything
●
Install Community Scripts
●
Optionally install Python / Ruby Scripting
●
Demo: “Hello world”
Getting started
13. ●
Scripts tab
– Shows all of the scripts an templates
– Allows you to select, add, remove, duplicate, enable, disable and save scripts
– Icons show state – enabled / disabled, error and not saved
●
Script Console tab
– Top pane – edit scripts
– Bottom pane – output and error messages
– Run and Stop buttons – enabled when appropriate
– Output pane buttons – control that pane
– Right click for lots more options!
The tabs
14. ●
Proxy Scripts
– Only affect requests and responses proxied via a browser
●
HTTP Sender Scripts
– Affect all requests and responses (proxy active scan, spider …)
– Initiator param gives the component that initiated the request
– Provides helper to make new requests
●
Both
– Must enable scripts before they will take effect
– Will be disabled on error
Proxy and HTTP Sender scripts
15. ●
Key ZAP class: org/parosproxy/paros/network/HttpMessage.html
●
Provides methods like
– getRequestBody()
– getRequestHeader()
– getResponseBody()
– getResponseHeader()
● See JavaDocs: https://javadoc.io/doc/org.zaproxy/zap/2.6.0
● Or the code: https://github.com/zaproxy/zaproxy
Script parameter: HttpMessage - msg
16. ●
Proxy Scripts
– Replace in request or response body.js
– Drop requests not in scope.js
– Return fake response.js
●
HTTP Sender Scripts
– Alert in HTTP Response Code Errors.js
– Alert on Unexpected Content Types.js
– Capture and Replace Anti CSRF Token.js
Proxy and HTTP Sender scripts - examples
17. Suggestions:
●
Replace headers
●
Auto redirect from one page to another
●
Do different things based on content, eg:
– Replace different content
– Redirect to different pages
Exercise – write Proxy &/ HTTP Sender scripts
18. ●
Passive Rule Scripts
– Can only view requests and responses (should not change anything)
●
Active Rule Scripts
– Attack nodes or specific parameters
– Can do pretty much anything you like :)
– Must Enable Script Input Vectors
●
Both
– Can raise alerts
– Must enable scripts before they will take effect
– Will be disabled on error
Passive and Active Rule scripts
19. ●
Passive Rule Scripts
– Server Header Disclosure.js
– Find emails.js
●
Active Rule Scripts
– User defined attacks.js
– gof_lite.js
●
Demo: testing passive and active rule scripts
Passive and Active Rule scripts - examples
20. ●
Hacking ZAP Blog posts
– https://zaproxy.blogspot.com/2014/04/hacking-zap-3-passive-scan-rules.html
– https://zaproxy.blogspot.com/2014/04/hacking-zap-4-active-scan-rules.html
●
Java code
– https://github.com/zaproxy/zap-extensions
– master branch – org/zaproxy/zap/extension/ascanrules and pscanrules
– beta branch – org/zaproxy/zap/extension/ascanrulesBeta and pscanrulesBeta
– alpha branch – org/zaproxy/zap/extension/ascanrulesAlpha and pscanrulesAlpha
Passive and Active Rule links
21. ●
Global Variables
– Variables can be shared between all scripts
org.zaproxy.zap.extension.script.ScriptVars.setGlobalVar("var.name","value")
org.zaproxy.zap.extension.script.ScriptVars.getGlobalVar("var.name")
●
Script Variables
– Variables can be shared between separate invocations of the same script
org.zaproxy.zap.extension.script.ScriptVars.setScriptVar(
this.context, "var.name","value")
org.zaproxy.zap.extension.script.ScriptVars.getScriptVar(
this.context, "var.name")
Variables (all script types)
22. Suggestions:
●
Rewrite existing java rules (see previous links)
●
Alert on anything that ZAP doesn’t currently find :)
Exercise – write Passive &/ Active Rule scripts
23. ●
Domain Specific Language (DSL)
●
Its domain is security and automation
●
Closer to a macro language .. on steroids :)
●
Format – JSON :O
●
Intended to be ‘written’ graphically
●
Its tool independent (no access to ZAP internals)
●
Demo: “Hello world”
Zest Scripts
24. ●
Creating from templates
●
Duplicating existing script
●
Recording
●
Selecting and adding requests
●
Manually
●
Demo: playing with BodgeIt
Zest Scripts - creating
25. ●
Double click to edit nodes
●
Right click:
– Add and delete nodes
– Delete nodes
– Surround with loops, conditionals
– Cut, copy and paste
– Comment
– Move up / down
●
Drag and drop
●
Selecting and adding requests
Zest Scripts - editing
26. ●
Request – make requests (and make assertions)
●
Action – scan, script, print, fail, sleep
●
Assignment – assign things to variables
●
Client – launch and control browsers
●
Conditions – and, or, equals, length, etc ...
●
Loop – though strings, files, integers, regexes, client elements
●
Comment – comment :)
●
Controls – return, break, next
Zest Scripts – statement types
27. ●
Paste Zest variables (right click in Zest text boxes)
●
Parameterize strings (right click in requests)
●
Redact strings (right click in requests)
●
Drag and drop
●
Change prefix – applies to all requests
●
Anti CSRF tokens – automatically handled
●
Generate Zest script from alert
Zest Scripts – hidden extras
28. ●
You have to start by launching a browser in Zest
●
No record option at the moment :(
●
Browser - View source / Inspect is your friend
●
Demo: Persona video …
Zest Scripts – client side
29.
30. Suggestions:
●
Passive script – alert on the presence of 2 strings
●
Rewrite a script you’ve just written in another language
●
Rewrite one of the existing a/pscan rules
●
Record a script and start changing it
Exercise – write Zest scripts
31. ●
Both run ‘on-demand’ only
●
Standalone – run from the console
●
Targeted – right click on requests
●
Standard scripts (not Zest) – can access ZAP internals, eg:
– Sites tree
– History
– Other extensions
Standalone and Targeted scripts
32. ●
Standalone Scripts
– loop through history table.js
– traverse sites tree.js
– domainFinder.js
– window_creation_template.js
●
Targeted Scripts
– Resend as a GET request.zst
– Find HTML comments.js
Standalone and Targeted scripts - examples
33. Suggestions:
●
Count number of static vs dynamic pages
●
Detect authentication, registration and password changing?
(1 2 and 3 password fields)
Exercise – Standalone and Targeted scripts
34. -config script.scripts(0).name="Remove STS"
-config script.scripts(0).engine="Mozilla Zest"
-config script.scripts(0).type=proxy
-config script.scripts(0).enabled=true
-config script.scripts(0).file="/scripts/Remove STS.zst"
-config script.scripts(1).name="Another one..."
Scripts in Automation – set via cmd line
35. zap.script.load("Remove STS", “proxy”, "Mozilla Zest",
"/scripts/Remove STS.zst")
zap.script.enable("Remove STS")
●
Pro Tip: Configure in the UI, look at whats set in config.xml ;)
Scripts in Automation – set via API
36. ●
Implement a script interface
●
Implement one or more templates / examples which implement
the interface
●
Register a new script type:
ExtensionScript extensionScript = Control.getSingleton().
getExtensionLoader().getExtension(ExtensionScript.class);
extensionScript.registerScriptType(new ScriptType(
"newname", "i18nKey", icon, true, true));
Adding script support in add-ons
37. ●
Use the enabled scripts:
ExtensionScript extensionScript = Control.getSingleton().
getExtensionLoader().getExtension(ExtensionScript.class);
List<ScriptWrapper> scripts = extension.getScripts("newname");
for (ScriptWrapper script : scripts) {
try {
if (script.isEnabled()) {
MyScript s = extension.getInterface(
script, MyScript.class);
// Do something with it...
}
Adding script support in add-ons
38. ●
For when simple form based auth isnt enough
●
Need to configure context
●
Demo: BodgeIt authentication
● https://github.com/zaproxy/zaproxy/wiki/FAQformauth - auth FAQ
Authentication Scripts