This document summarizes research into bypassing application whitelisting technologies. It describes how the researchers were able to bypass protections from McAfee, Bit9, and Windows AppLocker through techniques like DLL hijacking, watering hole attacks, modifying file types, and abusing trusted processes. It notes that these vulnerabilities still pose problems and identifies additional avenues for bypassing protections through techniques like dynamic code loading, WinHTTP, and security identifier modifications. The document concludes by discussing ideas for developing a Metasploit module to automate the exploitation of these application whitelisting bypasses.
Shift Risk Left: Security Considerations When Migrating Apps to the Cloud
Black Duck by Synopsys
In this session, we'll start with the basics of application security for an environment where development teams are able to push code into production at will. We quickly cover the basics and move on to the advanced topics of tests and models for long-term application security. We'll cover real-world Black Duck CI examples including keeping apps up-to-date in Pivotal Cloud Foundry environments, and end with tips for advocating for long-term security structures.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
- Best practices for designing and incorporating an automated approach to application security into your existing development environment
- Future development and application security challenges organizations will face and what they can do to prepare
Open Source Insight: You Can’t Beat Hackers and the Pentagon Moves into Open...
Black Duck by Synopsys
We take a deep dive into security researchers Charlie Miller and Chris Valasek’s keynote at last week’s FLIGHT 2017 conference. What is “Hidden Cobra” and is it targeting US aerospace, telecommunications and finance industries? Both banks and the Pentagon are making big moves into open source. And why it’s smart to assume that every application is an on-premise application.
The best of November’s application security and open security news (so far) follows in this week’s edition of Open Source Insight.
Black Duck and Tech Contracts Academy discussed the implications of open source software in tech contracts. The topic of open source has been at the forefront of the technology industry for many years, but as the use of open source in commercial applications explodes, so do concerns about addressing license and ownership issues in contract negotiations.
David Tollen is the founder of Tech Contracts Academy (www.TechContracts.com) and of Sycamore Legal P.C., in San Francisco. He’s the author of The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople. He will dive into these topics from the perspective of both buyers and sellers and aims to educate on Intellectual Property (IP) protection and other terms and how they should work during contract negotiations.
Introduction to Microsoft Security Development Lifecycle.
1. What is Microsoft Security Development Lifecycle (SDL)?
2. Understanding various phases of SDL
3. Threat Modeling
4. Security & Privacy Bugs
5. SDL Training
DevOps purists may chafe at the DevSecOps term given that security and other important practices are supposed to already be an integral part of routine DevOps workflows. But the reality is that security often gets more lip service than thoughtful and systematic integration into open source software sourcing, development pipelines, and operations processes--in spite of an increasing number of threats.
In this session, we’ll look at successful practices that distributed and diverse teams use to iterate rapidly. We’ll discuss how a container platform can serve as the foundation for DevSecOps in your organization. We'll also consider the risk management associated with integrating components from a variety of sources--a consideration that open source software has had to deal with since the beginning. Finally, we'll show ways by which automation and repeatable trusted delivery of code can be built directly into a DevOps pipeline.
Leveraging Black Duck Hub to Maximize Focus - Entersekt’s Approach to Empower...
Black Duck by Synopsys
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by empowering teams and automating open source security risk management throughout the Software Development Lifecycle (SDLC).
Security in the Development Lifecycle - lessons learned
Boaz Shunami
This is the presentation I delivered at the OWASP IL conference in September 2012.
I discuss the lessons learned from several years of implementing application security into the development lifecycle in organizations in IL, the EU and the US. I cover some different approaches to the subject and also different types of organizations, concluding with some recommendations.
Feel free to contact me if you have any questions:
boaz (at) komodosec.com
Check out our website and services on:
www.komodosec.com
Leveraging Open Source Opportunity in the Public Sector Without the Risk
Protecode
Open source software presents a huge opportunity for public sector organisations in the UK. Adopting open source solutions allows assets to be shared and re-used; freeing organisations from massively expensive, inflexible “lock-in” solutions. To ensure that this potential is realised, it is imperative that organisations adopt a process for managing potential licensing, security and encryption content associated with open source code.
Join us as we share our tips for streamlining the open source adoption and management process and removing uncertainties around third party software vulnerabilities.
There are multiple reasons why Open Source Software (OSS) is a benefit for all organisations, and in particular for the public sector.
All of the organisations represented on this call will be tasked with delivering solutions for specific requirements, and at great speed. Why create those solutions from generic platforms and depend on their long release cycles to evolve the solutions, when you can develop just what is needed and then share it with other public sector organisations, who can modify it to suit their requirements? This makes for rapid development and avoids redundant effort.
Ultimately you will be able to control your own destiny and set your own pace for delivering exactly what is needed.
In the world of DevSecOps, as you might expect, we have three teams working together: Development, the Security team and Operations.
The “Sec” of DevSecOps introduces changes into the following:
• Engineering
• Operations
• Data Science
• Compliance
The presentation will give you an idea of secure coding practices. The points mentioned here are, I would say, the minimum you should consider while developing an application.
Leverage DevOps & Agile Development to Transform Your Application Testing Pro...
DevOps.com
Discover how Sona Srinivasan, Senior Architect of Cisco IT’s Global Architecture and Technology Services group, helps transform an IT DevOps strategy to a Security DevOps strategy, with IBM Security's assistance. Cisco is presently implementing continuous security and agile methods throughout the software development lifecycle (SDLC), and specific examples of current initiatives will be reviewed in this session.
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
Auto verify, prioritize and triage vulnerability findings in real time with 100% confidence.
Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers and 3rd party development contractors to an array of open source contributors.
This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.
We discuss the role software plays in information security and compare and contrast how many of the unique attributes of open source can present particular security challenges as opposed to proprietary/commercial software. We will examine the role open source has played in several high profile security incidents, drawing lessons learned from those incidents. We will also review the standards of “reasonableness” established by widely adopted security standards published by NIST and others and discuss the application of those standards to open source.
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Black Duck by Synopsys
The Black Duck blog and Open Source Insight become part of the Synopsys Software Integrity blog in early April. You’ll still get the latest open source security and license compliance news, insights, and opinions you’ve come to expect, plus the latest software security trends, news, tips, best practices, and thought leadership every week. Don’t delay, subscribe today! Now on to this week’s open source security and cybersecurity news.
Making the Strategic Shift to Open Source at Fujitsu Network Communication
Black Duck by Synopsys
Fujitsu Network Communication (FNC) was historically a closed-source development organization. Today, FNC is not only a consumer of open source in their software development, but also an active open source contributor with the release of Warrior (http://warriorframework.org). In this session, FNC Open Source champion Karan Marjara will walk through FNC's move toward embracing the open source model as a strategic benefit, and demonstrate how they are leveraging open source with Warrior.
Lysa Bryngelson, Sr. Product Manager for Black Duck Binary Analysis at Synopsys, presented on a recent webinar. During the webinar, she discussed how one of the biggest challenges companies face with third-party software is a lack of visibility into the open source libraries used in the software they embed in their products. Over the last year, major security breaches have been attributed to exploits of vulnerabilities in open source frameworks used by Fortune 100 companies in education, government, financial services, retail, and media. For more information, please visit our website at www.synopsys.com/blackduck
Companies are constantly seeking ways to ensure their application code is secure and effectively managed. For example, M&A assessors conduct one-time code audits on companies they are buying to avoid legal, operational or security pitfalls. Other organizations are proactive, using an ongoing solution to make sure their application code is secure and well managed on a day-to-day basis. Increasingly, many companies are opting to use both approaches. Join Bob Genshaft, Director Strategic Programs at Wolters Kluwer, and Black Duck's VP and General Manager On-Demand Audits Phil Odence for a discussion that will address key open source security and management questions:
· When is it appropriate to conduct an audit?
· When should your company consider an ongoing solution?
· What are the benefits of doing both?
· What does an effective Open Source Policy look like?
This annual review will highlight the most significant legal developments related to open source software in 2019, including:
• Evolution of open source: control, sustainability, and politics
• Litigation update: Cambium and Artifex cases
• Patents and the open source community
• Impacts of government sanctions
• The shift left for compliance and rise of bug bounty programs
• And much, much more
For more information, please visit https://www.synopsys.com/software-integrity/managed-services/open-source-software-audit.html
Mobile apps are the main source of security concerns in every software solution nowadays. But it doesn't have to be like that: in this session we will explore best practices, tips and tricks from OWASP MASVS that will take your app to the next level! Just remember: you don't need to be an expert to make an app secure.
Top 10 Software to Detect & Prevent Security Vulnerabilities from BlackHat US...
Mobodexter
BlackHat USA 2015 recently concluded, and we heard a bunch of news about how BlackHat brought to light various security vulnerabilities in day-to-day life, such as the ZigBee protocol, a device for stealing keyless cars, and ATM card skimmers. However, the presenters, who are also ethical hackers, also gave the software community a bunch of tools to help detect & prevent security holes in hardware & software while the product is being readied for release. We have reviewed all the presentations from the conference and give you here a list of the Top 10 tools/utilities that help in security vulnerability detection & prevention.
Strategies on How to Overcome Security Challenges Unique to Cloud-Native Apps
VMware Tanzu
As IT organizations build and release software continuously, how do security teams become enablers of this pace? How can you ensure that the higher rate of change is not leading to lesser security?
Join our webinar to learn how Pivotal and Signal Sciences work together to make app deployments faster *and* safer in cloud-native environments.
This webinar will cover:
- Best practices for implementing new security programs and incentivizing their adoption
- How to simplify application layer security deployments across a variety of apps, teams and cloud infrastructures
- How threat visibility and real time attack telemetry brings security context into DevOps teams, and improves response times.
Presenters: Zane Lackey, Signal Sciences and Kamala Dasika, Pivotal
Learn more about how organizations prevented downtime with #BigFix in the wake of #wannacry. References and Use Cases along with a review of our BigFix Solution.
https://www.ibm.com/connect/ibm/ca-en/resources/tomjs/
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the software development lifecycle (SSDLC). Software should be provisioned uniformly and declaratively, regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
Are you ready for the next attack? Reviewing the SP Security Checklist
APNIC
Are you ready for the next attack? Reviewing the SP Security Checklist, by Barry Greene.
A presentation given at the APNIC 40 Opening Ceremony and Keynotes session on Tue, 8 Sep 2015.
Are you ready for the next attack? Reviewing the SP security checklist (APNIC...
Barry Greene
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages the cyber-criminal innovation at the cost to business and individual loss throughout the world. We do not need a “Manhattan Project” for the security of the Internet. What we need are tools to help operators throughout the world ask the right question that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our “security” economy, and present “take home” tools that would facilitate immediate action.
Prevent Getting Hacked by Using a Network Vulnerability Scanner
GFI Software
How to (Not) Get Hacked - A Webinar by Greg Shields that discusses how activities such as Network Scanning, Vulnerability Scanning and Patch Management can ensure that your Network Security never gets breached.
The Challenge of Integrating Security Solutions with CI.pdf
Savinder Puri
Informational article which discusses the issues with code signing solutions as they relate to CI/CD workflows (including DIY and HSM solutions).
Targeted Persona: mostly technical decision makers and operational champions (devops/devsecops).
Asset Discovery in India – Redhunt LabsRedhuntLabs2
Leading Asset Discovery Company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our Agent less Platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker Assets from across the globe.
We also provide a Free Scan if you'd like to examine the Attack Surface of your company. Here to visit our page for more information.
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...Berezha Security Group
After the completeness of over 50 Penetration Testing and Application Security projects during the 2020 year and many more since 2014, the BSG team shares its expertise in finding security vulnerabilities across many business verticals and industries.
On the webinar, we will talk about:
1. Typical threat model of a modern business organization.
2. How the COVID-19 pandemic has changed that threat model?
3. What is Threat Modeling, and how it works for the BSG clients?
4. What is DARTS and how we secure sensitive customer data?
5. What is the BSG Web Application Pentester Training and why?
6. Top 10 critical cybersecurity vulnerabilities we found in 2020.
We help our customers address their future security challenges: prevent data breaches and achieve compliance.
*Slides - English language
*Webinar - Ukrainian language
The link on the webinar: https://youtu.be/fkdafStSgZE
BSG 2020 Business Outcomes and Security Vulnerabilities Report: https://bit.ly/bsg2020report
Contact details:
https://bsg.tech
hello@bsg.tech
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
Our technology, work processes, and activities all depend on if we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, DevSecOps advance methods, manage the implement secure coding analysis and how to manage software security risks.
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsBlack Duck by Synopsys
This week in Open Source Insight we examine blockchain security and the cryptocurrency boom. Plus, take an in depth look at open source software in tech contracts with a legal expert from Tech Contracts Academy, Adobe Flash Player continues to be a security concern, the Open Source Initiative turns 20, and step by step instructions for migrating to Docker on Black Duck Hub. Cybersecurity and security breach news also dominates this week, as Synopsys examines security breaches in 2017 and how they were preventable.
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.
You will learn what is Security Development Lifecycle (SDL).
You will understand why SDL is important.
You will dive in details of SDL and you will see tips for each SDL phase.
You will realize how to roll out an SDL in your organization.
Finally, you will have all skills to deliver a secure product.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
3. Curt Shaffer
Curt Shaffer has been in the IT field for 15 years. His experience is diverse across the IT field, from ISP network design and installation to server engineering for small and medium businesses as well as a number of local, US federal and international agencies, along with intrusion analysis, incident response and malware reverse engineering. Over the past 5 years his focus has shifted to security. A majority of his security work most recently has been building internal threat intelligence for federal agencies, and in his current position as Owner of and Sr. Threat Researcher for Symbiotic Network Technologies, LLC he analyzes current and new trends in the attack landscape in order to provide organizations with a realistic view of how they are being attacked and what can be done about it.
He holds a number of industry standard certifications including CISSP, SANS GREM, GCIA, GCIH, GPEN, GSEC and a number of CompTIA and Microsoft certifications.
4. Judah Plummer
Works at Foreground Security - SOC Analyst Extraordinaire
Math and Comp. Sci. degree from the University of Pittsburgh
He has worked on validating these findings (found a 0-day once), and has assisted with the deployment and management of these applications in large deployments.
Also found a DLC license bypass for Xbox (possible upcoming NovaHackers talk?).
6. Put to the Test
McAfee – Popular choice for government and others
Bit9 – Popular due to ease of deployment
AppLocker – Built in / no extra cost
7. Previously … with some updates
Windows File Protection: Didn’t work
Java: Exploits – all day long; Payloads
Iexpress: Didn’t work
9. Previously … with some updates
Other findings:
Intercepting the Bit9 client traffic (Fiddler FTW!)
Rubber Ducky PowerShell injections
Disabling the service
10. Why Is This Still a Problem?
“While we believe Bit9 is the most effective protection you can have on your endpoints.”
https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
11. 30 days to life?
The 90's called, they want their trial bypass back
15. New Bypasses?
DLL Hijacking
Watering Hole Attacks
Modifying Executable File Types
Dynamic Annotation techniques and similar dynamic building techniques
Microsoft WinHTTP
Security ID Modifications
16. DLL Hijacking
DLL hijacking has been used in the past as a persistence method.
We tested to see if we could trick the whitelisting solution into executing the hijacked DLL with our own malicious code.
Worked like a champ!
17. Watering Hole Attack
Have become more popular in advanced attacks.
There is a huge range of techniques that can be taken advantage of, and it is growing with new technologies such as HTML5.
Files can be called/executed by trusted applications and their plugins.
18. Modifying Executable File Types
Change file types, such as .txt files, to be executable.
Change the “magic number” of files, to be repaired later, after the file has been overlooked because it is a non-standard file type and is thus ignored by Bit9.
19. Dynamic Annotation
New technique for some interesting malware applications.
Building MOF executables from sample scripts pulled from trusted sites, such as Microsoft’s TechNet, and building them on the fly with VB is one example we have seen used in the wild.
We are working on a talk for later this year on the topic with a POC botnet.
20. WinHTTP
Our guess: not a lot of work has been put into protecting the new WinHTTP remote administration components of Windows.
Execute malicious code through this trusted process.
Any other system/admin tools that need to be trusted?
21. Security ID Modifications
Is whitelisting on a per-user basis?
Have all types of users, including null user SIDs, been taken into account?
We didn’t have a lot of time to test modifying the SIDs of services and files, but it’s our guess this would work rather well.
22. Chris John Riley’s PySC
Shellcode from DNS TXT records
Or via Internet Explorer (using SSPI)
Works on the latest version we tested!
Thanks Chris!
Code link in the notes.
23. Future Considerations
Macintosh Bypasses
More HTML5 Features
Trusted Directory or Trusted User Abuse
Hash Collision Fun
Metasploit Module
24. Metasploit Module
Codename: “The Alan P@rs0ns Project: Sharks with friggin lasers”
Menu Options/Functionality:
Operating System Version
Vendor Choice
Exploit/Bypass Style, Choice
Payload Choice
Post Exploitation
To answer the question on the first slide, it is our belief that these solutions are still easily bypassed, and in some cases using the exact same methods discussed previously in the Raising the White Flag talk 2 years ago. The number of findings we uncovered would show that, while they fixed some of the egregious problems pointed out before, they have not gotten much better overall and still have a lot of work to do.
We wanted to bring up first that most of this talk is on the findings on Bit9 Parity 7.1.3, not because we have an agenda against them, but because frankly they kept us busy enough to fill up info for a talk in itself. We hope to add how the others have done in the next version when we release the details of the Bit9 bypasses we found.
When we say something “worked” or “didn’t work” in the slides here, we are speaking from the context of the attacker. So worked means we were able to bypass, and did not work means that the application whitelisting stopped the attempt. We also thought it was necessary for us to cover the previous findings at least at a high level for those who may not have caught the first talk on this 2 years ago at Shmoocon.
Windows File Protection attacks did not appear to work for our testing. Even if we were able to modify the WFP protected files, the hash would change, thus requiring other techniques to utilize this method. We aren’t saying it wouldn’t be successful in those cases, just that by default it didn’t work for this reason. We tried to utilize an old malware technique that was successfully used by malware in Windows XP in the past. The idea was that in Windows XP, if you started a process (i.e. let’s say calc.exe) with the name of one of the files in WFP (i.e. let’s say winlogon.exe), you would not be able to kill the process because it was “protected” by Windows. We saw some inconsistent results in testing this in the previous research. We did not spend much time on this for this talk as we tested on Windows 7 and Windows 8 only, which utilize hashes for these protections now rather than just the name as Windows XP did.
Java again worked in both exploits that led to further payloads being run such as Java Meterpreter (can we request railgun access via this method please?? Maybe call it jailgun :P)
Java payloads also worked. It should be noted that this works and will continue to work based on organizations requiring obsolete Java code in their environment. We actually have been told by at least one customer that the flaw in the version they required in their code was a function they relied on and thus would allow for legacy applications! This is more of an organization issue rather than a Bit9 or other whitelisting flaw.
Iexpress is a packaging utility that actually digitally signs the outermost component with a certificate by Microsoft! We found this to work in earlier versions of AppLocker due to the lack of subsequent checks on the files inside the signed exterior package. From our analysis this is no longer possible on any of the tested applications.
Adobe Flash and PDFs worked in both exploits and the payloads used once again. The main problem here, as you will hear us say over and over, is that it is now and will continue to be, an exploitation of required trust in an application that will be the way in by attackers. More granularity would be needed to fix this problem in our opinion. (thinking of like per function analysis or something)
Javascript worked to execute payloads due to the inherent trust of the browser. We were able to bypass these solutions by executing local Javascript via Browser plugins or in conjunction with other methods (such as HTML5 local storage, Shellcode, and Powershell).
VBA worked in a few different ways. The one that was most notable was by executing direct shellcode from the VBA (as discussed by Didier Stevens and others: http://blog.didierstevens.com/programs/shellcode/)
Shellcode worked for us to bypass Bit9 using the VBA loading method as well as using Power Syringe (as can be found at http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html among other places).
Bit9 still does not appear to insist that the SSL certificate be anything more than trusted, from our analysis. We were still able to intercept the traffic by using an overall trusted certificate. This was possible due to Bit9 checking that the certificate be valid, but that is all. We were also able to use Fiddler (http://www.telerik.com/fiddler) to do the same actions, utilizing the ever so awesome feature that Fiddler uses to do the interception at the API level! Once we had access to the unencrypted sessions, we were able to just execute the commands on the client to shut the protection off, or permit new files for x amount of time, or even trust our hash. Essentially anything that is capable from the server interface, we could do by faking or intercepting traffic to the client from the server. Again, not sure what the best fix is for Bit9 in this case other than looking for something more specific in the cert or some sort of further validation of the communication streams.
The last two items here require physical access. I think we can all agree that physical access to a system is generally game over for any protection in most cases. There is nothing new to report here on the techniques discussed in the previous talk other than they continue to work as before.
We mentioned the above statement as an example of how the marketing of some of these companies was leading people to believe they were a silver bullet to stop all badness. After the talk we gave this year at the Shmoocon Epilogue, the CSO of Bit9 said they changed the wording of their marketing in order to make this apparent. We found the following document http://www.torusinc.com/partners/bit9/ that states, to quote the article, "That stops all forms of malware”. This had a date from this year according to our Google searches on the topic.
We have stated many times that we are not saying whitelisting is not a step in the right direction. In fact the speakers on this version of the talk were part of one of the largest full lock down deployments of Bit9, at the time of the initial research, that spanned 135 sites internationally. Even though we were able to see bypasses working in the logs of Bit9 Parity, the fact that we were able to see these things assisted in completely identifying one of the largest incidents either of the speakers has seen in their IR experience to date. This included finding one of the 5 persistence methods being used by the attacker, which showed the attacker had modified the sethc.exe (sticky keys exe) on all of the domain controllers to be cmd.exe, which provided System level access to the DCs by pulling up an RDP session, hitting shift 5 times and bingo! System shell on the DC.
The visibility was enough to make the product worth it in this case, so we don’t want to seem like bashers of the product.
So due to Judah (sorry for calling you out dude ;) ) forgetting to take a snapshot before installing the Bit9 software, we found an interesting trial bypass. He suggested we should just try to uninstall and reinstall and see if that works. I said something to the effect of that hasn’t worked since the 90s, but we have nothing to lose. Turns out, just uninstall and reinstall the software and your trial is restarted. No modifications to existing policies, rules, approvals etc. were done. Picked right back up where we left off, only with 29 more days of trial open to us. Didn’t even need to reboot!
We realize this isn’t a vulnerability per se, but couldn’t help saying the 90s called and want their trial bypass back!
The sysinfo output is included on the right here and in the next slide to show it was the same system.
They did fix the vulnerability we talked about in Raising The White Flag it appears. This vulnerability was found based on previous research a few years before the talk was given where the attacker was able to inject into the parity.exe process and obtain full execution. Curt found that this was fixed in the 6.0 version tested, but the child process of parity.exe, named notifier.exe was not protected and provided full execution to the attacker yet again! This included the ability to run any file whitelisted or not, and even specifically blacklisted files, due to exploiting the chain of trust of the processes.
The screenshot above was to show that it appears they have fixed this problem in the latest version tested. We will admit, we didn’t track down and test all of the other possible child processes to ensure it was a full fix this time, so it may still be possible on another child process!
We did not release a lot of information on these findings yet as we have not had time to fully disclose them to the vendor via our standard method and timeframe. We do plan on doing a follow up on this talk later in the year in which we will release the full details and the proposed Metasploit module. We would like to add that we did test Chris John Riley’s PySC (https://github.com/ChrisJohnRiley/PySC) and that was successful as well. We forgot to mention that in the talk but wanted to ensure that we brought it out.
We do want to ensure it is understood by the community and the vendor that these techniques were successful and repeatable. The astute in the audience can probably put 2 and 2 together and figure out the details based on what we mentioned here.
This was tested and documented fully by Judah and myself. This technique works very well. https://www.mandiant.com/blog/dll-search-order-hijacking-revisited/ Thanks to Mandiant for the initial research!
This attack is becoming very common, especially among advanced attackers. Simulating such an attack allowed the one test of modifying the executable file PE Header (Discussed in the next slide) to work in bypassing the protections. We have not explored HTML5 fully yet, but our thought is that is where watering hole techniques will move to in the future and will only add to the success of these attacks on organizations running whitelisting solutions.
The first option here we didn’t fully test, mainly because of the requirement to have access to the system at an advanced level before launching an attack. We suppose that if an attacker used one of the other techniques to gain the initial access, this would be a very efficient persistence method to maintain access on the compromised system.
The second technique mentioned here worked in our testing in conjunction with watering hole scenarios where we dropped the file with a modified PE header (just a Z rather than MZ as would be expected), then modified the seemingly ignored file (ignored by the whitelisting solution) via future code from the watering hole site. It is expected that this “on the fly” modification would work with the drop happening on any of the stated bypasses and would also include other methods discussed in the last talk, such as using Firefox plugins and local storage options via HTML5 and Javascript as well.
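The “Z instead of MZ” trick described on slide 18 and in the note above only works because the control reacts to files it already recognizes as executables. As an added defensive example, not code from the talk or its authors, here is a Python check that flags files whose PE magic has been overwritten or stripped but which still carry a valid PE signature at e_lfanew; the sample bytes below are constructed for the demonstration, not taken from any real binary.

```python
import os
import struct

PE_SIG = b"PE\0\0"        # IMAGE_NT_HEADERS signature
E_LFANEW_OFF = 0x3C       # offset of e_lfanew inside the DOS header
DOS_HEADER_LEN = 0x40


def _pe_sig_at(data: bytes, e_lfanew: int) -> bool:
    """True if a 'PE\\0\\0' signature sits at offset e_lfanew inside data."""
    return 0 < e_lfanew <= len(data) - len(PE_SIG) and data[e_lfanew:e_lfanew + 4] == PE_SIG


def classify_header(data: bytes) -> str:
    """Classify the first bytes of a file.

    Returns one of:
      'pe'                   - ordinary PE: 'MZ' magic and e_lfanew pointing at 'PE\\0\\0'
      'pe-magic-overwritten' - first byte replaced in place, rest of the header intact
      'pe-magic-stripped'    - first byte deleted, whole header shifted left by one
      'other'                - nothing PE-like found
    """
    if len(data) < DOS_HEADER_LEN:
        return "other"
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if data[:2] == b"MZ" and _pe_sig_at(data, e_lfanew):
        return "pe"
    # Case 1: the 'M' was overwritten. 'Z' is still at offset 1 and e_lfanew still resolves.
    if data[1:2] == b"Z" and _pe_sig_at(data, e_lfanew):
        return "pe-magic-overwritten"
    # Case 2: the 'M' was removed. Everything moved one byte left: 'Z' at offset 0,
    # e_lfanew now lives at 0x3B and the signature at (e_lfanew - 1).
    if data[:1] == b"Z":
        shifted = struct.unpack_from("<I", data, E_LFANEW_OFF - 1)[0]
        if shifted >= 1 and _pe_sig_at(data, shifted - 1):
            return "pe-magic-stripped"
    return "other"


def build_sample_pe() -> bytes:
    """Constructed minimal PE-like blob for the demo (not a runnable binary)."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFF, DOS_HEADER_LEN)  # NT headers follow the DOS header
    # IMAGE_FILE_HEADER stub: Machine=i386, 1 section, no symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + PE_SIG + coff


def find_mangled_pes(samples: dict) -> list:
    """Return (name, verdict) for every sample that is a PE with a tampered magic number."""
    hits = []
    for name, data in samples.items():
        verdict = classify_header(data[:4096])
        if verdict.startswith("pe-magic"):
            hits.append((name, verdict))
    return hits


def scan_directory(root: str) -> list:
    """Walk a directory tree and report files whose PE magic was tampered with."""
    samples = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    samples[path] = fh.read(4096)  # headers only; no need to read whole files
            except OSError:
                continue
    return find_mangled_pes(samples)


if __name__ == "__main__":
    pe = build_sample_pe()
    constructed = {                         # constructed in-memory "files"
        "clean.exe": pe,
        "notes.txt": b"just some text, nothing to see here" * 4,
        "dropped.dat": b"\x00" + pe[1:],    # 'M' overwritten
        "stripped.dat": pe[1:],             # 'M' removed
    }
    for name, verdict in find_mangled_pes(constructed):
        print(f"{name}: {verdict}")
```

Point `scan_directory()` at a download or temp folder to triage real files; a hit means a file that is not an executable by extension or magic but would become one after a one-byte repair.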
We won’t go into a lot of details on what Dynamic Annotation is or the depths in which we tested this. The main reason is because we plan on releasing a talk later in the year on this topic with a POC botnet utilizing this technique for not only bypassing whitelisting but bypassing a lot of protections on the endpoint. The main thing we will say is that this is basically the direct API access utilized by the Windows “Accessibility Options”. As you can imagine, that is pretty low level access and a big win from the attackers standpoint.
WinHTTP provides an HTTP interface to API access on systems: http://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx. To more fully clarify, a member of the audience asked if we were referring to WinRM, which provides HTTP via SOAP access to systems for remote management: http://msdn.microsoft.com/en-us/library/aa384426%28v=vs.85%29.aspx. We wanted to point out that WinRM utilizes WinHTTP to provide the remote management capability. So while based on the same idea, the two are not the exact same feature.
As with many of the bypasses, we expect administrators to see this as a valuable tool to script or automate administration of systems. While it needs to be turned on or configured as a “listener” before it is able to be used, we do not see that being a problem. The first flag we would bring out is please at least use HTTPS obviously but think twice before allowing this to be run on your systems as it will bypass whitelisting due to the inherent trust to the process.
This technique is most successful when an attacker is attempting to execute a file or service that is only permitted based on system or per user/group basis. Again previous access to the system must be gained in order to execute this bypass from our limited research. We suppose that if the SID is known before the file is dropped, there may be a possibility to drop the file with the necessary SID predefined and thus allowing execution.
We forgot to mention this on the day of the talk, but we did test Chris John Riley’s script PySC. This script downloads shellcode from a remote DNS server (using TXT records) or through Internet Explorer (using SSPI to utilize system-wide proxy settings and authorization tokens) and injects it into a specified process. Our testing on this was successful with the latest version. Again because of the exploitation of trust of the calling process. Thanks goes out to Chris on this script and the permission to use it in our research and findings! https://github.com/ChrisJohnRiley/PySC
We wanted to test the Mac client that Bit9 Parity added, but we did not have the version required (it is our belief that 7.1.4 is required and we only had access to 7.1.3). We may add findings on this side in the next version if we can get the proper version to test with.
We really want to explore how bad HTML5 makes it for these types of protections. I believe Kevin Johnson from Secure Ideas released a talk on the possibility of using HTML5 to play a recorded command at an audio level unable to be heard or understood by the human ear, but at a level the mic on the system could pick up and then execute the command on the system via the commands received by the mic. The built in ability of HTML5 to both play and listen via the mic for such things is an example of the badness we fear is waiting for us in the HTML5 arena.
We already know that many people have chosen Bit9 due to the ability to trust directories for automatic approval for things such as SCCM, BigFix etc. We also know from experience that admins of such services do not often protect these directories as much as they should! Therefore we are certain there are fun things to play with to attempt getting our code approved for running on endpoints. They also, along with other vendors, provide the capability to trust executables run by a trusted “publisher”. We haven’t seen that backfire, have we? :P https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
We plan on developing and releasing a Metasploit module to provide a menu driven capability for people to use these and future findings on internal pentests or testing their environments to see if they are vulnerable or not. This is much like what the guys are doing with the Veil Framework https://www.veil-framework.com, only their focus is and will be anti-virus and our focus is mainly whitelisting. We do see a crossing of the streams as far as the end goal, but for now I call them out only to provide an idea of what we look to accomplish with our tool.
I am trying to add as many of the questions that came out during the Q/A section of the talk here as I can. If I missed something that was asked, please feel free to email me. I’m happy to provide information other than full details until we feel the disclosure is proper. You can probably look forward to the next version later in the year at something like Derbycon or SecTor or something similar.