Morgan Roman presented on how to standardize the use of secure patterns in frameworks to prevent common vulnerabilities. The approach is to first identify unsafe patterns, make the safe pattern the default, train developers, and use tools to enforce the safe pattern. Examples given were preventing regex denial of service by wrapping regex in a timeout class, preventing XML external entity injection in Java by making a safe XML parser factory the default, and preventing open redirects by using a safe redirect method. The goal is to make security the easiest option for developers.
Using Chef InSpec for Infrastructure SecurityMandi Walls
This document provides an overview of Chef InSpec and how it can be used for infrastructure security assurance. Chef InSpec allows users to create tests for security and compliance related to infrastructure and then run those tests on systems locally or remotely. The document demonstrates how to use Chef InSpec to check for compliance with a security baseline, remediate any issues found using Chef infrastructure automation, and then re-check compliance.
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
Chef InSpec can be used to test for system security and compliance by creating profiles of InSpec tests. Profiles allow complex compliance requirements to be tested across different teams and environments. The document demonstrates running the open source linux-baseline profile against a CentOS system using InSpec, remediating any failures using the corresponding Chef cookbook, and then wrapping the linux-baseline profile in a custom profile to skip a specific test.
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
July 24, 2017 slides and demo for Automating Compliance with InSpec. The associated GitHub repository is here: https://github.com/mattray/inspec-workshop
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
This document provides an overview of InSpec, which is a tool for creating automated tests for compliance and security. InSpec allows users to write tests in a human-readable language to check systems for vulnerabilities or configuration issues. It can test infrastructure locally or remotely. Profiles can be created to package and share test suites. InSpec integrates with tools like Test Kitchen and can be included in development workflows to continuously test systems.
This is an approximately 90-minute InSpec workshop covering basic InSpec resources and profiles and applying them to Linux Hardening. Delivered at DevSecCon 2017 in London, October 20, 2017
Using Chef InSpec for Infrastructure SecurityMandi Walls
This document provides an overview of Chef InSpec and how it can be used for infrastructure security assurance. Chef InSpec allows users to create tests for security and compliance related to infrastructure and then run those tests on systems locally or remotely. The document demonstrates how to use Chef InSpec to check for compliance with a security baseline, remediate any issues found using Chef infrastructure automation, and then re-check compliance.
Prescriptive Security with InSpec - All Things Open 2019Mandi Walls
Chef InSpec can be used to test for system security and compliance by creating profiles of InSpec tests. Profiles allow complex compliance requirements to be tested across different teams and environments. The document demonstrates running the open source linux-baseline profile against a CentOS system using InSpec, remediating any failures using the corresponding Chef cookbook, and then wrapping the linux-baseline profile in a custom profile to skip a specific test.
Automating Compliance with InSpec - Chef Singapore MeetupMatt Ray
July 24, 2017 slides and demo for Automating Compliance with InSpec. The associated GitHub repository is here: https://github.com/mattray/inspec-workshop
Adding Security and Compliance to Your Workflow with InSpecMandi Walls
This document provides an overview of InSpec, which is a tool for creating automated tests for compliance and security. InSpec allows users to write tests in a human-readable language to check systems for vulnerabilities or configuration issues. It can test infrastructure locally or remotely. Profiles can be created to package and share test suites. InSpec integrates with tools like Test Kitchen and can be included in development workflows to continuously test systems.
This is an approximately 90-minute InSpec workshop covering basic InSpec resources and profiles and applying them to Linux Hardening. Delivered at DevSecCon 2017 in London, October 20, 2017
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
This document discusses InSpec, an open-source testing framework for infrastructure and compliance. It can be used to test security configurations and compliance across operating systems, platforms, and cloud providers. InSpec allows users to write tests in a human-readable language and execute them locally or remotely. Tests can be packaged into reusable profiles that ensure configurations meet security and compliance requirements throughout the development lifecycle.
This document discusses InSpec, an open-source testing framework for infrastructure and compliance. It can be used to test configurations and ensure security best practices are followed. InSpec uses human-readable tests and comes with built-in resources to test common infrastructure components. It can test locally or remotely on Linux, Windows, and cloud platforms. Profiles allow packaging tests for reuse across environments. InSpec integrates with DevOps tools like Chef and Test Kitchen to enable compliance testing in development workflows.
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
This document discusses using InSpec to build security checks into development workflows. It provides an example of using InSpec to check that an SSH configuration is using version 2. InSpec makes it possible to write tests against system configurations and services in a human-readable format. Tests can be packaged into shareable profiles and run during development and deployment to automate compliance checking.
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
This document discusses how to build security into your workflow using InSpec. InSpec is a human-readable specification language for testing security and compliance across infrastructure. It can be used to test configurations and identify issues. The document provides an example of using an InSpec profile to test that SSH is configured securely on a system before and after applying a security hardening cookbook. It emphasizes how InSpec helps automate security testing and ensures compliance is maintained over time as systems change.
Compliance Automation with InSpec - Chef NYC Meetup - April 2017adamleff
Presented at the Chef NYC meetup on April 20, 2017, this presentation reviews how to automate compliance scanning and reporting with InSpec by Chef and wrapped up with a hands-on workshop.
Analysis of the quality of libraries in the Packagist universe. Introduction to some tools for assessing package quality. Concepts associated with quality.
Php Dependency Management with Composer ZendCon 2017Clark Everetts
Composer is a dependency manager for PHP projects that allows installing dependencies and managing them per project. It determines a project's dependencies from the composer.json file, then recursively gets those and their dependencies, and installs them in the vendor folder. When composer install is run, it also generates a composer.lock file locking down the exact versions of each dependency.
InSpec is a tool that allows users to write security and compliance tests as human-readable code (or "profiles") that can be run on systems to check configurations and identify issues. Profiles can test for things like required SSH settings, file permissions, and package/patch levels. Profiles are run using the InSpec command line tool and can test local systems or remote targets like Linux servers. When profiles detect failures, they return non-zero exit codes to fail automation jobs. This allows InSpec to integrate with configuration management and infrastructure as code tools for continuous compliance monitoring.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon
The document discusses Yelp's use of Docker containers and microservices on their open source PaaSTA platform. It describes how Yelp uses Jenkins build pipelines with multiple steps, including a security-check step that runs tests to check for things like up-to-date packages, best practices for Docker containers, and known vulnerabilities. Any failures in the security tests will create a Jira ticket and notify teams so issues can be addressed quickly. The takeaways are that organizations can implement similar security testing in their own build pipelines to help service owners keep their software secure.
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
The document provides an introduction to infrastructure as code using Chef. It begins with an introduction by Nathen Harvey and outlines the sys admin journey from manually managing servers to using automation and policy-driven configuration management. It then discusses how infrastructure as code with Chef allows treating infrastructure like code by programmatically provisioning and configuring components. The document demonstrates configuring resources like packages, services, files and more using Chef.
This document discusses strategies for securely operating Docker containers. It begins by acknowledging valid security concerns with Docker and advocating understanding threat models and limitations. The document then explores issues of trust in Docker images and potential solutions like auditing tools and private registries. It outlines opportunities to automate security configuration checks and generate AppArmor profiles. Finally, it presents a vision for a registry of security profiles that could reduce the burden of container hardening. Overall, the document takes an empathetic approach to security concerns while highlighting practical steps and potential technical improvements.
Create Disposable Test Environments with Vagrant and PuppetGene Gotimer
As the pace of development increases, testing has more to do and less time in which to do it. Software testing must evolve to meet delivery goals while continuing to meet quality objectives. Gene Gotimer explores how tools like Vagrant and Puppet work together to provide on-demand, disposable test environments that are delivered quickly, in a known state, with pre-populated test data and automated test fixture provisioning. With a single command, Vagrant provisions one or more virtual machines on a local box, in a private or public cloud. Puppet then takes over to install and configure software, setup test data, and get the system or systems ready for testing. Since the process is automated, anyone on the team can use the same Vagrant and Puppet scripts to get his own virtual environment for testing. When you are finished with it, Vagrant tears it back down and restores it to the same original state.
The document discusses automated infrastructure testing. It explains that infrastructure testing involves automating the testing of code, infrastructure as code, and deployed infrastructure. This is done through unit, functional, integration and monitoring tests. The document recommends collaborating with operations and building thorough monitoring and analytics. Automating tests helps ensure battle tested code and infrastructure health. Cloud infrastructure also requires more testing across providers. Lessons include starting with most time consuming tasks and understanding domain concepts.
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
InSpec is a tool for defining infrastructure and security compliance tests in human-readable code. It can test systems locally or remotely. Profiles allow packaging and sharing InSpec test code. When used with configuration management tools like Chef, InSpec helps enforce security compliance and reduces risk of failures or vulnerabilities over time.
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
This document discusses using Chef Automate to enable continuous compliance through a three step process of detecting issues, correcting problems, and automating compliance. It notes that many organizations currently assess compliance inconsistently or after deploying code to production. Chef Automate allows detecting and correcting issues across infrastructure in a single platform using the same language for both DevOps and InfoSec teams. This enables deploying applications with confidence while maintaining security and compliance.
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
This document promotes secure software development practices and advertises an upcoming security conference. It discusses the speaker's background in security research and hacking competitions. It then outlines some common security issues like weak passwords, SQL injection, and open redirects. To demonstrate secure development, it proposes a hands-on exercise of attacking, fixing, and rewriting the codebase of a sample legacy online spaceflight booking application. The document emphasizes the importance of considering security throughout the entire software development lifecycle from design to deployment. It invites the reader to join the security conference conversation.
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
An introduction to InSpec and its motivations for teams looking for a security and compliance tool for their organizations. May 2017 edition. Atmosphere.pl Krakow and Netways OSDC Berlin.
Habitat is an open source application automation platform that allows development and operations teams to build, deploy, and manage any application on any infrastructure. It implements automation best practices like immutable infrastructure, declarative deployments, and configuration as code. Habitat provides tools for building packages, running services, and managing applications across platforms in a standardized way. The Habitat community is open source and supports many languages and platforms.
Drupal Continuous Integration with Jenkins - DeployJohn Smith
This document describes setting up Jenkins jobs to automate deploying code from a Git repository to different environments. It includes:
1. Creating a simple job that deploys code to a single server/environment using a deployment script.
2. Creating a generic job that deploys code to multiple servers/environments using parameters for the repository, branch, and environment.
3. A sample deployment script that would run on servers to check out the appropriate code from Git based on the job parameters.
The document discusses standardizing how developers use potentially dangerous aspects of frameworks securely. It recommends making the secure pattern the default by: 1) Identifying bad patterns that could lead to vulnerabilities like XSS, XXE, ReDoS, open redirects or SSRF; 2) Creating safe default alternatives that prevent the vulnerability; 3) Training developers to use the safe default; and 4) Implementing tools to enforce use of the safe pattern. Examples provided include how React prevents XSS by default and how .NET addresses XXE vulnerabilities. The approach aims to guide developers towards secure practices without extra effort.
Attacking and defending GraphQL applications: a hands-on approachDavide Cioccia
DevSecCon Seatlle 2019 - Workshop
The workshop is meant for developers, architects and security folks. During the workshop we will learn how to setup a GraphQL project, define a schema, create Query, Mutation and Subscription for a "fake" social network. We will learn what are the main security issues to consider when developing a GraphQL application:
Introspection: information disclosure
/graphql as a single point of failure (DoS attacks)
IDOR
Broken Access control
Injections
Once we get familiar with the issues, we will explain how to avoid it and/or fix it.
Inspec: Turn your compliance, security, and other policy requirements into au...Kangaroot
This document discusses InSpec, an open-source testing framework for infrastructure and compliance. It can be used to test security configurations and compliance across operating systems, platforms, and cloud providers. InSpec allows users to write tests in a human-readable language and execute them locally or remotely. Tests can be packaged into reusable profiles that ensure configurations meet security and compliance requirements throughout the development lifecycle.
This document discusses InSpec, an open-source testing framework for infrastructure and compliance. It can be used to test configurations and ensure security best practices are followed. InSpec uses human-readable tests and comes with built-in resources to test common infrastructure components. It can test locally or remotely on Linux, Windows, and cloud platforms. Profiles allow packaging tests for reuse across environments. InSpec integrates with DevOps tools like Chef and Test Kitchen to enable compliance testing in development workflows.
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...DevOpsDays Riga
This document discusses using InSpec to build security checks into development workflows. It provides an example of using InSpec to check that an SSH configuration is using version 2. InSpec makes it possible to write tests against system configurations and services in a human-readable format. Tests can be packaged into shareable profiles and run during development and deployment to automate compliance checking.
InSpec Workflow for DevOpsDays Riga 2017Mandi Walls
This document discusses how to build security into your workflow using InSpec. InSpec is a human-readable specification language for testing security and compliance across infrastructure. It can be used to test configurations and identify issues. The document provides an example of using an InSpec profile to test that SSH is configured securely on a system before and after applying a security hardening cookbook. It emphasizes how InSpec helps automate security testing and ensures compliance is maintained over time as systems change.
Compliance Automation with InSpec - Chef NYC Meetup - April 2017adamleff
Presented at the Chef NYC meetup on April 20, 2017, this presentation reviews how to automate compliance scanning and reporting with InSpec by Chef and wrapped up with a hands-on workshop.
Analysis of the quality of libraries in the Packagist universe. Introduction to some tools for assessing package quality. Concepts associated with quality.
Php Dependency Management with Composer ZendCon 2017Clark Everetts
Composer is a dependency manager for PHP projects that allows installing dependencies and managing them per project. It determines a project's dependencies from the composer.json file, then recursively gets those and their dependencies, and installs them in the vendor folder. When composer install is run, it also generates a composer.lock file locking down the exact versions of each dependency.
InSpec is a tool that allows users to write security and compliance tests as human-readable code (or "profiles") that can be run on systems to check configurations and identify issues. Profiles can test for things like required SSH settings, file permissions, and package/patch levels. Profiles are run using the InSpec command line tool and can test local systems or remote targets like Linux servers. When profiles detect failures, they return non-zero exit codes to fail automation jobs. This allows InSpec to integrate with configuration management and infrastructure as code tools for continuous compliance monitoring.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
DevSecCon London 2017: Permitting agility whilst enforcing security by Alina ...DevSecCon
The document discusses Yelp's use of Docker containers and microservices on their open source PaaSTA platform. It describes how Yelp uses Jenkins build pipelines with multiple steps, including a security-check step that runs tests to check for things like up-to-date packages, best practices for Docker containers, and known vulnerabilities. Any failures in the security tests will create a Jira ticket and notify teams so issues can be addressed quickly. The takeaways are that organizations can implement similar security testing in their own build pipelines to help service owners keep their software secure.
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
The document provides an introduction to infrastructure as code using Chef. It begins with an introduction by Nathen Harvey and outlines the sys admin journey from manually managing servers to using automation and policy-driven configuration management. It then discusses how infrastructure as code with Chef allows treating infrastructure like code by programmatically provisioning and configuring components. The document demonstrates configuring resources like packages, services, files and more using Chef.
This document discusses strategies for securely operating Docker containers. It begins by acknowledging valid security concerns with Docker and advocating understanding threat models and limitations. The document then explores issues of trust in Docker images and potential solutions like auditing tools and private registries. It outlines opportunities to automate security configuration checks and generate AppArmor profiles. Finally, it presents a vision for a registry of security profiles that could reduce the burden of container hardening. Overall, the document takes an empathetic approach to security concerns while highlighting practical steps and potential technical improvements.
Create Disposable Test Environments with Vagrant and PuppetGene Gotimer
As the pace of development increases, testing has more to do and less time in which to do it. Software testing must evolve to meet delivery goals while continuing to meet quality objectives. Gene Gotimer explores how tools like Vagrant and Puppet work together to provide on-demand, disposable test environments that are delivered quickly, in a known state, with pre-populated test data and automated test fixture provisioning. With a single command, Vagrant provisions one or more virtual machines on a local box, in a private or public cloud. Puppet then takes over to install and configure software, setup test data, and get the system or systems ready for testing. Since the process is automated, anyone on the team can use the same Vagrant and Puppet scripts to get his own virtual environment for testing. When you are finished with it, Vagrant tears it back down and restores it to the same original state.
The document discusses automated infrastructure testing. It explains that infrastructure testing involves automating the testing of code, infrastructure as code, and deployed infrastructure. This is done through unit, functional, integration and monitoring tests. The document recommends collaborating with operations and building thorough monitoring and analytics. Automating tests helps ensure battle tested code and infrastructure health. Cloud infrastructure also requires more testing across providers. Lessons include starting with most time consuming tasks and understanding domain concepts.
OSDC 2017 | Building Security Into Your Workflow with InSpec by Mandi WallsNETWAYS
InSpec is a tool for defining infrastructure and security compliance tests in human-readable code. It can test systems locally or remotely. Profiles allow packaging and sharing InSpec test code. When used with configuration management tools like Chef, InSpec helps enforce security compliance and reduces risk of failures or vulnerabilities over time.
DevOpsDays Singapore - Continuous Auditing with Compliance as CodeMatt Ray
This document discusses using Chef Automate to enable continuous compliance through a three step process of detecting issues, correcting problems, and automating compliance. It notes that many organizations currently assess compliance inconsistently or after deploying code to production. Chef Automate allows detecting and correcting issues across infrastructure in a single platform using the same language for both DevOps and InfoSec teams. This enables deploying applications with confidence while maintaining security and compliance.
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
This document promotes secure software development practices and advertises an upcoming security conference. It discusses the speaker's background in security research and hacking competitions. It then outlines some common security issues like weak passwords, SQL injection, and open redirects. To demonstrate secure development, it proposes a hands-on exercise of attacking, fixing, and rewriting the codebase of a sample legacy online spaceflight booking application. The document emphasizes the importance of considering security throughout the entire software development lifecycle from design to deployment. It invites the reader to join the security conference conversation.
Adding Security to Your Workflow with InSpec (MAY 2017)Mandi Walls
An introduction to InSpec and its motivations for teams looking for a security and compliance tool for their organizations. May 2017 edition. Atmosphere.pl Krakow and Netways OSDC Berlin.
Habitat is an open source application automation platform that allows development and operations teams to build, deploy, and manage any application on any infrastructure. It implements automation best practices like immutable infrastructure, declarative deployments, and configuration as code. Habitat provides tools for building packages, running services, and managing applications across platforms in a standardized way. The Habitat community is open source and supports many languages and platforms.
Drupal Continuous Integration with Jenkins - DeployJohn Smith
This document describes setting up Jenkins jobs to automate deploying code from a Git repository to different environments. It includes:
1. Creating a simple job that deploys code to a single server/environment using a deployment script.
2. Creating a generic job that deploys code to multiple servers/environments using parameters for the repository, branch, and environment.
3. A sample deployment script that would run on servers to check out the appropriate code from Git based on the job parameters.
The document discusses standardizing how developers use potentially dangerous aspects of frameworks securely. It recommends making the secure pattern the default by: 1) Identifying bad patterns that could lead to vulnerabilities like XSS, XXE, ReDoS, open redirects or SSRF; 2) Creating safe default alternatives that prevent the vulnerability; 3) Training developers to use the safe default; and 4) Implementing tools to enforce use of the safe pattern. Examples provided include how React prevents XSS by default and how .NET addresses XXE vulnerabilities. The approach aims to guide developers towards secure practices without extra effort.
Attacking and defending GraphQL applications: a hands-on approachDavide Cioccia
DevSecCon Seatlle 2019 - Workshop
The workshop is meant for developers, architects and security folks. During the workshop we will learn how to setup a GraphQL project, define a schema, create Query, Mutation and Subscription for a "fake" social network. We will learn what are the main security issues to consider when developing a GraphQL application:
Introspection: information disclosure
/graphql as a single point of failure (DoS attacks)
IDOR
Broken Access control
Injections
Once we get familiar with the issues, we will explain how to avoid it and/or fix it.
(SEC202) Best Practices for Securely Leveraging the CloudAmazon Web Services
Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that make innovation continual. As with any paradigm shift, cloud computing requires different rules and a different way of thinking. This presentation will highlight best practices to build and secure scalable systems in the cloud and capitalize on the cloud with confidence and clarity.
In this session we will cover:
Key market drivers and advantages for leveraging cloud architectures.
Foundational design principles to guide strategy for securely leveraging the cloud.
The “Defense in Depth” approach to building secure services in the cloud, whether it’s private, public, or hybrid.
Real-world customer insights from organizations who have successfully adopted the ""Defense in Depth"" approach.
Session sponsored by Sumo Logic.
DevSecCon Seattle 2019: Liquid Software as the real solution for the Sec in D...DevSecCon
The document discusses the challenges of delivering software and security fixes to customers. It describes the three phases of identifying vulnerabilities, fixing them, and getting fixes to customers. Getting fixes to customers often takes a long time due to long testing cycles, customers distrusting patches that may introduce bugs, and the challenges of deploying large patches. The document proposes the concept of "Liquid Software" which is continuously updating software with small changes, similar to how water is constantly flowing. This could allow for more frequent updates in smaller chunks to continuously patch vulnerabilities and add features. Various patterns are discussed for implementing continuous updates, such as canary releases, rollback capabilities, zero downtime updates, and automating processes.
This document contains slides from a presentation by Kev McCabe on software craftsmanship. The presentation discusses agile development and its focus on individuals, interactions, working software over documentation, and responding to change. However, McCabe notes many agile projects are producing mediocre software due to a lack of technical practices and professionalism. He advocates for an emphasis on software craftsmanship principles like clean code, testing, code reviews and continuous integration to help developers build high quality software through practice and experience. The document contains numerous slides on specific techniques and practices to achieve software craftsmanship.
During a recent webinar, Lewis Ardem, senior security consultant at Synopsys presented "Reviewing Modern JavaScript Applications. " For more information, please visit our website at www.synopsys.com/software
The document provides an agenda and materials for a responsive web development workshop. The 3 hour workshop will cover topics like responsive web design, media queries, CSS preprocessors, grids, and developing for devices and older browsers. It includes 105 slides and exercises for attendees to complete as they learn. The workshop will be led by Amelia Schmidt, a lead front-end developer, and aims to be interactive with questions encouraged. Attendees are provided a list of software they should have installed like Sublime Text, Xcode, Git, and virtual machines for testing across platforms.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the 11th Annual Northern Kentucky University Cybersecurity Symposium on 10/12/2018.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
This document outlines an agenda for an Automating SecDevOps workshop on November 10-11, 2017 in Bangalore, India. The agenda covers various topics related to automating security in DevOps environments like securing custom code, third party code issues, static and dynamic code analysis, continuous monitoring, and configuration and infrastructure as code. It also discusses how automation can help address challenges with adversaries using automation against organizations and the need to automate security. Breaks, demonstrations, and questions are included in the schedule.
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the Ohio Information Security Forum (OISF) Anniversary Conference on 07/14/2018 in Dayton, Ohio.
Title: Active Defense - Helping threat actors hack themselves!
Abstract:
Have you ever received one of those data breach notification letters in the mail? The short-term amends provided for having your personal data compromised is typically in the form of free short-term credit monitoring services. An entire Information Security industry segment has sprung up around Data Loss Prevention (DLP) aimed at stopping confidential data from being "leaked" out of an organization's boundaries for unauthorized use. What if the data breach perpetrators got a healthy dose of their own medicine instead of your private data? We cannot "hack back" legally today, but perhaps we can lure these malicious threat actors into actually hacking themselves... This presentation covers "Active Defense" techniques designed to frustrate data bandits attempting to steal and ex-filtrate our data.
The focus of this presentation is on actively defending a live public facing website. We begin by covering methods to shield innocent users by protecting them from our active defenses. We take advantage of malicious visitor’s impulse to evade all the rules by setting traps designed to ensnare those attempting to steal our data. The techniques covered involve faking accidental exposure and baiting traps using fictitious files and data too irresistible for cyber thieves to ignore. I then demonstrate deployable techniques used to fight back without launching a single attack.
PHP Mega Meetup, Sep, 2020, Anti patterns in phpAhmed Abdou
PHP is one of the easiest programming languages to use ever and powers more than half of the internet.
With this ease of use, certain common patterns emerge that become harmful. This is especially true when your product or service is not expected to die soon. Some anti-patterns are coding, others are related to operating your service, especially with new docker stacks. We will go over some of the most common pitfalls with a focus on enterprise development.
This document summarizes best practices for building an application security program at a startup. It recommends getting organizational buy-in, building a security team by networking and attending events, and shifting security left by training developers. It also discusses implementing threat modeling, carefully vetting security vendors, embedding security engineers with developer teams, and continuing to improve processes over time. The overall message is that security is a collaborative effort involving the whole company.
The document discusses JavaScript and the issues with cross-site scripting (XSS) attacks on the web. It argues that XSS is a fundamental problem caused by a confusion of interests in the browser model. The document calls for resetting the HTML5 proposal to make solving XSS the top priority and developing a new "safe mode" with a simpler DOM and capabilities model to protect all interests.
This document provides best practices for developing SDKs. It discusses defining the SDK's purpose and services, planning the public API with an easy to use builder pattern and exceptions, planning the internal architecture with minimal dependencies and permissions, writing code with unique prefixes and lifecycle considerations, including sample apps and documentation, packaging as an AAR file, and tools for testing like Battery Historian and Stetho.
Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. This session shares lessons learned with deploying CSP at Yahoo.
How to Incorporate a Security-First Approach to Your Products by spiderSlik C...Product School
This document discusses how product managers, engineers, and business stakeholders can incorporate security-first approaches into their work. It provides background on the speaker and outlines several trends in cybersecurity, such as misconfigurations becoming a major risk. It then offers specific actions each group can take, such as product managers nominating a security champion, engineers following the OWASP Top 10 guidelines and limiting permissions, and business stakeholders developing an emergency plan. Useful resources for further learning are also included.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Banfootguns devseccon 2019
1. Seattle | September 16-17, 2019
Ban Footguns:
How to standardize how developers use dangerous
aspects of your framework
MORGAN ROMAN
2. Seattle | September 16-17, 2019
About Me
Currently work on the application security team at
DocuSign
Special thanks to Hailey Dhanens, John Heasman,
Krishna Rai, Rui Tu, Josh Estalilla, and Skyler Berg
We were tired of playing whack-a-mole with bugs
Note: My examples may use one particular library or framework,
but this strategy is independent of any
framework/language/library.
3. Seattle | September 16-17, 2019
The problem
A B
The easy way
Validation
Encoding
Logging
The secure way
4. Seattle | September 16-17, 2019
The solution
A B
Make the easy way the secure way
5. Seattle | September 16-17, 2019
This is BAD!
A B
The easy way
Validation
Encoding
Logging
The secure way
6. Seattle | September 16-17, 2019
This is GOOD!
A B
Make the easy way the secure way
7. Seattle | September 16-17, 2019
If you make the easy way the secure way
● Developers will do whatever is simplest, which is secure
● You will need less developer training
● Training will be more effective
● Security will not impede development
9. Seattle | September 16-17, 2019
Example: Reducing XSS thanks to React
• By Default: HTML will not encode user input by default
• It relies on the developer to encode the user input
• The app will ‘work’ without proper encoding
• This leads to XSS
• React/JSX makes it safe by default
• By default it encodes
• If you want to go unsafe, you have a scary name!
• Result: developers usually do it the safe way
10. Seattle | September 16-17, 2019
Example: Eliminating the dangers of string concatenation
● Dynamic SQL can end up with SQL injection
● ORMs (Object relational mapper) removes the need for dynamic SQL
● Result: Developers do it the safe way!
The developers just wanted to query the database
And then they shoot themselves in the foot!
Set it to ‘alice OR 1=1’ and you’ll dump the whole DB!
11. Seattle | September 16-17, 2019
Example XXE in .Net
• By default: XMLDocument uses document type definitions (DTD)
• This lead to XML external entity attacks
• To turn it off you had to set the ProhibitDtd property to true
• From .Net 4.6 onward it was safe by default
• If you really wanted, you can turn it back on
• Result: developers do it the safe way
The developers just wanted to parse XML!
And then they shoot themselves in the foot!
You can just read from the file system!
12. Seattle | September 16-17, 2019
How to make the easy way the secure way!
A B
13. Seattle | September 16-17, 2019
How to make it easy
1. Find the bad pattern
2. Make the the safe pattern the default one
3. Train the developers to use the safe pattern
4. Build tools to enforce the new rules
14. Seattle | September 16-17, 2019
ReDoS: Regex Denial of Service
● In some frameworks an inefficient regex can hold up a thread
perpetually
● The safe way is to ALWAYS wrap it in a timeout
Developers have to remember a timeout every time!
15. Seattle | September 16-17, 2019
ReDoS: Make it safe by default
● Create a wrapper class around regex
This gets technical
Do this once right so you don’t repeat yourself
16. Seattle | September 16-17, 2019
ReDoS: Sample training
If you use the default regex class, a poorly crafted regular expression can
result in executing with exponential time. Instead use the MySafeRegex
class since this bounds the execution to a reasonable amount of time.
17. Seattle | September 16-17, 2019
How to write training/documentation
• If you use <THE BAD WAY>, <BAD THING WILL HAPPEN>. Instead use the
<THE GOOD WAY> since <IT STOPS THE BAD THING>.
• DO NOT DO THIS:
• <EXAMPLE OF THE BAD WAY>
• DO THIS INSTEAD:
• <EXAMPLE OF THE GOOD WAY>
Explain it simply and clearly.
You do not need to use security lingo
like XXE/ReDoS/XSS/RCE etc.
First show an example on how the developer
intends to do it if you have one
Then show how they can do it correctly.
Make sure it is simple to do.
If you want, you can include more details and links to OWASP or another good resource.
18. Seattle | September 16-17, 2019
When should you train developers?
● When they get access to the repository
● Once a year, retrain for their specific department
19. Seattle | September 16-17, 2019
ReDoS Code Analysis
Simple way
Use a regex to find where your developers are using
the bad method:
I recommend using a tool like DevSkim, but you can
use any code searching tool like grep
https://github.com/microsoft/DevSkim
Complex and more accurate way
Use a static analyzer to find all instances of the base
regex class being used
Roslyn is a great tool for this. You can get the type of
all objects and then show results for banned classes.
20. Seattle | September 16-17, 2019
Example unsafe regex class rule for DevSkim
Clear description
Optional:
Link to documentation
Start with simple rules.
Go for 80%
Optional:
Have exclusions
21. Seattle | September 16-17, 2019
When to use this code analysis
● In the IDE is great, but difficult to get adoption
● Developers are open to feedback in pull requests before merge
• The target is developers. Include it as part of your existing CI/CD
pipeline
● On your own cadence for your entire code base
• The target is the security team. Schedule a regular cadence for this
22. Seattle | September 16-17, 2019
How we made it easy to stop ReDoS
1. Find the bad pattern
2. Make the the safe pattern the default one
3. Train the developers to use the safe pattern
4. Build tools to enforce the new rules
23. Seattle | September 16-17, 2019
XXE in Java: Bad Pattern and Safe Default
● By default the SAXParser XML parser for Java allows DTDs
● Create a wrapper factory
SAXParser is just an example Java library, I am not picking on it for any particular reason.
This is explained for other Java libraries on:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html accessed 07/29/2019
Wrap in your own class
Set to safe by default
24. Seattle | September 16-17, 2019
XXE in Java: Training
• If you use the standard XML parsers like SAXParser, you may allow an
attacker to remotely write files and control the server through the DTD.
Instead use the MySafeXMLParserFactory since it blocks the attacker
from setting DTD variables.
26. Seattle | September 16-17, 2019
How we made it easy to stop XXE
1. Find the bad pattern
2. Make the the safe pattern the default one
3. Train the developers to use the safe pattern
4. Build tools to enforce the new rules
27. Seattle | September 16-17, 2019
Imagine you get an email like…
Hello!
We need you to log into your bank account to verify your information since
we believe you may have been hacked.
Please go to https://somebigbank.com?redirect=http://evilphishingsite.com
and type in your username and password to stop Mr. Robot!
We take your security very seriously!
Some Big Bank
28. Seattle | September 16-17, 2019
Dangers of Open Redirects
● Open redirects can trick users into malicious phishing sites
● If you don’t block the protocol, you can get XSS if the payload is:
javascript:alert(1)
● We often recommend people to use a whitelist
Let’s play spot the bug!!!
mysafewebsitexcom.evilwebsite.com
evilwebsite.com?foo=mysafewebsite.com
javascript:alert(‘mysafewebsite.com’)
29. Seattle | September 16-17, 2019
Redirect safely once and for all!
● Make a Safe Redirect with:
○ An internal redirect method
■ Blocks all non-http(s) protocols
■ Only allows redirects to your
specific site
○ An external redirect method
■ Blocks all non-http(s) protocols
■ Requires a whitelist as an
argument
You can assume all internal redirects are safe
You can audit all uses of the external redirect to ensure it
has a good whitelist
30. Seattle | September 16-17, 2019
Example DevSkim Rules for Open Redirects
For ‘unsafe’ use cases
Aim for 80% on your rule
31. Seattle | September 16-17, 2019
Dangers of Server Side Request Forgery
Hacker
Vulnerable
Server
Victim
Server
Blocked
Bypasses the firewall
32. Seattle | September 16-17, 2019
What could you do with server side request forgery in C#?
● Get past the firewall by calling internal IP addresses
● Call external servers with long responses
● Do a file read file:C:pathtofile.txt
● Do a file write to file:C:inetpubwwwrootdefault.html
33. Seattle | September 16-17, 2019
Server Side Request Forgery
● Sometimes an application must perform web calls (This is a feature)
● You want to limit the damage of SSRFAAS (SSRF as a service)
○ Block internal IPs
○ Have a built in timeout for long running requests
○ Block calls to the file system (This can lead to LFI and RCE)
● Set up a safe version that inherits all the features of your web client
library
35. Seattle | September 16-17, 2019
1. Find the bad pattern
• Look for a common ‘sink’
that a kind of bug has to
reach
ReDoS must reach a regular expression!
XXE requires that you parse XML!
Open redirects require a redirect!
36. Seattle | September 16-17, 2019
2. Make the safe pattern the default one
• Make a safe default wrapper class for the unsafe method
• Have a coder do this once right
37. Seattle | September 16-17, 2019
3. Train the developers to use the safe pattern
• If you use <THE BAD WAY>, <BAD THING WILL HAPPEN>. Instead use the
<THE GOOD WAY> since <IT STOPS THE BAD THING>.
• DO NOT DO THIS:
• <EXAMPLE OF THE BAD WAY>
• DO THIS INSTEAD:
• <EXAMPLE OF THE GOOD WAY>
38. Seattle | September 16-17, 2019
4. Build tools to enforce the rules
● Use simple regex to find the bad pattern with tools like DevSkim
● Aim for 80% effective at first
● Run at a regular cadence
39. Seattle | September 16-17, 2019
Recap on how to do this
1. Find the bad pattern
2. Make the safe pattern the default one
3. Train the developers to use the safe pattern
4. Build tools to enforce the new rules
Make the easy way the secure way!
A B
DocuSign is a esignature platform. I was an SDET. I wrote web and api tests. I would help out the security team by creating regression tests for them occasionally. DocuSign has an amazing set of integration tests.
May add filter?
Is repeating bad?
Simple as possible to get it running
Hard to undo bad patterns
The default
Angular does it too!
DTD = document type definitions
The Gist of what we are doing
Bad pattern
Make it safe by default
Add image
Remember to explain DevSkim made by microsoft
Talk about blocking with these tools at the PR
How to convince devs:
Before they get git access
During PRs
Bad idea in the IDE
Format of the code {
"name": "Possible regex denial of service attack",
"id": "REDOS_1",
"description": "It is possible to perform a regex denial of service attack with the standard .Net regex library. ",
"recommendation": "Please use MySafeRegex class to generate this",
"applies_to": [
"csharp"
],
"severity": "important",
"patterns": [
{
"pattern": "new Regex\\(",
"type": "regex-word",
"scopes": [
"code"
]
}
],
"conditions": [
{
"pattern": {
"pattern": "new MySafeRegex\\(",
"type": "regex-word",
"scopes": [
"code"
]
},
"search_in": "finding-only",
"negate_finding": true
}
]
},
The Gist of what we are doing
Bad pattern
Make it safe by default
Note that you didn’t need exceptions in this one
The Gist of what we are doing
Bad pattern
Make it safe by default
Mysafewebsitexcom.evilwebsite.com would match
evilwebsite.com?foo=mysafewebsitexcom would match