With a great ecosystem, comes great responsibility, and application security is not one to wave off. Let’s review some black clouds of security horror stories in the Node.js ecosystem, and learn how to mitigate them to build secure JavaScript and Node.js applications.
"Black Clouds and Silver Linings in Node.js Security" Liran Tal (Julia Cherniak)
Remember eslint-scope and event-stream incidents? As an energetic member of the Node.js Foundation's Security Working Group, Liran will provide a 360 perspective of some black clouds of security horror stories in the JavaScript & Node.js ecosystem and educate on mitigating and building secure applications. We will deep-dive into practical Node.js vulnerabilities and how to protect against them, and cover some of OWASP Top 10. Liran will also introduce initiatives the Node.js Security WG have been undertaking to secure the ecosystem and recent security updates in npm.
The document discusses securing Ruby on Rails applications. It covers topics like transport layer security (TLS and SSL), session hijacking, content security policy, cross-site scripting protection, and static code analysis tools. Gems like secure_headers, Brakeman, codesake-dawn and gauntlt can help audit code and build attacks to test vulnerabilities. Maintaining TLS is important to protect against man-in-the-middle attacks and securely transmit sensitive data like passwords.
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers (Alexandre Moneger)
The document discusses generating return-oriented programming (ROP) payloads using numbers found in memory. It proposes a technique called "number stitching" which involves representing shellcode as increasing numeric deltas, finding numbers in memory to build those values, and using them to reconstruct the shellcode on a controlled stack. This solves the problem of finding long byte sequences or gadgets, by instead stitching together smaller numbers available in memory. The document outlines solving the "coin change problem" to efficiently find combinations of numbers that sum to each shellcode chunk value.
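As an added example (not Moneger's code or data), here is the stitching loop in miniature, in JavaScript. It assumes a single accumulator that can only have numbers read from memory added to it and then be written to a stack slot, so the payload chunks are visited in increasing order and each delta between consecutive values is solved as a coin change problem over the numbers assumed to be available. The payload bytes, the 16-bit chunk width (used instead of machine words so the DP table stays small) and the AVAILABLE set are constructed for the demo.

```javascript
'use strict';
// Added example: number stitching in miniature. Chunk width, payload bytes and
// the set of "numbers found in memory" are constructed assumptions.

const WIDTH = 2; // bytes per chunk; real payloads would use the machine word size

// Split a byte buffer into little-endian integer chunks of WIDTH bytes.
function toChunks(bytes, width = WIDTH) {
  if (bytes.length % width !== 0) throw new Error('payload length must be a multiple of width');
  const chunks = [];
  for (let i = 0; i < bytes.length; i += width) {
    let v = 0;
    for (let j = width - 1; j >= 0; j--) v = (v << 8) | bytes[i + j];
    chunks.push(v);
  }
  return chunks;
}

// Visit chunks in increasing value order so every step is a non-negative delta
// from the previous accumulator value; remember the original slot for reassembly.
function increasingDeltas(chunks) {
  const order = chunks.map((value, slot) => ({ value, slot }))
                      .sort((a, b) => a.value - b.value);
  let prev = 0;
  return order.map(({ value, slot }) => {
    const step = { slot, value, delta: value - prev };
    prev = value;
    return step;
  });
}

// Minimal-count coin change with unbounded supply (a number in memory can be
// read as often as needed). Returns the sorted numbers used, or null if unreachable.
function coinChange(target, coins) {
  const INF = Number.POSITIVE_INFINITY;
  const best = new Array(target + 1).fill(INF);
  const via = new Array(target + 1).fill(0);
  best[0] = 0;
  for (let a = 1; a <= target; a++) {
    for (const c of coins) {
      if (c <= a && best[a - c] + 1 < best[a]) { best[a] = best[a - c] + 1; via[a] = c; }
    }
  }
  if (best[target] === INF) return null;
  const used = [];
  for (let a = target; a > 0; a -= via[a]) used.push(via[a]);
  return used.sort((x, y) => x - y);
}

// Full plan: for each chunk, in increasing order, the numbers to add to the accumulator.
function stitch(bytes, available) {
  return increasingDeltas(toChunks(bytes)).map(step => {
    const add = coinChange(step.delta, available);
    if (add === null) throw new Error(`delta ${step.delta} not reachable with available numbers`);
    return { ...step, add };
  });
}

// Replay the plan: accumulate, then write each reached value into its slot.
function reconstruct(plan, nChunks, width = WIDTH) {
  const out = new Uint8Array(nChunks * width);
  let acc = 0;
  for (const step of plan) {
    acc += step.add.reduce((s, x) => s + x, 0);
    for (let j = 0; j < width; j++) out[step.slot * width + j] = (acc >>> (8 * j)) & 0xff;
  }
  return out;
}

// Constructed inputs: a stand-in payload and a made-up set of in-memory numbers.
const PAYLOAD = new Uint8Array(Buffer.from('PAYLOAD!', 'ascii'));
const AVAILABLE = [1, 2, 5, 0x10, 0x40, 0x100, 0x800, 0x1000, 0x4000];

function demo() {
  const plan = stitch(PAYLOAD, AVAILABLE);
  const rebuilt = reconstruct(plan, PAYLOAD.length / WIDTH);
  const ok = rebuilt.length === PAYLOAD.length && rebuilt.every((b, i) => b === PAYLOAD[i]);
  return { plan, ok };
}
```

The two places where a real campaign differs are the chunk width (machine words) and the fact that AVAILABLE must be harvested from the target process rather than chosen; with a 1 in the set every delta is solvable, so the interesting work is the search when small numbers are absent.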
Open source security tools for Kubernetes. (Michael Ducy)
Cloud Native platforms such as Kubernetes help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important.
In this talk, we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
Lessons Learned in Automating Compliance for Containers (All Things Open)
This document discusses open source software compliance for containers. It explains that container images are made up of layered filesystems, so the dependencies and licenses of each layer need to be determined. However, determining this information can be challenging as Dockerfiles and container build processes do not always provide full transparency. The document introduces the Tern tool, which aims to automate open source software compliance for containers by analyzing package managers, files, and layers to provide package versions, licenses, and software sources used.
Securing your Container Environment with Open Source (Michael Ducy)
Cloud Native platforms such as Kubernetes and Cloud Foundry help developers to easily get started deploying and running their applications at scale. But as this access to compute starts to become ubiquitous, how you secure and maintain compliance standards in these environments becomes extremely important. In this talk we'll cover the basics of securing Cloud Native platforms such as Kubernetes. We will also cover open source tools - such as Clair, Anchore, and Sysdig Falco - that can be used to maintain a secure computing environment. Attendees will walk away with a good understanding of the challenges of securing a Cloud Native platform and practical advice on using open source tools as part of their security strategy.
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in coming. In some cases we managed to attack SIM cards and install a malicious Java applet on them, we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS, and even to get access to the internal technological network of a carrier.
Further evolution of the attack helped us understand how a simple SMS can be used as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box the modem is connected to.
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6... (Felipe Prado)
This document discusses a DNS cache poisoning attack that exploits IP fragmentation. It begins with background on DNS and DNSSEC. It then explains how predictable IPIDs in DNS responses can be inferred, allowing an off-path attacker to poison caches with few attempts. The attack works across IPv4 and IPv6 by targeting predictable timing of DNS requests. Mitigations are discussed but the attack remains effective against current recommendations.
Practical non blocking microservices in java 8 (Michal Balinski)
How to write applications in Java 8 that do not waste resources and that maximize effective utilization of CPU/RAM. A comparison of blocking and non-blocking approaches for I/O and application services, based on microservices implementing simple business logic in the security/cryptography/payments domain. Demonstration of the following aspects:
* NIO at all edges of application
* popular libraries that support NIO
* single instance scalability
* performance metrics (incl. throughput and latency)
* resources utilization
* code readability with CompletableFuture
* application maintenance and debugging
All of the above is based on experience gathered during development of software platforms at Oberthur Technologies R&D Poland.
The document discusses symmetric encryption in Java. It shows how to generate a symmetric key, use it to encrypt a message with DESede (Triple DES), and output the encrypted bytes as a Base64-encoded string. Securely transmitting the symmetric key between the parties is identified as the central challenge of symmetric encryption. Note that DESede is a legacy 64-bit-block cipher that NIST has deprecated; new code should use AES, preferably in an authenticated mode such as GCM.
SBA Live Academy - Secure Containers for Developer by Mathias Tausig (SBA Research)
Target Group: SysAdmins, Developer, DevOps
Focus: technical
Talk language: English
Abstract
**********
What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker?
About the Speaker:
*********************
Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.
This document discusses security linters Bandit and Gosec. It provides information on what each linter is, the types of security issues it can detect in Python and Go code respectively, how to configure and use each linter, examples of integrating the linters into development tools and workflows, and how to contribute to the open source projects. It also describes a yet-to-be-named GitHub App the presenter is working on that will automatically scan pull requests with Bandit and Gosec.
Presenter: Alexander Popov (Александр Попов)
This talk presents the successful use of the KASan (Kernel Address Sanitizer) debugging mechanism in a standalone hypervisor. The speaker will explain how KASan was hardened compared to its implementation in the Linux kernel.
Monitoring & Securing Microservices in Kubernetes (Michael Ducy)
Applications running in containers provide a myriad of choices to the developer. But how do you provide the services needed to monitor and secure these applications when they run on platforms such as Kubernetes? This presentation covers some common-sense principles for monitoring and securing your Kubernetes-based applications.
curl - a hobby project that conquered the world (Daniel Stenberg)
This document summarizes the open source project curl, a command line tool and library for transferring data with various protocols. It began as a hobby project in 1998 and has grown significantly over time to support many protocols and platforms and to be used by thousands of companies. It has been developed openly on GitHub by a small core team and many volunteer contributors over its 20+ year history.
Detection index learning based on cyber threat intelligence and its applicati... (CODE BLUE)
While sharing cyber threat intelligence (CTI) and preparing countermeasures in advance grows more important as cyber attacks become more sophisticated, the IP addresses and domains that CTI provides as detection indices are disposed of (changed or abandoned) by attackers in short cycles. On the defender side, the response has been to raise attackers' costs by sharing CTI faster, and we receive large volumes of CTI every day. As a result, the CTI itself becomes disposable in a short cycle. In this report we built a detection-index learning method based on CTI accumulated day by day, implemented a detection-index learning engine that learns how attackers use detection indices, and report on the learning results. We also report on the possibility of reconstructing and combining the learned detection indices and applying them, together with another data source, to mid- to long-term advanced protection.
Automating Security Response with Serverless (Michael Ducy)
This document discusses using serverless technologies for automating security response. It provides an overview of serverless computing benefits and design patterns. Examples of open source serverless platforms like Knative and Kubeless are described. The document also discusses using MLGuard, Falco, and security playbooks with serverless functions to detect anomalies and automate security response actions like killing offending pods.
360° Kubernetes Security: From Source Code to K8s Configuration Security (DevOps.com)
Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely.
Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss:
* The security risks associated with open-source code and Kubernetes environments
* Supply Chain: Continuous Security throughout the CI/CD pipeline
* Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more.
* How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.
This document discusses security assessments of 4G mobile networks. It introduces the presenters and provides an overview of 4G network architecture and potential vulnerabilities, including at the radio access network level and GPRS Tunnelling Protocol. Examples of attacks like GTP "synfloods" are mentioned. The document advocates working with mobile operators to identify and address security issues for the benefit of subscribers.
This document provides an overview of advanced encryption concepts, including research, books, news events, costs, laws, deeper Java Virtual Machine (JVM) encryption, encoding, hashing, salting, keytool, SSL/TLS, elliptic curve cryptography, and other techniques like steganography. Specific algorithms, encodings and tools are discussed, such as RSA, the MD5 and SHA-1 hash functions (both now considered broken for collision resistance), HMAC, Base64, and the JDK's keytool. Attacks on encryption systems reported in the news are also summarized.
The document discusses security best practices for Node.js applications. It covers using packages like Helmet to set secure HTTP headers, signing session cookies with packages like cookie-session, preventing cross-site request forgery with csurf (a CSRF defence, not an XSS one), validating and sanitizing user input with express-validator, and hashing (not encrypting) passwords with bcrypt. It also discusses building HTTPS servers, scanning dependencies for known vulnerabilities with tools like nsp (the Node Security Platform, since folded into npm audit) and Snyk, and using the OWASP NodeGoat project, which intentionally contains vulnerabilities, for security training and testing.
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018] (RootedCON)
We describe how, with simple programming, we carry out a MITM (man-in-the-middle) attack against a machine and how we try to make it go unnoticed.
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC (PROIDEA)
This document discusses DNSSEC (Domain Name System Security Extensions) and its importance for securing the Domain Name System (DNS) infrastructure. It provides an overview of vulnerabilities like cache poisoning attacks that DNSSEC aims to address. It highlights how attitudes towards DNSSEC deployment have changed rapidly in recent years. The document outlines several cache poisoning attacks like Kaminsky's 2008 attack that exploited vulnerabilities in DNS resolvers and spurred improved security. It provides resources for learning about and testing DNSSEC implementations to help secure domains. Overall, the document makes a case for DNSSEC as a critical long-term solution to DNS security issues.
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019] (RootedCON)
This document discusses dual stack IPv4 and IPv6 threat analysis. It notes that firewalls and intrusion detection systems may not recognize IPv6 traffic and could be bypassed. It also lists security considerations like vulnerabilities in IPv6, lack of vendor support, and lack of knowledge by security teams. Unauthorized deployment of IPv6 is highlighted as a risk since most current operating systems support IPv6 by default. The document provides information on analyzing IPv6 prefixes and addresses to identify threats and indicates various categories of malware, fraud, and anonymization threats that could be investigated.
Is my software ecosystem healthy? It depends! (Tom Mens)
QUATIC 2020 keynote presentation by Tom Mens (University of Mons) on dependency-related health issues in software ecosystems and research advances to address such health issues. Part of the presented research has been conducted as part of the Belgian SECO-ASSIST Excellence of Science Research Project.
stackconf 2021 | Continuous Security – integrating security into your pipelines (NETWAYS)
In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure are becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration are now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge that the previous model of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data that enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build in security as part of our CI/CD process.
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
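Several of the webinar's items are checkable mechanically against a Pod manifest before it reaches a cluster. As an added example (not material from the webinar), the JavaScript below audits a parsed Pod for privileged containers, missing `allowPrivilegeEscalation: false`, writable root filesystems (the usual precondition for container drift), missing `runAsNonRoot`, mutable image tags, and secret-looking values pasted into environment literals instead of referenced from a Secret. The rule names and the two sample manifests are this example's own constructions; the "secrets" rule is one interpretation of the webinar's "encrypt secrets" item, not a check of encryption at rest.

```javascript
'use strict';
// Added example: policy check over a Pod spec for the items in the webinar summary.
// Rule identifiers, messages and both sample manifests are constructed for the demo.

const RULES = [
  ['privileged', c => c.securityContext?.privileged === true,
   'container runs privileged'],
  ['allow-privilege-escalation', c => c.securityContext?.allowPrivilegeEscalation !== false,
   'allowPrivilegeEscalation is not explicitly false'],
  ['writable-rootfs', c => c.securityContext?.readOnlyRootFilesystem !== true,
   'root filesystem is writable (container drift possible)'],
  ['run-as-root', (c, spec) =>
     !(c.securityContext?.runAsNonRoot === true || spec.securityContext?.runAsNonRoot === true),
   'runAsNonRoot not set at container or pod level'],
  ['mutable-image-tag', c =>
     /:latest$/.test(c.image) || (!c.image.includes(':') && !c.image.includes('@')),
   'image tag is mutable (latest or untagged); pin a tag or digest'],
  ['secret-in-env-literal', c => (c.env ?? []).some(e =>
     /(PASSWORD|SECRET|TOKEN|KEY)/i.test(e.name) && e.value !== undefined),
   'secret-looking value set as a plain env literal; use a Secret reference'],
];

// Returns one finding per (container, violated rule); empty array means clean.
function auditPodSpec(pod) {
  const findings = [];
  const containers = [...(pod.spec.containers ?? []), ...(pod.spec.initContainers ?? [])];
  for (const c of containers) {
    for (const [rule, violated, message] of RULES) {
      if (violated(c, pod.spec)) findings.push({ container: c.name, rule, message });
    }
  }
  return findings;
}

// Constructed sample: the kind of manifest the webinar warns against.
const WEAK_POD = {
  apiVersion: 'v1', kind: 'Pod', metadata: { name: 'web-weak' },
  spec: {
    containers: [{
      name: 'web', image: 'nginx:latest',
      env: [{ name: 'DB_PASSWORD', value: 'hunter2' }],
      securityContext: { privileged: true },
    }],
  },
};

// Constructed sample: the same workload with every listed item addressed.
const HARDENED_POD = {
  apiVersion: 'v1', kind: 'Pod', metadata: { name: 'web-hardened' },
  spec: {
    securityContext: { runAsNonRoot: true },
    containers: [{
      name: 'web',
      image: 'registry.example/web@sha256:' + 'a'.repeat(64), // digest-pinned (constructed)
      env: [{ name: 'DB_PASSWORD', valueFrom: { secretKeyRef: { name: 'db', key: 'password' } } }],
      securityContext: {
        privileged: false,
        allowPrivilegeEscalation: false,
        readOnlyRootFilesystem: true,
      },
    }],
  },
};
```

Run as a CI step this catches the manifest-level items; the remaining items in the list (building outside the production cluster, patched hosts) live in the pipeline and node configuration rather than in the Pod spec, and a policy engine such as an admission controller would enforce the same rules at deploy time.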
Practical non blocking microservices in java 8Michal Balinski
How to write application in Java 8 that do not waste resources and which can maximize effective utilization of CPU/RAM. Comparison of blocking and non-blocking approach for I/O and application services. Based on microservices implementing simple business logic in security/cryptography/payments domain. Demonstration of following aspects:
* NIO at all edges of application
* popular libraries that support NIO
* single instance scalability
* performance metrics (incl. throughput and latency)
* resources utilization
* code readability with CompletableFuture
* application maintenance and debugging
All above based on our experiences gathered during development of software platforms at Oberthur Technologies R&D Poland.
The document discusses symmetric encryption in Java. It shows how to generate a symmetric key, use it to encrypt a message with DESede encryption, and output the encrypted bytes as a base64 encoded string. Securely transmitting the symmetric key between parties is identified as a challenge for symmetric encryption.
SBA Live Academy - Secure Containers for Developer by Mathias TausigSBA Research
Target Group: SysAdmins, Developer, DevOps
Focus: technical
Talk language: English
Abstract
**********
What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker?
About the Speaker:
*********************
Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.
This document discusses security linters Bandit and Gosec. It provides information on what each linter is, the types of security issues it can detect in Python and Go code respectively, how to configure and use each linter, examples of integrating the linters into development tools and workflows, and how to contribute to the open source projects. It also describes a yet-to-be-named GitHub App the presenter is working on that will automatically scan pull requests with Bandit and Gosec.
Ведущий: Александр Попов
В настоящем докладе будет рассмотрен успешный опыт использования отладочного механизма KASan (Kernel address sanitizer) для автономного гипервизора. Докладчик расскажет, как удалось усилить KASan по сравнению с его реализацией в ядре Linux.
Monitoring & Securing Microservices in KubernetesMichael Ducy
Application running in containers provide a myriad of choices to the end developer. But how do you provide the necessary services to monitor and secure these applications running in platforms such as Kubernetes. This presentation covers some common sense principles to monitor and secure your Kubernetes based applications.
curl - a hobby project that conquered the worldDaniel Stenberg
This document summarizes the open source project curl, a command line tool and library for transferring data with various protocols. It began as a hobby project in 1998 and has grown significantly over time to support many protocols, platforms, and use by thousands of companies. It is developed openly on GitHub by a small core team and many volunteers contributors over its 20+ year history.
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Automating Security Response with ServerlessMichael Ducy
This document discusses using serverless technologies for automating security response. It provides an overview of serverless computing benefits and design patterns. Examples of open source serverless platforms like Knative and Kubeless are described. The document also discusses using MLGuard, Falco, and security playbooks with serverless functions to detect anomalies and automate security response actions like killing offending pods.
360° Kubernetes Security: From Source Code to K8s Configuration SecurityDevOps.com
Kubernetes has become the default way for many organizations to scale and orchestrate their use of containers. However, organizations are starting to find themselves needing to take the necessary steps to protect their containers. Automating security checks throughout the development life cycle can help reduce risk and allow organizations to develop and deploy securely.
Join Shiri Ivstan, Senior Product Manager at WhiteSource and Yaniv Peleg Tsabari, Senior Director of Product Management at Alcide, as they explore the world of security in Kubernetes and discuss:
The security risks associated with open-source code and Kubernetes environments
Supply Chain: Continuous Security throughout the CI/CD pipeline
Security aspects throughout the development cycle, such as Image Scanning, Image Assurance, K8s Configuration hygiene and more.
How to automate policies with respect to the above techniques throughout the CI/CD pipeline in order to facilitate more secure application deployments.
This document discusses security assessments of 4G mobile networks. It introduces the presenters and provides an overview of 4G network architecture and potential vulnerabilities, including at the radio access network level and GPRS Tunnelling Protocol. Examples of attacks like GTP "synfloods" are mentioned. The document advocates working with mobile operators to identify and address security issues for the benefit of subscribers.
This document provides an overview of advanced encryption concepts, including research, books, news events, costs, laws, deeper Java Virtual Machine (JVM) encryption, encoding, hashing, salting, keytool, SSL/TLS, elliptic curve cryptography, and other techniques like steganography. Specific encryption algorithms, protocols, and libraries are discussed like RSA, MD5, SHA-1, HMAC, Base64, and tools in the JDK like keytool. Potential attacks on encryption systems from news stories are also summarized.
The document discusses security best practices for Node.js applications. It covers using packages like Helmet to set secure HTTP headers, encrypting sessions with packages like cookie-session, preventing XSS attacks with csurf, sanitizing user input with express-validator, and encrypting passwords with bcrypt. It also discusses building secure HTTPS servers, analyzing dependencies for vulnerabilities with tools like NSP and Snyk, and using the Node Goat project to intentionally introduce vulnerabilities for testing security.
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]RootedCON
Describimos cómo mediante programación sencilla realizamos un ataque MITM (Man-in-the-middle) sobre un equipo y cómo tratamos de conseguir que pase de manera sigilosa.
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSECPROIDEA
This document discusses DNSSEC (Domain Name System Security Extensions) and its importance for securing the Domain Name System (DNS) infrastructure. It provides an overview of vulnerabilities like cache poisoning attacks that DNSSEC aims to address. It highlights how attitudes towards DNSSEC deployment have changed rapidly in recent years. The document outlines several cache poisoning attacks like Kaminsky's 2008 attack that exploited vulnerabilities in DNS resolvers and spurred improved security. It provides resources for learning about and testing DNSSEC implementations to help secure domains. Overall, the document makes a case for DNSSEC as a critical long-term solution to DNS security issues.
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019]RootedCON
This document discusses dual stack IPv4 and IPv6 threat analysis. It notes that firewalls and intrusion detection systems may not recognize IPv6 traffic and could be bypassed. It also lists security considerations like vulnerabilities in IPv6, lack of vendor support, and lack of knowledge by security teams. Unauthorized deployment of IPv6 is highlighted as a risk since most current operating systems support IPv6 by default. The document provides information on analyzing IPv6 prefixes and addresses to identify threats and indicates various categories of malware, fraud, and anonymization threats that could be investigated.
Is my software ecosystem healthy? It depends!Tom Mens
QUATIC 2020 keynote presentation by Tom Mens (University of Mons) on dependency-related health issues in software ecosystems and research advances to address such health issues. Part of the presented research has been conducted as part of the Belgian SECO-ASSIST Excellence of Science Research Project.
stackconf 2021 | Continuous Security – integrating security into your pipelines (NETWAYS)
In the world of continuous delivery and cloud native, the boundaries between what is our application and what constitutes infrastructure are becoming increasingly blurred. Our workloads, the containers they ship in, and our platform configuration are now often developed and deployed by the same teams, and development velocity is the key metric to success. This presents us with a challenge which the previous model of security as a final external gatekeeper step cannot keep up with. To ensure our apps and platforms are secure, we need to integrate security at all stages of our pipelines and ensure that our developers and engineering teams have tools and data that enable them to make decisions about security on an ongoing basis. In this session I will talk through the problem space, look at the kinds of security issues we need to consider, and look at where the integration points are to build in security as part of our CI/CD process.
This document is a summary of a webinar on securing container deployments. It lists several important items to consider when securing containers including: running builds separately from production clusters; treating containers as immutable; avoiding privileged containers; keeping hosts updated; encrypting secrets; and preventing container drift. The document provides instructions on how to provide feedback on the webinar series and lists upcoming webinar topics.
This document provides an introduction to the VeriFast program verifier. It describes how to set up VeriFast, including downloading required files. It explains that VeriFast can verify single-threaded and multi-threaded C/Java programs annotated with preconditions and postconditions written in separation logic, and that it avoids illegal memory accesses like buffer overflows. The document demonstrates running VeriFast on sample code, showing how it finds errors, and provides references for more information.
Network Security Open Source Software Developer Certification (Vskills)
Vskills certification for Network Security Open Source Software Developer assesses the candidate as per the company’s need for network security software development. The certification tests the candidates on various areas in writing Plug-ins for nessus, ettercap network sniffer, Nikto vulnerability scanner, extending hydra and nmap, writing modules for the Metasploit framework, extending Webroot, writing network sniffers and packet-injection tools.
Node.js and JavaScript adoption is high and application security plays a big part in shipping your products in the midst of cyber security threats. We will deep-dive into practical Node.js security measures which you can easily implement in your current projects. Covering topics such as OWASP Top 10 vulnerabilities, Secure Code Guidelines, Leveraging recommended npm libraries, Hardening ExpressJS, and Secure Dependencies Management with CI/CD integration.
Node.js Security - XSS, Vulnerable Dependencies, Snyk, OWASP (Liran Tal)
Liran is leading the core team for the MEAN.js JavaScript framework. He recently published Essential Node.js Security. Passionate about Open Source since an early age, he continuously contributes to many projects on GitHub around Node.js, JavaScript, Docker, and Security.
Being an avid supporter of and contributor to the open source movement, in 2007 Liran redefined network RADIUS management by establishing daloRADIUS, a world-recognized and industry-leading open source project (http://www.daloradius.com).
Securing containers by Breaking In - Liran Tal - DevSecCon Tel Aviv 2019 (Liran Tal)
There’s no better way to understand container security than seeing some live hacking! This session explains and distinguishes the security concern of each layer in the container stack by actually exploiting each layer. We’ll take on Kubernetes itself, the Kubernetes configuration, the container engine (sandbox escaping), OS dependencies in your images, and of course your application dependencies. Each successful hack will help you better understand the mistakes you can make, their implications, and how you can avoid them.
Snyk Intro - Developer Security Essentials 2022 (Liran Tal)
Overwhelmed with security issues in your Node.js applications? Not entirely sure how to write secure code? Join us in this workshop where you’ll learn how to improve security without being a security professional. We’ll use Snyk Code’s VS Code extension to catch and find security issues while you code, automatically fix security issues in your open source libraries, and see first-hand how to weaponize vulnerabilities to exploit working Node.js applications. You will also learn about the multiple ways of using Snyk to secure your projects, from the CLI, to CI/CD pipelines with GitHub Actions, and extend your know-how from secure code and secure dependencies to building secure containers for your Node.js apps on Docker.
Stranger Danger: Securing Third Party Components (Tech2020) (Guy Podjarny)
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in from open source packages, and applications rely heavily on surrounding third party binaries. These third parties make us more productive, but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, and each third party service is a potential door into our system.
This talk shares more information about this risk, creates a framework for digesting and tackling it, and lists a myriad of tools that can help.
The 7 characteristics of container native infrastructure, LinuxCon/ContainerC... (Casey Bisson)
As presented at LinuxCon/ContainerCon 2015: http://sched.co/3YTd
Containers are changing the manner in which applications are run across all data centers. However, it’s time to improve the efficiency of containers by removing VMs altogether and enabling containers to exist as first class citizens in the datacenter. The removal of the VM is just one of the seven characteristics of container-native infrastructure that offers specific performance and operational advantages to Docker in production.
From more convenient networking to improved host management and overall better performance, container-native infrastructure is the future of the data center. In this session, Joyent Product Manager Casey Bisson will explore the difference between container-native and legacy infrastructure, including a side-by-side demonstration of clear differences.
This summary provides an overview of the key points from the OpenStack security document:
1. OpenStack is an open source cloud computing platform consisting of several interrelated components like Nova, Swift, Keystone, etc. Each component has its own REST API and is responsible for a certain functionality like compute, storage, identity, etc.
2. The document discusses various security aspects and pain points related to different OpenStack components like authentication tokens, message buses, REST APIs, volumes, and intrusion detection.
3. It also covers strategies for incident response, forensics, and reporting vulnerabilities in OpenStack. Maintaining chain of custody for evidence and providing forensic access to tenants are highlighted.
4. Finally, the
stackconf 2020 | Speeding up Linux disk encryption by Ignat Korchagin (NETWAYS)
Encrypting data at rest is a must-have for any modern SaaS company. And if you run your software stack on Linux, LUKS/dm-crypt [1] is the usual go-to solution. However, as storage becomes faster, the IO latency introduced by dm-crypt becomes rather noticeable, especially on IO intensive workloads.
At first glance it may seem natural, because data encryption is considered an expensive operation. But most modern hardware (specifically x86 and arm64) platforms have hardware optimisations to make encryption fast and less CPU intensive. Nevertheless, even on such hardware transparent disk encryption performs quite poorly.
JSconf JP - Analysis of an exploited npm package. Event-stream's role in a su... (Jarrod Overson)
This document summarizes an analysis of an exploited NPM package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.
The Emergent Cloud Security Toolchain for CI/CD (James Wickett)
Security is in crisis and it needs a new way to move forward. This talk, given at the Nov 2018 Houston ISSA meeting, discusses the tooling needed to rise to the demands of DevOps and DevSecOps.
Pavan Gupta, Research and Cloud Computing Architect, UC San Francisco Center for Digital Health Innovation (Panel 1: Securing your research data: Perspectives from domain scientists ) -- "Hybridizing Kubernetes and HPC Securely"
The Emergent Cloud Security Toolchain for CI/CD (James Wickett)
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means, without all the hype.
Hardening Your CI/CD Pipelines with GitOps and Continuous Security (Weaveworks)
Join us for a webinar on how to secure your CI/CD pipeline for Kubernetes with GitOps best practices and continuous runtime protection. As modern developers and DevOps teams are embarking on a quest for speed and reliability through automated CI/CD pipelines for Kubernetes, enterprises still need to ensure security and regulatory compliance.
Together with Deepfence, the Weaveworks team will explain and demonstrate how GitOps continuous delivery pipelines, combined with continuous security observability, improves the overall security of your development workflow - from Git to production.
In this webinar we will demonstrate:
Deepfence container scanning
Git-to-Kubernetes using FluxCD
Deepfence continuous runtime security
[Blackhat EU'14] Attacking the Linux PRNG on Android and Embedded Devices (srkedmi)
This document discusses attacking the Linux pseudo-random number generator (PRNG) on Android and embedded devices. It begins by motivating the attack by describing a previous vulnerability discovered in the Android keystore. It then provides an overview of the Linux PRNG and describes how an attacker could reconstruct the PRNG's internal state by simulating PRNGs with different seeds and comparing them to leaked values from the real PRNG. It discusses problems with mounting the attack and where leaks could be obtained, such as during the kernel or platform boot process. It then describes a local attack method using malware to obtain a PRNG seed and bypass stack canary protection.
The DevSecOps Builder’s Guide to the CI/CD Pipeline (James Wickett)
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
Cluj JSHeroes 2017 - Liran Tal on Node.js Security (Liran Tal)
This document discusses security issues with Node.js and best practices to address them. It describes security horror stories from malicious npm packages deleting files ("rimrafall") and packages with similar names to popular ones downloading instead. Other issues covered include NoSQL injections, regular expression denial of service attacks, and insecure dependencies. The document recommends using Helmet to set secure HTTP headers, avoiding writing your own regular expressions, using libraries like validator.js for validation, and integrating Snyk to check for vulnerabilities in dependencies. The key takeaway is the importance of secure development practices like input validation, output encoding, and dependency management for Node.js applications.
6. Invites big risks
The Biggest Repository
Lucrative attack playground
7. Invites big risks
The Biggest Repository
Lucrative attack playground
Open and free-to-publish ecosystem
8. Invites big risks
The Biggest Repository
Lucrative attack playground
Open and free-to-publish ecosystem
Difficult to counter-measure
36. How did we find out about this malicious crossenv package?
post-install script ✅
call-home base64 payload ✅
59. Reset the buffer
Load JavaScript code
Execute code
60.
61. Observation 1
security by code review has to be on-point ALL THE TIME, whereas attackers only have to get lucky ONCE
71. Who depends on eslint-scope?
72. Who depends on eslint-scope?
babel-eslint
73. Who depends on eslint-scope?
babel-eslint
eslint
74. Who depends on eslint-scope?
babel-eslint
eslint
webpack
75. npm invalidates all tokens
<= 2018-07-12
76. npm invalidates all tokens
<= 2018-07-12
estimated potential ~4,500 accounts were compromised
77. Observation 2
a malicious eslint-scope version was published to npm, but the actors had no GitHub repository access, so the source code differed between GitHub and the published npm package
84. Compromised Contributors?
662 users had their password set to 123456
85. Compromised Contributors?
1409 users had their password set to their username
86. Compromised Contributors?
11% of users had their password set to a previously leaked password
89. Observation 3
due to the increased use of transpilers, reviewing and comparing the actual source code against what is distributed is a real problem
108. Enable 2FA
caveats
- auto release ?
109. Enable 2FA
caveats
- auto release ?
- tokens are global for all packages
110. Enable 2FA
caveats
- auto release ?
- tokens are global for all packages
- npm recommends creating a 2nd user
112. Devs Take Ownership for App Security
Source: The State of Open Source Security Report 2019, Snyk
https://snyk.io/opensourcesecurity-2019/
118. The Security WG
Improving the state of Node.js Security
Incident response for Node.js core and the npm ecosystem
Security disclosure policies for bug hunters
Maintain a public vulnerability database
119. The Security WG
Uninitialized Buffer | base64url | 2,000,000 monthly downloads