1. The document discusses how to write effective bug bounty reports by understanding what security teams look for in reports. It emphasizes providing detailed reproduction steps, analyzing exploitability and potential impact, and considering the perspective of the security team.
2. Common elements of an effective report include clear reproduction steps, analysis of how an attack could actually work in the real world, and understanding what types of vulnerabilities are important to the specific organization based on their industry and needs.
3. The presentation provides examples of good and bad reports, outlines typical service level agreements, and emphasizes asking questions to understand the priorities and scope of individual security programs.
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
Meet the hackers powering the world's best bug bounty programs - HackerOne
Not even the strongest or most skilled organizations have the headcount and capacity to avert system vulnerabilities on their own.
There is strength in numbers.
Hackers are that army - and at HackerOne, there are 80,000+ white hat hackers who want to make your software more secure.
Hackers ARE: Problem-solvers, Curious, Technically skilled, Diverse in background and education
Hackers are NOT: Criminals using their skills for a malicious purpose
This presentation dives into who these hackers are and what motivates them. We look at some successful hacker profiles and see what separates the best from the rest.
#CSA #Dehradun
XSS video PoC in Yahoo:
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug PoC in Android 6.0 video:
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Presented at OWASP AppSecUSA 2011
It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good.
This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market?
In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 - Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas, and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason, and why Doctors without Borders are trying to hunt him down.
Introduction to Web Application Penetration Testing - Netsparker
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
Introduction to ethical hacking, the hacking life cycle, introduction to penetration testing, steps in penetration testing, footprinting module, scanning module, live demos on finding vulnerabilities: a) bypassing authentication, b) SQL injection, c) cross-site scripting, d) file upload vulnerability (web server hacking); countermeasures for securing web applications.
In this presentation we discuss different password-cracking methodologies: password brute force, social engineering attacks, phishing attacks, Windows login cracking, web login cracking, application password cracking, and Gmail and Facebook password extraction.
( ** Cyber Security Training: https://www.edureka.co/cybersecurity-certification-training ** )
This Edureka PPT on "Penetration Testing" will help you understand all about penetration testing, its methodologies, and tools. Below is the list of topics covered in this session:
What is Penetration Testing?
Phases of Penetration Testing
Penetration Testing Types
Penetration Testing Tools
How to perform Penetration Testing on Kali Linux?
Cyber Security Playlist: https://bit.ly/2N2jlNN
Cyber Security Blog Series: https://bit.ly/2AuULkP
Instagram: https://www.instagram.com/edureka_lea...
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers.
Social engineering, or SE, is the art of manipulating people into performing actions or into giving up confidential information. Social engineering can mean different things to different people.
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
How to Replace Your Legacy Antivirus Solution with CrowdStrike - CrowdStrike
THE TIME HAS COME TO REPLACE YOUR ANTIVIRUS SOLUTION
Legacy AV products are failing to stop modern threats. That’s why AV replacement is a hot topic in the industry and why enterprises in every sector are looking for answers. As breaches continue to dominate the headlines, you need to know that there is a new approach that can close the wide security gap left by yesterday’s AV solutions. Defending against today’s sophisticated polymorphic threats requires new weapons and that’s just what the CrowdStrike Falcon Platform delivers.
The key to this new approach is going beyond malware to addressing the most complex and persistent cyber threats at every stage of the kill chain. CrowdStrike does this by combining next-gen antivirus, endpoint detection and response (EDR), and a managed threat hunting service – all cloud-delivered with a single lightweight agent.
In this CrowdCast, Dan Larson, VP, Product Marketing will discuss:
--The typical challenges with legacy antivirus, from efficacy to complexity & bulky architecture
--How CrowdStrike stands above competitive offerings by providing robust threat prevention leveraging artificial intelligence and machine learning
--How Falcon’s lightweight sensor and cloud architecture dramatically reduces operational burden
--How you can seamlessly migrate from legacy antivirus to CrowdStrike Falcon
--Why CrowdStrike was positioned as a “Visionary” in the 2017 Gartner Magic Quadrant for Endpoint Protection Solutions and what it says about our standing as an effective AV replacement
This is the talk given at NullCon 2017. This talk gives a history of the Veil Framework and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk.
An explanation of Docker, the new CI/CD cycles built around Docker, how to dissect and trojanize a Docker image, and how functionality of the Docker Registry can be abused.
HackerOne is a vulnerability coordination and bug bounty platform. You must have heard of the bug bounty programs of Facebook and Google. HackerOne is a website where you can host your bug bounty program. You put up your program's page on their website specifying what kinds of vulnerabilities you are interested in, what rules hackers should follow when they perform penetration testing on your software, and how you reward hackers. I am going to talk about my experience on HackerOne, what kinds of reports we got on rubygems.org, and a bit about how we solved them.
HackerOne Presents in China - COO Ning Wang - HackerOne
On a recent trip to China, HackerOne COO and CFO Ning Wang gave a presentation at Hack for Security Conference. Thanks to the hosts and awesome welcome from the community!
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... - bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Increasing the Income of UPPKS Manalagi Group Members, Bilah Hulu Subdistrict, L... - IRFANDI2010
This activity aims to improve the UPPKS group's ability to develop its business on the basis of mastering appropriate technology. Until now, the UPPKS Manalagi group of Bila Hulu Subdistrict, Labuhan Batu Regency, has relied on conventional and traditional tools in its various family-economy development activities in the culinary business. This is closely linked to production output that is inadequate and suboptimal, so the problem calls for a technological upgrade based on appropriate technology, which will go hand in hand with improving the UPPKS group's ability to manage its business. With such appropriate-technology-based development, the UPPKS group can capture market segments by increasing production, which translates into better product quality and quantity, so that the growth of the UPPKS group's business can be seen and its impact felt directly by the group. The final result of this activity is that the UPPKS group is able to apply and develop its production on the basis of appropriate technology, and that the appropriate-technology tools provided are able to increase the UPPKS group's production output. To that end, a series of activities was designed to increase the production and quality of the UPPKS group so as to raise the economic level of the community in general. Overall, however, this activity must be continued on an ongoing basis to keep helping the UPPKS group solve problems and achieve its original goals.
The alchemy of the 7 steps that lead from nothing to everything.
The secret of success is contained in this sequence.
More information:
illuminati-international.org
neophyte.commandc.club
You can design and build beautiful WordPress websites using templates, if you follow a few simple steps and keep these things in mind.
Originally presented at WordCamp Phoenix 2016
Building a Modern Security Engineering Organization - Zane Lackey
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
SplunkLive! Tampa: Splunk for Security - Hands-On Session - Splunk
Join our Security Expert and learn how to use the Splunk App for Enterprise Security (ES) in a live, hands-on session. We'll take a tour through Splunk's award-winning security offering to understand some of the unique capabilities in the product. Then, we'll use ES to work an incident and disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts!
Talk for the Project Quality Day at Eclipse Conference Europe 2015. A presentation on how to perform risk-based testing using Jira, Jubula and Mylyn (and Spago4Q), applied to a real-world use case, the SpagoWorld Shop.
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS ... - Amazon Web Services
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response: AWS Security Week at the San Francisco Loft
In this workshop, we discuss how you should be building your runbooks and security incident report system (SIRS) using your company's real-world configuration and processes. Our goal is to give you an easier way to start your runbooks and create a SIRS. Now you can be the hero for your company by building a strategy and finding out how secure you are. You also learn more about why you should be running a DevSecOps pipeline and how it will help your team find threats in your production environment. Finally, learn how things are different in each level of environment and where your developers should be working.
Level: 200
Speaker: Nathan Case - Sr. Solutions Architect, AWS
business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, cybersecurity, Joe Felter
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation - Scott Sutherland
This presentation provides an overview of common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
An exploration of the cyber security market factors that lead to pervasive issues with hyperbole and feelings of broken trust across the various participants. Much is left off the slides and was covered in narrative at a recent OWASP LA meetup; originally done for B-Sides LV.
Security hacks are happening everywhere and it is almost impossible to keep up with all new developments. So how do you test your own security in such a dynamic cybersecurity landscape?
The days of narrow-scoped and limited penetration tests are over; responsible disclosure, bug bounty programs and red and blue teams are the new way of continuously testing your security. This webinar will help you adopt this new testing paradigm.
Main points that will be covered:
• Limits of 'old' penetration testing;
• Continuous testing to stay on top;
• Leveraging the hacker community through a bug bounty program;
• Responsible disclosure and handling incidents.
Presenter:
Arthur Donkers (arthur@1secure.nl):
Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect. Trainer for PECB (ISO27001, 27005, 31000). Convinced that infosec is a means to an end, not a purpose in itself.
Link of the recorded session published on YouTube: https://youtu.be/Kck8zBY27Hg
Cyber Security testing in an agile environment - Arthur Donkers
How do you test your cyber security in an agile environment? Moving to a continuous testing methodology, applying red teaming, using a smart bug bounty program and having a well-oiled incident response process help you maintain your cyber security in an agile environment.
Are you ready for the next attack? Reviewing the SP Security Checklist - APNIC
Are you ready for the next attack? Reviewing the SP Security Checklist, by Barry Green.
A presentation given at the APNIC 40 Opening Ceremony and Keynotes session on Tue, 8 Sep 2015.
Are you ready for the next attack? reviewing the sp security checklist (apnic... - Barry Greene
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages the cyber-criminal innovation at the cost to business and individual loss throughout the world. We do not need a “Manhattan Project” for the security of the Internet. What we need are tools to help operators throughout the world ask the right question that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our “security” economy, and present “take home” tools that would facilitate immediate action.
Similar to Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nullcon 2017 (20)
Ever wonder who runs the biggest, fastest, and most lucrative bug bounty programs on the HackerOne platform? In this list, you’ll see which programs on the HackerOne platform ranked highest on the total amount of bounties awarded to hackers over the life of the program. You’ll also be able to compare and contrast these top programs by other speed, volume, and bounty metrics.
118 Hacker-Powered Facts From The 2018 Hacker-Powered Security Report - HackerOne
Another year, another Hacker-Powered Security Report! We pulled out 100 of the report’s top facts—and then added 18 more, since it’s 2018. See below for a better understanding of how hacker-powered security is disrupting (in a good way) how organizations approach security. More security teams are adding VDPs, more are supplementing their skills and bandwidth with hackers, and more are augmenting their standard pen tests with hacker challenges.
In 2018, the HackerOne community and those using our platform have combined to crush every metric that we track. Organizations awarded more than $11 million in bounties. Hackers submitted more than 78,000 reports. Bounties were awarded to hackers in over 100 countries.
Unfortunately, the only metric that hasn’t changed much is the percentage of Forbes Global 2000 companies without vulnerability disclosure policies.
Read on for all of the facts!
Federal Trade Commission's Start With Security Guide - HackerOne
Sound security is no accident. Here's what the FTC learned from more than 50 law enforcement actions related to data security, distilled down into their wonderful guide https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.
The Federal Trade Commission’s (FTC) job is to protect consumers. The agency’s Bureau of Consumer Protection works to investigate issues related to many areas, including data security. When they discover unfair, deceptive, or fraudulent business practices, they work with law enforcement to follow-up.
To help businesses better protect their customers’ sensitive data, they published Start With Security: A Guide for Business to surface their lessons learned from settling more than 50 law enforcement actions. The FTC found that most of the cases involved “basic, fundamental security missteps.”
What follows are suggestions from the FTC so, hopefully, you can avoid those same basic, fundamental missteps. We’ve also included the FTC’s real examples of infractions and some helpful resources.
Understanding Information Security Assessment Types - HackerOne
"There are many different types of security assessments, ...and they're not always easy to keep separately in our minds (especially for sales types)."
Enter Daniel Miessler.
Daniel Miessler is a well-known information security professional based in San Francisco. For more than 20 years, he's been writing about his infosec projects and other interests, as he puts it, "as a means of organizing everything I have learned and want to learn."
With organization and education in mind, Daniel wrote a helpful post describing the major types of security assessments and how they’re unique. If you’re one of the “sales types” Daniel mentions above, or just looking to educate yourself on infosec topics, then click ahead.
So here in all its glory is Daniel Miessler’s brief description of the major types of security assessment, along with what differentiates them.
Everything you Need to Know about The Data Protection Officer Role - HackerOne
Data privacy and security expert, Debra Farber, presents on the emerging role of the Data Protection Officer (DPO). When the EU's General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018, companies around the world who process the personal data of EU residents will be required by law to appoint an independent DPO who has specific responsibilities and data protection knowledge.
The 2018 Hacker Report: Insights on the hacker mindset, who they are, and the... - HackerOne
We are in the age of the hacker. Never before have there been more opportunities to learn, more tools, more welcoming companies and more money up for grabs. At the end of last year, we tapped into our community of ethical hackers to better understand how they like to work, what's most important to them and what needs to change. The 2018 Hacker Report is the largest survey ever conducted of the ethical hacking community, with 1,698 respondents.
The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
What companies have paid the most in bug bounties to date
Highest paid bounties and average bounty amount across top programs
How long it takes to respond, pay, and respond to reported vulnerabilities
Top hackers average number of hackers that have reported bugs across each program
GDPR Guide: The ICO's 12 Recommended Steps To Take Now - HackerOne
Recommendations from The United Kingdom's Information Commissioner's Office (ICO) to Prepare for May 2018.
The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
Why Executives Underinvest In CybersecurityHackerOne
Learn how to get around misguided thinking that leads to executive under investment in cyber security, and secure the resources you need. You'll learn how to:
- Work around CEO and CFO human biases
- Motivate decision makers to invest more in cyber infrastructure
- Replace your CEO’s mental model with new success metrics
- Compare your company’s performance with similar firms to overcome executive overconfidence
Watch the full video recording!
Bug Bounties and The Path to Secure Software by 451 ResearchHackerOne
Scott Crawford, Research Director of Information Security at 451 Research, shares:
Why having a Vulnerability Disclosure Policy is now “table stakes”
The what, how and why of Vulnerability Disclosure Policy documentation
Tangible benefits and tradeoffs of incorporating bug bounties into software development
How bug bounties make for a more secure software development lifecycle
An Invitation to Hack: Wiley Rein and HackerOne Webinar on Vulnerability Disc...HackerOne
The private sector and federal government are increasingly considering the use of vulnerability disclosure programs and bug bounties to improve cybersecurity of connected products, websites and services.
These programs can improve security, but they present legal and practical challenges that companies should consider. In this joint webinar with Wiley Rein, Legal cybersecurity experts Megan Brown and Matthew Gardner cover the following:
A overview of vulnerability disclosure controversies and the current push for vulnerability disclosure programs, including recommendations from the FTC, NIST, NTIA, and federal programs like Hack the Pentagon;
Analyze the legal framework for vulnerability disclosure programs, including the rights companies may give up;
Look at the dangers associated with a poorly implemented program, like failing to dedicate proper resources to it;
Explore pragmatic considerations of working with hackers, including how to establish respect and proper boundaries; and
Discuss real-world examples of successful bug bounty programs.
See the full recording here: https://www.youtube.com/watch?v=-xb87hEt_Ws
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
In this webinar, GitLab’s Product Manager, Victor Wu, dives into how GitLab helps you ship secure code, the tools they use, and a few industry best practices they follow to protect data and secrets. Then, GitLab Security Lead, Brian Neel, will explain how they leverage their community using HackerOne to spot and prioritize security issues quickly.
4. Work
● Pentester (~4 years)
● Google (~4 years)
● Snapchat (~1 year)
● HackerOne (~1 year)
Play
● Gaming
● Playing with fire
Adam Bacchus
5. HackerOne
● Bug bounty platform where you can find organizations to hack on
● Uber, Twitter, Snapchat, Starbucks… tons more
● 100,000+ hackers to learn from, like our buddy geekboy :)
● $14 mill USD (₹ 934m) in bounties paid to hackers!
13. Vulnerability Disclosure
The process by which an organization receives and disseminates information about vulnerabilities in their products or online services.
21. Scope
● Why are things out of scope?
○ Infrastructure can’t handle scans
○ Security team already knows it needs work
○ Security team is starting small and working their way up
○ Hosted by a third party; security team doesn’t control it
23. Scope
Don’t be afraid to ask!
But keep expectations low - they might not be ready for the new scope yet.
24. SLA - Service Level Agreement
“an official commitment that prevails between a service provider and the customer. Particular aspects of the service – quality, availability, responsibilities – are agreed between the service provider and the service user.”
25. A Service For Hackers
That’s right - a vulnerability disclosure/bug bounty program is a service, to you, the hacker.
26–29. What should a security team provide?
How much time for…
...first response
...bounty decision
...remediation
30. What if the security team doesn’t have SLAs?
31. (didn’t we see this slide already?)
Don’t be afraid to ask!
“What’s your normal turnaround time on X?”
33–34. What are typical SLAs?
First Response = 3 business days
Bounty Decision = 1 - 3 weeks after triage
Remediation depends on severity:
Critical = 1-2 days
High = 1-2 weeks
Medium = 4-8 weeks
Low = 3 months
35. What NOT to do
1. Send report
2. Five minutes later... update plz!
3. Ten minutes later… bounty plz!
38. Reproduction Steps - The Wrong Way
1. You got an XSS on the name… BOOM!!!
2. Where’s my bounty?
39. Reproduction Steps - The Right Way
1. While logged in, navigate to your profile at <url>
2. Click the “Edit” button in the upper right
3. Change your first name to "><img src=x onerror=prompt(document.cookie)>
4. Click “Save”
5. Navigate to your profile at <url>, the XSS should fire
42. Exploitability - The Wrong Way - Clickjacking
1. Navigate to <URL>
2. X-Frame-Options header is missing
3. ???
4. Profit?
43. Exploitability - The Right Way - Clickjacking
1. Navigate to <URL>
2. X-Frame-Options header is missing
3. You can use clickjacking to trick a user into deleting their account. See attached HTML file for a PoC.
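The clickjacking report above rests on a missing X-Frame-Options header. Before treating that as exploitable, a triager (or a careful reporter) would confirm that nothing else restricts framing, since CSP frame-ancestors takes precedence over X-Frame-Options in current browsers. The check below is an added example, not part of the original slides or of HackerOne's tooling; the header samples it runs on are constructed for the example.

```python
# Added example (not from the original slides): decide whether a response's
# headers leave a page frameable by an arbitrary origin, the verification step
# behind an "X-Frame-Options header is missing" clickjacking report.
from typing import Dict, Optional


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def frameable_by_any_origin(headers: Dict[str, str]) -> bool:
    """True if an arbitrary third-party page could frame a response with these headers.

    Browsers give CSP frame-ancestors precedence over X-Frame-Options, so it is
    consulted first. Header names are matched case-insensitively.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            sources = [s.strip("'").lower() for s in ancestors.split()]
            # An empty list or 'none' blocks all framing; 'self' and explicit
            # origins restrict it to known parties. Only a wildcard or a bare
            # scheme source (e.g. "https:") lets any origin frame the page.
            return any(s == "*" or s.endswith(":") for s in sources)

    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return False
        # ALLOW-FROM is obsolete and invalid values are ignored by browsers,
        # so anything else leaves the page frameable.
        return True

    # Neither protection is present: the situation the slide describes.
    return True


# Constructed sample responses for the example (not captured from any real site).
SAMPLE_RESPONSES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo missing, csp blocks": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp overrides xfo": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors https:"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        verdict = "frameable" if frameable_by_any_origin(headers) else "protected"
        print(f"{label:26} -> {verdict}")
```

Note the "xfo missing, csp blocks" case: the X-Frame-Options header really is absent, yet the page cannot be framed, which is exactly why step 2 alone does not demonstrate exploitability.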
44. Exploitability - The Wrong Way - Server Info
1. Your server at <IP> is showing banner information and is out of date.
2. ???
3. Profit?
45. Exploitability - The Right Way - Server Info
1. Your server at <IP> is running an outdated version of <software>.
2. I’ve verified it’s vulnerable to a known XSS which can be used to steal <cookie ID> and hijack users’ sessions. Here are the repro steps.
46. Impact
We know how to repro…
We know exploitability / attack vector…
So now what?
47. Impact
What happens if this vulnerability gets exploited?
What does the security team care about most?
48. Put yourself in the organization’s shoes
Industry | Compliance | What they care about
Healthcare | Health Insurance Portability and Accountability Act (HIPAA) | PII (Personally Identifiable Information), e.g. patient data
eCommerce / Retail | Payment Card Industry Data Security Standard (PCI-DSS) | User data, especially credit card info
Government (U.S.) | The Federal Information Security Management Act (FISMA) | Employee info, classified info
Finance | Gramm-Leach-Bliley Act (GLBA), PCI-DSS | Consumer and investor financial data
Education | Family Educational Rights and Privacy Act (FERPA) | Student records
Technology | It depends! | It depends!
49–50. Put yourself in the organization’s shoes
User information disclosure of first and last name. Where is the impact bigger?
51. Impact - The Wrong Way
1. You have an XSS
2. <repro steps>
3. <exploitability info>
4. …
5. Profit?
52. Impact - The Right Way
1. Here’s a PoC to steal session info via XSS
2. Exploiting this against a regular user would allow access to view and modify their name, address, birthdate, as well as transfer all money out of their account.
68. Public Disclosure
What is it?
After the bug is fixed, the security team and hacker agree to disclose the report as an example for the bug bounty community.
69. The Good, The Bad, The Ugly
Bug Bounty Reports IRL
70. Reports IRL - The Good, The Bad, The Ugly
Let’s take a look at some real life examples...
71. The Good - hackerone.com/reports/143717
Report: Changing any Uber user’s password
Bounty: $10,000 USD
Let’s check it out!
72. The Bad - hackerone.com/reports/156098
Report: XSS At "pages.et.uber.com"
Bounty: um...
78. Resources
● Web Application Hacker’s Handbook
● Web Hacking 101
● Google Bughunter University
● Google Gruyere
● Burp Suite
● Bug Bounty Reports - How Do They Work?
81. Quick Recap
Know your audience!
Think from the security team’s perspective: “I am the audience”
Repro + Exploitability + Impact
Ask questions, get clarity
Better bug reports result in a quicker turnaround time from the security team responding to your request.
You’ll also learn how to build a better reputation and relationships with security teams.
And in the end, this will all result in higher chances of getting bigger bounties!
This is huge - *always* ask first before going crazy on an unlisted scope. You might end up wasting your entire weekend on a domain that ends up not even belonging to the organization!
Another good report, if there’s time: https://hackerone.com/reports/149907