Bug bounty programs have existed since the 1990s but have grown significantly in recent years. The document summarizes highlights from 2014 reports of major companies' bug bounty programs including Google, Facebook, Microsoft, Github, and Tesla. It also discusses reasons for organizations to start bounty programs, tips for reducing noise, and trends in bug bounty research like researcher demographics.
This document summarizes a presentation about simplifying secure code reviews. It discusses defining an effective security code review process, including reconnaissance, threat modeling, automation, manual review, confirmation, and reporting. It also discusses using the OWASP Top 10 list to focus code reviews, and defining trust boundaries to identify areas of code to review for specific vulnerabilities. The goal is to introduce a simplified process that can help development teams integrate security code reviews into their workflow.
This document provides a summary of security metrics using analogies from Ice Cube's music and movies. It discusses the importance of speed in various stages from detection of a breach to remediation. It also covers quality metrics to measure success rates and avoid mistakes. Coverage metrics ensure monitoring of all potential attack vectors. Charts are provided showing costs of incidents at different stages of the cyber kill chain as well as most common detection tools. The conclusion emphasizes quality of training over just purchasing new tools.
Crowdsourcing a penetration test through Bugcrowd's Flex model offers four main benefits: 1) You pay only for valid vulnerabilities found rather than researcher time spent; 2) Engaging many skilled researchers across different specialties increases the likelihood of finding issues; 3) The reward structure encourages in-depth testing by incentivizing top submissions; 4) This results in significantly more testing effort within similar timeframes as a traditional penetration test.
BSides San Diego 2017 - Sophisticuffs: The rumble over adversary sophistication
Paül Jaramillo
It has been a recurring theme for corporate victims of a major breach to publicly state that the attack perpetrated on them was sophisticated. Some may even go so far as to have their third-party DFIR partner(s) make statements on their behalf to the effect that the attack would have been successful at most companies. All this is done in an attempt to avoid the dreaded assumption of IT security negligence on their part. Imagine if the press release stated that the attack might have been thwarted had they implemented the processes and controls recommended by internal staff years ago.
While we will never read that statement, many practitioners are left to wonder what was so unique and advanced about this attack. In this presentation we will analyze existing public attacks against traits that are more common in truly advanced attacks. These include, but are not limited to, the ability to operate undetected, precise targeting, use of non-public zero-days and custom payloads, the ability to defeat in-place security controls, strong operational security, speed and, of course, overall effectiveness. We will also make clear delineations between what constitutes an advanced attack versus an advanced adversary. The output of this will be a model that can be applied to help characterize your adversaries' capabilities.
[Webinar] The Art & Value of Bug Bounty Programs
bugcrowd
Her TED talk on the power of bug bounties has over a million views. On May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.
View this on-demand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and on-demand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
Cybersecurity 101 for Ophthalmology & Physician Practices
Ravi D. Goel, MD
With the transition from paper to electronic medical records, the threats and potential ramifications of network security risks to physician practices have skyrocketed. From liability for loss of patient data, to the rapidly emerging, office crippling threats of "Spear Phishing" attacks and "Ransomware," the likelihood of being affected is "when," not "if." This presentation includes an eye-opening primer of cybersecurity threats for small and medium sized practices and a roadmap to help protect patient records and practice viability.
Ravi D Goel MD presented this talk at the 2016 American Academy of Ophthalmology Annual Meeting. #aao2016
-----
About Ravi Goel
Ravi D. Goel graduated with a bachelor’s degree in ethics, politics, and economics from Yale University. He earned a medical degree from the Robert Wood Johnson Medical School and completed an ophthalmology residency at the Greater Baltimore Medical Center. Dr. Goel is in private practice in Cherry Hill, NJ, and a clinical instructor at the Wills Eye Hospital in Philadelphia.
Dr. Goel is a past chair of the American Medical Association—Young Physicians Section. He is a recipient of the AMA Foundation Excellence in Medicine Leadership Award, the American Academy of Ophthalmology Achievement Award, and Secretariat Award. He is a past president of the New Jersey Academy of Ophthalmology.
He is a member of the AMA Ophthalmology Section Council. He is also a member of the New Jersey Governors School Board of Overseers, director of the American Academy of Ophthalmic Executives and a member of the Yale University Development Council.
HostingLabs was created by a small team at HOSTING to rapidly develop and test new technologies using an agile "Skunk Works" approach. It aims to foster innovation, thought leadership, staff development and community engagement through open source projects. Some examples of previous internal projects and current public projects are provided. The presentation encourages supporting employee satisfaction, learning, engagement and automating tasks to increase productivity. It promotes measuring the impact of changes using metrics.
The document provides an overview of OWASP (Open Web Application Security Project) and application security. It discusses that most websites are vulnerable to attacks given the digital environment we live in. It then introduces OWASP as a non-profit focused on application security that produces many free, open resources like the OWASP Top 10 list of risks and over 200 projects. The presentation highlights some of OWASP's major projects and resources and emphasizes that application security matters in what it calls the "Age of Application Security".
This document discusses the concept of adversary sophistication in cyber attacks. It defines sophistication as relating to the precision of attacks, the ability to target multiple platforms, targeting ability, operational security used, resilience of attacks, and stealthiness. It analyzes several known adversary groups based on these criteria and assigns them scores in each area. The document recommends that organizations focus on improving their own defenses, conducting thorough internal investigations of incidents using frameworks like the kill chain model, understanding which adversaries pose the greatest risks to their organization, and prioritizing resources to address the biggest threats.
Black Hat USA 2016 - Highway to the Danger Drone - 03Aug2016 - Slides - UPDAT...
Bishop Fox
The document discusses drone defenses and countermeasures that are emerging to defend against unauthorized drones. It describes various experimental systems that have been proposed or developed, including using trained birds of prey, drone-mounted nets, ground-based net guns, jamming cannons, and portable jammers. However, the document notes there are currently no established best practices for drone defense. It proposes developing inexpensive penetration testing drones to help evaluate and improve the emerging defenses.
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
bugcrowd
This webcast will analyze the key differences between the penetration testing and bug bounty models and explore why one company replaced their pen tests over the last three years.
This short document promotes creating presentations on SlideShare using Haiku Deck. It features a photo of nature and text encouraging the reader to get started making their own Haiku Deck presentation. In just a few sentences, it pitches the idea of using Haiku Deck to easily create engaging slideshows.
SMBIZ is an open source online bookkeeping template that can be added to content management systems like WordPress and Drupal. It was written primarily in jQuery, AJAX and PHP. The template includes features like journal entry, viewing account balances and transactions by date, updating chart of accounts, and automatically generating income statements and balance sheets for a given period. The designer's goal is to make this the central data system for future interfaces like inventory management and point of sale systems.
This short document promotes creating presentations using Haiku Deck on SlideShare. It encourages the reader to get started making their own Haiku Deck presentation by simply clicking the "GET STARTED" prompt. In just one sentence, it pitches presentation creation using Haiku Deck on SlideShare's platform.
- Bugcrowd runs public and private bug bounty programs that incorporate up to 18,000 security researchers to test for vulnerabilities. It manages the entire process, including vulnerability submissions, payments to researchers, and communications.
- Bug bounty programs have grown significantly since the mid-1990s. They allow companies to cost-effectively find security issues through crowdsourcing, while also improving developer skills and strengthening security culture.
- Running a successful bug bounty requires planning, clear expectations, and ongoing management of researcher communications and payments. Companies that are new to bounties should start with lower reward amounts and focus on learning, while more mature programs offer higher rewards.
This short document promotes the creation of Haiku Deck presentations on SlideShare by stating it provides inspiration. It encourages the reader to get started making their own Haiku Deck presentation by clicking a button labeled "GET STARTED".
This document is an e-book titled "The 7 Pervasive Whims" by Scott E. Byorum. It explores interpretations of the seven deadly sins - lust, gluttony, greed, sloth, wrath, envy, and pride. The introduction frames the sins as pervasive aspects of human nature that can be detrimental if not overcome. Each sin is then examined individually through poetic passages and short quotes from various contributors defining when one knows they have succumbed to that sin.
Design and evaluation of an integrated sugar crystallization control program that overcomes the defects of traditional programs, summarized as: inaccurate manually set parameters and the lack of information on the crystallization driving force ("supersaturation SS and crystal growth rate").
Validation of the proposed program for industrial application was done through practical field application cycles and simulation of the program formulas against reference values and commonly used programs, and the results were found to be fully identical. The program was considered an improved version of the Siemens & BMA control, as indicated in its four-stage integrated control strategy.
Cellulosic ethanol is made from the cellulose in plant materials like stalks, stems, and leaves. It is more difficult to produce than corn or sugarcane ethanol because cellulose molecules are tightly packed. The production process involves a pretreatment step to break down the cellulose, followed by fermentation where yeast converts the sugars to ethanol. Recent technological advances like specialized enzyme formulations and yeast strains have helped reduce costs and improve yields, making cellulosic ethanol more viable. The first commercial cellulosic ethanol plant in the US opened in 2014 in Iowa.
Cyber Threats and Data Privacy in a Digital World
qubanewmedia
The document discusses changes in website management and content management systems between 2010 and 2017. Specifically, it notes that (1) there is more technology and customer browsing online, requiring better integration and more innovative approaches; (2) content management systems now have more features but choices are harder with more options available; and (3) website managers must know more with higher consequences for failure and more pressure to create good ideas.
Andrew Gassen, CEO | Pivotal Software
0 for 3: Edtech Startup Lessons Learned
I’ve been a part of 3 different education technology companies, all focused on the K-12 market. Each of these companies failed, but each for different reasons and in spectacularly different ways. This talk is a bit of a public post-mortem that focuses on 3 key lessons from each company, including a brief discussion on how we might have done things a different way if I knew then what I know now.
Presented by the Serious Play Conference (seriousplayconf.com) at the University of Central Florida (UCF), Orlando, July 24-26, 2019
Building a Modern Security Engineering Organization. Zane Lackey
Yandex
The document discusses building a modern security engineering organization. It describes how the world has changed with near-instantaneous code deployment and increased developer access to production systems. It advocates for adopting a culture of continuous monitoring and transparency around security issues. The document provides recommendations for incentivizing communication between security and development teams and for implementing access restrictions in a way that does not remove capabilities. It also discusses using bug bounties and attack simulations to increase the cost for attackers.
10 practices that every developer needs to start right now
Caleb Jenkins
Gathered from over 15 years of development and consulting experience with some of the largest development companies in the world. These are the 10 practices that are the lowest hanging fruit and will also have the greatest impact on the way that you write and deliver software. Enjoy.
This document discusses the concepts of DevOps, SecOps, and DevSecOps. It describes how the traditional divisions between development, operations, and security can lead to problems, and how adopting a DevOps culture and practices like continuous integration, infrastructure as code, and automation can help break down silos. It emphasizes that DevSecOps is about collaboration, culture change, and bringing security practices into the development lifecycle from the beginning.
Devops aims to break down silos between development and operations teams through culture, automation, and continuous integration/delivery. It emphasizes collaboration and automation to allow code to be deployed safely and quickly. Security should be integrated into the devops pipeline through practices like automated security testing on each code change and configuration management to standardize security across environments. Adopting devops and continuous delivery helps improve security by reducing risk through faster issue remediation and increased visibility into systems.
apidays LIVE New York 2021 - Why Software Teams Struggle with API Security Te...
apidays
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Why Software Teams Struggle with API Security Testing
Scott Gerlach, Co-Founder & Chief Security Officer at StackHawk
Jerod Brennen - What You Need to Know About OSINT - centralohioissa
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
The document provides advice for junior developers on important technical skills and interpersonal skills to learn. It recommends learning version control systems like Git and getting familiar with common data structures, algorithms, and computer science fundamentals. The document emphasizes the importance of strong communication skills for writing clear code. It also encourages developers to get involved in local coding communities and open source projects to expand their networks and portfolios.
Teaching Elephants to Dance (and Fly!): A Developer's Journey to Digital Tran... - Burr Sutter
The document provides an overview of the challenges facing developers in achieving digital transformation and discusses various strategies and techniques to help address these challenges, including adopting DevOps practices, implementing continuous integration and deployment pipelines, using automation and infrastructure as code, and moving to microservices architectures. It emphasizes the need for organizations to adapt and evolve quickly in the face of digital disruption.
Achieving Technical Excellence in Your Software Teams - from Devternity - Peter Gfader
Our industry has a problem: We are not lacking software methodologies, programming languages, tools or frameworks but we need great software engineers.
Great software engineer teams build quality-in and deliver great software on a regular basis. The technical excellence of those engineers will help you escape the "Waterfall sandwich" and make your organization a little more agile, from the inception of an idea till they go live.
I will talk about my experiences from the last 15 years, from small software delivery teams to big financial institutions.
Why would a company like to be "agile"?
How can a company achieve that?
How can you achieve Technical Excellence in your software teams?
What developer skills are more important than languages, methods or frameworks?
This will be an interactive session with a Q&A at the end.
How To (Not) Open Source - Javazone, Oslo 2014 - gdusbabek
Releasing an open source project while maintaining a shipping product is hard! Different behaviors, attitudes and actions can help or hinder your cause; and they are not always obvious.
The Blueflood distributed metrics engine was released as open source software by Rackspace in August 2012. In the succeeding months the team had to strike a manageable balance between the challenges of growing a community, being good open source stewards, and maintaining a shipping product for Rackspace. Find out what worked, what did not work, and the lessons that can be applied as you endeavor to take your project out into the open.
In this presentation you will learn about strategies for releasing open source products, pitfalls to avoid, and the potential benefits of moving more of your development out in the open.
We have also made a few realizations about the community growing up around metrics. It is still young, and there are problems that come with that youth. I'll talk about some things we can do to make a better software ecosystem.
This document provides an overview of bug bounty hunting. It discusses:
- What bug bounty programs are and how they work
- A brief history of major bug bounty programs from the 1990s to present day
- Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment
- Popular bug bounty platforms and programs
- How to get started with the process of bug hunting
- Tips for writing bug reports that document the issue and steps to reproduce it
- Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept
Bug bounty roadmap covers various techniques for finding vulnerabilities such as understanding the target application flow, using passive reconnaissance tools to discover assets, hacking with Burp Suite to find bugs like XSS and SQLi, and keeping up with new trends to improve bounty hunting. The presentation emphasizes thorough preparation and research to avoid duplicate reports and better understand the target before launching attacks. It also provides tips for writing high-quality bug reports to build good relationships with security teams.
The document summarizes Adrian Cockcroft's experience giving talks about Netflix's approach to technology over time. It notes that initially people reacted skeptically, saying Netflix's approach was crazy and wouldn't work (2009-2010). Later, people said it could only work for large companies like Netflix (2011). By 2012, people said they wanted to adopt a similar approach but couldn't. The document outlines key lessons learned from Cockcroft's time at Netflix, including that speed wins in the marketplace and removing friction from product development helps enable faster innovation.
SplunkLive! Frankfurt 2018 - Intro to Security Analytics Methods - Splunk
The document discusses an introductory presentation on security analytics methods. It includes an agenda that covers an introduction to analytics methods, an example scenario, and next steps. It also discusses common security challenges, different analytics methods and types of use cases, and how analytics can be applied to different stages of an attack.
What is an RPA CoE? Session 2 – CoE Roles - DianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect, Anika Systems
As AI technology is pushing into IT, I was wondering, as an “infrastructure container kubernetes guy”, how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial for or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already got working for real.
Keywords: AI, Containers, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
QA or the Highway - Component Testing: Bridging the gap between frontend appl... - zjhamm304
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
Getting the Most Out of ScyllaDB Monitoring: ShareChat's Tips - ScyllaDB
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
In our second session, we shall learn all about the main features and fundamentals of UiPath Studio that enable us to use the building blocks for any automation project.
📕 Detailed agenda:
Variables and Datatypes
Workflow Layouts
Arguments
Control Flows and Loops
Conditional Statements
💻 Extra training through UiPath Academy:
Variables, Constants, and Arguments in Studio
Control Flow in Studio
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc... - DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Essentials of Automations: Exploring Attributes & Automation Parameters - Safe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Dandelion Hashtable: beyond billion requests per second on a commodity server - Antonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design (1) offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. On a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
AppSec PNW: Android and iOS Application Security with MobSF - Ajin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba - Fwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdf - leebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this has led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
Northern Engraving | Nameplate Manufacturing Process - 2024 - Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor Ivaniuk - Fwdays
In this talk we will discuss DDoS protection tools and best practices, network architectures, and what AWS has to offer. We will also look into one of the largest DDoS attacks on Ukrainian infrastructure, which happened in February 2022. We'll see what techniques helped keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on the Ukraine experience.
Must Know Postgres Extension for DBA and Developer during Migration - Mydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow the links below.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
10.
Highlights from the 2014 Google
o Started in 2010
o In 2014 paid over 200 researchers
o Highest single payout: $150k
o Total payout: $1.5+ million
o Over 500 unique and valid bugs
o Over half of the bugs in Chrome were reported and fixed in beta or dev builds
src: http://googleonlinesecurity.blogspot.com/2015/01/security-reward-programs-year-in-review.html
13.
Highlights from the 2014 Facebook Report
o Started in 2011
o Currently $500 minimum, no defined maximum
o 17,011 Submissions
o 61 Eligible bugs were high severity
o 123 Countries (65 Rewarded)
o $1.3 million paid to 321 researchers
Countries with High # of Valid Subs
Country       Valid Bugs   Average $ Reward
India         196          $1,343
Egypt         81           $1,220
USA           61           $2,470
UK            28           $2,768
Philippines   27           $1,093
src: https://www.facebook.com/notes/facebook-bug-bounty/2014-highlights-bounties-get-better-than-ever/1026610350686524
14.
Microsoft Bounty Expansion
o Started in 2013
o Online services like Azure and O365 have a maximum bounty of $15k
o Doubled this during Aug 5 - Oct 5 for auth vulnerabilities in Windows Live
o “Mitigation Bypass” bounty for novel methods to bypass paramount OS protections like ASLR and DEP - $100k
o “Bonus Bounty for Defense” - $50k
src: http://blogs.technet.com/b/msrc/archive/2015/04/22/microsoft-bounty-programs-expansion-azure-and-project-spartan.aspx
src: https://technet.microsoft.com/en-us/security/dn800983
15.
Highlights from the 2014 Github Report
o First year of the program
o $200 - $5,000 (doubled for 2015)
o 1,920 Submissions
o 73 Unique Vulnerabilities (57 medium/high)
o 33 Unique Researchers earned a total of $50,100 for the med/high vulnerabilities
src: https://github.com/blog/1951-github-security-bug-bounty-program-turns-one
16.
Tesla Motors
o Began their program with Bugcrowd in 2015
o Includes all Tesla Motors hosts, mobile apps, and any hardware you’re authorized to test against (don’t hack your neighbor’s car)
o Initially had an upper end of $1,000
o Increased the upper end to $10k at Black Hat
o Researchers were able to gain access to the Model S computer system, remotely lock and unlock the car, and apply the emergency brake if under 5 m.p.h.
17.
Why should my organization run a bug bounty?
o Helps augment your internal security team
o Helps level the playing field
o Shows the security community you’ll work with them
o Makes it easy for researchers to “do the right thing”
o The program makes a statement
o Continuous testing
27.
I’m already getting continuous testing from my red team
o Bug bounties don’t replace red teams
o They work in concert, providing a different perspective
o Red teams have access to privileged information that may create bias in their testing
29.
I’m already getting continuous testing from a scanner
o They report false positives
o Scanners miss a lot of vulnerabilities
30.
I’m already having my application pen tested
o Limited resources compared to the crowd
o Paying for time vs. results
o Snapshot in time
40.
Program Statistics
o $725k paid to researchers
o 38k submissions
o 8k valid & unique (21%)
o $200 average payout
o 4.39 “big bugs” per program
41.
What are big bugs?
P1 - Critical
Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, financial theft, etc.
Examples: Vertical authentication bypass, SSRF, XXE, SQL injection, user authentication bypass
P2 - High
Vulnerabilities that affect the security of the platform including the processes it supports.
Examples: Lateral authentication bypass, stored XSS, some CSRF depending on impact
44.
How to reduce noise
o Provide clear directives to researchers
o What’s in/out of scope
o Play by your own rules
o Reward Quickly and Consistently
o Fix Quickly
o Provide feedback/education
50.
Provide Feedback/Education
o Respond to researchers
o Improve submissions
  o Note deficiencies
  o Clarify scope
o Training
  o Google: Bughunter University
  o Facebook: Bounty Hunter’s Guide
  o Bugcrowd: Bugcrowd Forum
51.
Shaping the Future of Bug Bounty
o Paid Summer Internships
o Guest blog posts
o Bugcrowd Forum
o Training
  o https://github.com/jhaddix/tbhm
  o https://www.youtube.com/watch?v=VtFuAH19Qz0
  o https://blog.bugcrowd.com/bugcrowds-2015-guide-hacker-summer-camp/
52.
Shaping the Future of Bug Bounty
[Chart: Bug Bounties as Primary Source of Income (Researchers with 15+ Valid Submissions)]
54.
Researcher Statistics
o 20,000 total sign ups
o 90 Countries
  o India - 31%
  o US - 18%
  o UK - 9%
o Highest average payout
  o Cyprus - $644
  o Switzerland - $512
  o Austria - $475
60.
• Clifford’s first private bounty invitation
• Launched at midnight in Philippines
• Found an IDOR → elevation of privilege
src: https://www.cliffordtrigo.info/hijacking-smartsheet-accounts/
64.
In Summary
o Bug bounty programs have been around for a while
o Managing a bug bounty program can be difficult
o Security-conscious companies keep running them
o More companies are adopting (private) programs
o Researchers are reporting interesting and critical vulnerabilities