Presented at OWASP AppSecUSA 2011
It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good.
This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market?
In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu... - HackerOne
Hackerone Chief Bounty Officer, Adam Bacchus, a fire breathing, mohawk wearing stud presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn:
- How to know and research your audience
- What are the atomic materials of a good bug report?
- Good, Bad, and Ugly examples of bug reports (taxi driver anyone?)
- What are some helpful resources
- And more!!
All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
Recon and Bug Bounties - What a great love story! - Abhijeth D
In this talk, the speaker will demonstrate a few effective techniques using which researchers/pen testers can do better information gathering. The speaker would also share many stories which allowed him to earn some bounties using these recon techniques. These techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation which are often missed out during normal penetration testing. These might not be “best practices” but are definitely “good practices” and “nice to know” things while doing Penetration Testing.
Hi Everyone,
This presentation is on Logical Attacks. It can be helpful in Bug Bounties while doing Bug Hunting, Vulnerability Research in web applications, mobiles (Android, iOS, Win), web services, APIs etc. and for making a career in the information security domain.
It's not an introduction to Web Application Security.
A talk about some new ideas and cool/obscure things in Web Application Security.
More like “Unusual Bugs”
IDA Vulnerabilities and Bug Bounty by Masaaki Chida - CODE BLUE
IDA Pro is an advanced disassembler and is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail; if there were a vulnerability and the user were attacked, it could not only have an impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging the vulnerabilities, and Hex-Rays's remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 - Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, and more complex payloads crafted to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
I presented these slides at the HACKERONE BUG HUNT 2023 conference. They are mainly intended for people who have no idea about bug bounties. In them I have given the basics of what bug bounty is, why it is needed, learning and practice resources and starting platforms.
Meet the hackers powering the world's best bug bounty programs - HackerOne
Not even the strongest or most skilled organizations have the headcount and capacity to avert system vulnerabilities on their own.
There is strength in numbers.
Hackers are that army - and at HackerOne, there are 80,000+ white hat hackers who want to make your software more secure.
Hackers ARE: Problem-solvers, Curious, Technically skilled, Diverse in background and education
Hackers are NOT: Criminals. Using their skills for a malicious purpose
This presentation dives into who these hackers are and what motivates them. We look at some successful hacker profiles and see what separates the best from the rest.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... - Frans Rosén
Regardless of how sophisticated your framework is, or how many layers of firewalls and mitigation techniques are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exists everywhere: WordPress with username enumeration issues, Twitter where remote attackers could delete credit cards for the ad service, and OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Attack chaining for web exploitation #c0c0n2015 - Abhijeth D
This is the deck which was used to present at c0c0n 2015. Due to some privacy reasons, I'm unable to share a few screenshots. If interested please reach out to me.
If you have some feedback please drop an email to abhijeth0423@gmail.com.
Video will be published soon which will give more idea about the talk.
Also credits to: @mat www.wesecureapp.com
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth - Abhijeth D
This is a presentation which talks about how to do well in Bug bounty programs. The slides explain a few best practices suggested by the top bug hunters around the world.
For further details about the presentation/suggestions feel free to contact @abhijeth.
Writing vuln reports that maximize payouts - Nullcon 2016 - bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... - bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Fuzzapi is an API Fuzzer that will help Developers/Pen Testers to fuzz APIs and find a few commonly found vulnerabilities. The tool can be integrated into the build pipeline to allow developers to identify vulnerabilities prior to Pen Testing. Pen testers can also use this tool against various APIs during their testing, which will allow them to automate a few tasks.
How to run a kick ass bug bounty program - Node Summit 2013 - bugcrowd
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
Project Loon is a research and development project being developed by Google.
Project Loon is a network of balloons travelling on the edge of space, designed to connect people in rural and remote areas.
The Future Of Work & The Work Of The Future - Arturo Pelayo
What Happens When Robots And Machines Learn On Their Own?
This slide deck is an introduction to exponential technologies for an audience of designers and developers of workforce training materials.
The Blended Learning And Technologies Forum (BLAT Forum) is a quarterly event in Auckland, New Zealand that welcomes practitioners, designers and developers of blended learning instructional deliverables across different industries of the New Zealand economy.
OSGi is becoming the technology of choice for modular and dynamic applications in many realms. One of those is the area of device-based software, which brings along its own set of characteristics and challenges. In this session, we will focus on remote management and the software evolution accompanying a large number of devices 'in the field', with ever-changing requirements, deployment scenarios, and device configurations. We'll present the case of a company which uses OSGi as the foundation for their modular device software, and the challenges they faced during their journey from small-scale pilot deployments all the way to large commercial roll-outs.
Using Apache ACE as a distribution and management platform for a large, and growing, number of embedded devices in the field.
I used this presentation at Apachecon NA 2010.
I'm more about story and images than about text on slides, you can try to follow along here.
OSGi technology is becoming the preferred approach for creating highly modular and dynamically extensible applications. With open source framework implementations like Eclipse Equinox and Apache Felix readily available, there is no better time to move to OSGi technology. However, doing so requires mastering the assembly, provisioning, and discovery of the components that make up your system. Apache ACE, an Apache Incubator project, is a software distribution framework that allows you to centrally manage and distribute software components, configuration data, and other artifacts to target systems. We will focus on building and managing OSGi deployments, showing you how to use Apache ACE to bootstrap a framework and deploy to remotely managed systems. Also, we will show how ACE can be used to deploy bundles to an Android based phone.
Visual Studio 2013, Xamarin and Microsoft Azure Mobile Services: A Match Made... - Rick G. Garibay
Learn how you can harness the power of Visual Studio 2013 with the flexibility of Xamarin and the power of Microsoft Azure Mobile Services.
Secure, federated identity. A durable, reliable and scalable backend. Scalable messaging fabrics that unlock assets both in the cloud and behind the firewall. All of these are table stakes when delivering modern mobile enterprise applications. Whether you are building responsive web apps for devices or targeting iOS, Android, Windows Phone or Windows Store apps, as a mobile developer, you must focus on delivering a beautiful and functional user experience if you want your apps to be adopted. What if you could have all of this plus the power of Visual Studio 2013 and Windows Azure? Well, now you can!
Instead of reinventing the wheel each and every time you need to target a new device platform, learn how Visual Studio 2013 and Xamarin allow you to target iOS, Android and Windows devices while promoting reuse of code assets across platforms. And when you're done with the front–end work and are ready to wire up your mobile app, come see how Microsoft Azure Mobile Services provides a simplified stack that tackles security, durability, reliability and modern messaging all with just a few lines of code.
In this session, you'll learn how you can harness the power of Visual Studio 2013 with the flexibility of Xamarin and the power of Microsoft Azure Mobile Services to tackle all of your cross platform and back end chores quickly and easily so you can focus on what your users really care about.
[DevMentor video] The 4 major IT trends developers must know: technical issues and future outlook
Developer Seo Young-jin, Part 1 (of 2)
- Participated in many Linux/embedded/mobile projects, including a dialpad for Linux, the SKY 6400/6500 mobile camcorder, and a nuclear power plant CPS system
- Corporate lectures for companies including Egypt's SECC and Samsung Electronics
- Lectures for Chonbuk National University's web marketplace program (iPhone programming)
- Lectures for the Korea Electronics Association's embedded Linux based mobile programming course, among others
OSGi workshop - Become A Certified Bundle Manager - Skills Matter
OSGi is great at enabling you to build your systems out of sets of bundles. In a way, your bundles are your configuration. However, this also requires you to master the identification, assembly and provisioning of all of the components that make up your system.
* How do you hot-deploy bundles for delivery?
* Is there a simple way of bootstrapping your system with specific configurations that are easy to assemble and kick-start?
* Once your system is "out there" how can you take things one-step further and manage the provisioning remotely?
* Is there an easy way to let the user discover and deploy what he wants, when he wants it?
* How can you do all of these things using existing technologies?
Well, you've come to the right place. In this workshop we will focus on ways to manage OSGi installations. Using a simple example application, we will show you how you can:
* use Fileinstall to hot-deploy bundles into your live application environment
* take advantage of Pax Runner to create and easily bootstrap configurations of bundles
* remotely manage, provision, and audit systems in the field with Apache Ace
* provide, discover, and deploy bundles using Apache Felix OBR
An introduction to AWS Elastic Beanstalk, a service to help run your Java web applications on the Amazon cloud, leaving you free to focus on your app. Slides from the London Java Community meetup, 1st June 2011.
Measure works - Mobile Convention Amsterdam - Guidelines for a successful mobi... - MeasureWorks
Mobile commerce raises the stakes for business owners. Recent research from Forrester and OVUM tells us that more than 70% of all consumers expect mobile sites to load as fast as regular websites. Even worse, after a bad experience, over 50% of all consumers will leave your mobile site never to return. This will have an impact on your conversion and ultimately your bottom line. If you want to turn visitors into customers, every mobile strategy should focus on comfort and simplicity.
How? In this session Jeroen Tjepkema, Co-founder of MeasureWorks, will provide insight into trends, best practices and success factors for your Mobile Strategy. You'll learn:
- The latest mobile trends and how to adapt, from iPhone, Android to HTML5
- What to do with the ongoing discussion about Native App vs Mobile sites
- How successful mCommerce providers have adapted a mobile strategy
- How to gain insight into how your end-users are experiencing your mobile services
- Tips & tricks to quantify your Mobile ROI
Getting Other People to Care - Social Media Breakfast CT - CauseShift
Scott Henderson, managing director of CauseShift, presented at the Social Media Breakfast Connecticut December meeting at Quinnipiac University. He focused on how organizations and people can use social media to engage others in causes they care about.
Zero to Sixty: AWS Elastic Beanstalk (DMG204) | AWS re:Invent 2013 - Amazon Web Services
AWS Elastic Beanstalk provides an easy way for you to quickly deploy and manage applications in the AWS cloud. In this Zero to Sixty session, accelerate your use of Elastic Beanstalk by learning how Nike and VTEX use several of its most powerful features. Through interactive demos and code samples for both Windows and Linux, this session teaches you how to achieve deployments with zero downtime, how to easily enable or disable application functionality via feature flags, and how to customize your Elastic Beanstalk environments with extensions. Demos and code samples are available to all session attendees.
Are you new to Elastic Beanstalk? Get up to speed for this session by first completing the 60-minute Fundamentals of Elastic Beanstalk lab in the Self Paced Lab Lounge.
My presentation at the recent Open Camp in Dallas, TX
Is your content ready to go mobile? Is your audience spending more time viewing your site on their iPhone than on a desktop? If they're not, they will be soon. Mobile is exploding, and to make sure your message is getting across to the largest audience, you need to make sure you're giving mobile users the best experience. Jeremy will go over tips, tricks and examples, along with some easy ways to get your site ready for a mobile audience.
Applications are constantly under attack. Unfortunately, nearly all applications have no capability of detecting an attacker or responding before a breach occurs. Those applications sit passively and allow the attacker to constantly unleash attack after attack. Let's change the game and equip our application with the resources to detect an attack with high accuracy and respond in real time to prevent a compromise by eliminating the threat from the system.
In this talk we'll cover the OWASP AppSensor project – a project that details how to instrument an application to become attack aware and immediately respond to neutralize threats. This project is backed by multiple talented security experts that have been advancing the project for the past three years. AppSensor has been featured in the Department of Defense Cross Talk journal, presented at the US Department of Homeland Security resilient software conference and at security conferences around the world.
Devbeat Conference - Developer First Security - Michael Coates
Topics include:
- Sample and Demo of Top Application Risks — Cross Site Scripting, SQL Injection, Access Control
- Who’s Monitoring Your Traffic? — Encrypting in Transit
- Secure Data Storage & Protection — Correct Password Storage & Data Protection
- Growing Threats Plaguing Applications
These slides provide instructions on how to set up a virtual security training lab that uses OWASP Broken Web Apps, OWASP WebGoat, and OWASP ZAP running on top of VirtualBox.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: Optimizing FME Workflows with Parameters - Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 3 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation introduction
UI automation sample
Desktop automation flow
Speakers:
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring of JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
2. Agenda
History of Bounty Programs
Mozilla Web Bounty Results
Launching a Web Bounty Program
Common Bounty Concerns
Conclusion
OWASP 2
4. History of Bounty Programs
1995 - Netscape
2002 - iDefense
2004 - Mozilla Firefox
2005 - ZDI
2007 - Pwn2Own
2010 - Google Chromium, Deutsche Post E-Postbrief, Google Web, Mozilla Web, Barracuda
2011 - Hex Rays, Facebook
5. Types of Programs
Open to all - reported direct to software maker:
(1995) Netscape
(2004) Mozilla Firefox
(2010) Google Chromium
(2010) Google Web
(2010) Mozilla Web
(2010) Barracuda
(2011) Hex Rays
(2011) Facebook
Central “Clearing House”:
(2002) iDefense
(2005) ZDI TippingPoint
Pre-Approved Teams / Competition:
(2007) Pwn2Own
(2010) Deutsche Post E-Postbrief
6. Programs for the Web
Mozilla Web Bounty: $500 - $3000
Google Web Bounty: $500 - $3137
Facebook Security Bounty: typically $500, paid up to $5000
General Policies
- Select web sites in scope
- Critical issues
- Paid for new issues (not dupes)
7. Bounty Programs - Why?
User & user data safety is #1
Productive relationship with community
Work directly with researchers
Consistent security at scale is hard
Not competing with black market
9. Mozilla Web Bounty - Scope
‣ Goal: Protect Users
‣ Critical issues such as XSS, CSRF, code injection, authentication flaws
Sites In Scope
- bugzilla.mozilla.org
- *.services.mozilla.com
- getpersonas.com
- aus*.mozilla.org
- www.mozilla.com/org
- www.firefox.com
- www.getfirefox.com
- addons.mozilla.org
- services.addons.mozilla.org
- versioncheck.addons.mozilla.org
- pfs.mozilla.org
- download.mozilla.org
11. Mozilla Web Bounty - Bugs Reported
[chart: bugs reported; labels and values not recoverable from the extracted text]
12. Mozilla Web Bounty - Types of Issues Reported
[chart: types of issues reported; labels and values not recoverable from the extracted text]
13. Mozilla Web Bounty - The Reporters
How Many Bugs Are People Submitting?
Number of Bugs Submitted    Percentage of Reporters
1 Bug                       47%
2-5 Bugs                    33%
6+ Bugs                     20%
Top 11% of bug finders contribute 56% of bugs
14. Mozilla Web Bounty - What is Submitted
Failure in design patterns - ex: image uploads
Procedural gaps / forgotten servers
Smaller traditional bugs
15. Mozilla Web Bounty - The Bounties
$104,000* Total Paid (since Dec, 2010)
175 Bugs Submitted
64 Qualifying bugs
24 Paid Contributors
* Mozilla Web Bounty, not including Firefox Bounties
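The reporter distribution on slide 13 and the totals on slide 15 are the metrics a bounty team keeps track of while the program runs. The script below is an added example, not code from the slides or from Mozilla: it computes the same kind of figures (reporter buckets, the share of bugs coming from the top reporters, qualifying rate, total paid and number of paid contributors) from a constructed submission log. All reporter names, bounty amounts and counts in it are made up, and "qualifying" is reduced to a single triage flag.

```python
"""Bounty program metrics from a submission log.

Added example, not from the slides: the reporter buckets, top-reporter share,
qualifying rate and payout totals of the kind shown on the Mozilla slides,
computed from a constructed list of report records (all names and amounts
below are made up).
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    reporter: str      # handle of the person who submitted the report
    qualifying: bool   # passed triage: in scope, critical, not a duplicate
    bounty: int        # USD paid; 0 when the report did not qualify


def _reports(reporter, bounties, rejected):
    """One paid report per entry in `bounties` plus `rejected` unpaid ones."""
    paid = [Report(reporter, True, b) for b in bounties]
    return paid + [Report(reporter, False, 0) for _ in range(rejected)]


# Constructed sample submission log (not real Mozilla data).
SAMPLE_REPORTS = (
    _reports("alice", [3000, 3000, 500, 500], rejected=2)  # 6 reports, 4 paid
    + _reports("bob", [500, 1500], rejected=1)             # 3 reports, 2 paid
    + _reports("carol", [500], rejected=1)                 # 2 reports, 1 paid
    + _reports("dave", [3000], rejected=0)
    + _reports("erin", [], rejected=1)
    + _reports("frank", [500], rejected=0)
    + _reports("grace", [], rejected=1)
    + _reports("heidi", [], rejected=1)
    + _reports("ivan", [500], rejected=0)
    + _reports("judy", [], rejected=1)
)


def bugs_per_reporter(reports):
    """Count submitted reports (qualifying or not) per reporter."""
    return Counter(r.reporter for r in reports)


def reporter_buckets(reports):
    """Percentage of reporters who sent 1, 2-5 or 6+ reports (as on slide 13)."""
    counts = bugs_per_reporter(reports)
    buckets = {"1 bug": 0, "2-5 bugs": 0, "6+ bugs": 0}
    for n in counts.values():
        if n == 1:
            buckets["1 bug"] += 1
        elif n <= 5:
            buckets["2-5 bugs"] += 1
        else:
            buckets["6+ bugs"] += 1
    return {k: round(100 * v / len(counts)) for k, v in buckets.items()}


def top_share(reports, fraction):
    """Percentage of all reports contributed by the top `fraction` of reporters.

    The reporter count is rounded up, so 10% of 10 reporters is 1 reporter.
    """
    counts = bugs_per_reporter(reports)
    n_top = math.ceil(fraction * len(counts))
    top_total = sum(n for _, n in counts.most_common(n_top))
    return round(100 * top_total / sum(counts.values()))


def payout_summary(reports):
    """Totals of the kind shown on slide 15, plus the cost per qualifying bug."""
    qualifying = [r for r in reports if r.qualifying]
    total_paid = sum(r.bounty for r in qualifying)
    return {
        "submitted": len(reports),
        "qualifying": len(qualifying),
        "qualifying_rate_pct": round(100 * len(qualifying) / len(reports)),
        "total_paid_usd": total_paid,
        "paid_contributors": len({r.reporter for r in qualifying if r.bounty > 0}),
        "usd_per_qualifying_bug": total_paid // max(1, len(qualifying)),
    }


if __name__ == "__main__":
    print("Reporter buckets:", reporter_buckets(SAMPLE_REPORTS))
    print("Top 10% of reporters contribute", top_share(SAMPLE_REPORTS, 0.10), "% of reports")
    for key, value in payout_summary(SAMPLE_REPORTS).items():
        print(f"{key}: {value}")
```

The cost-per-qualifying-bug figure is the number to put next to the price of an equivalent third-party test when the "too expensive" concern on slide 28 comes up; the top-reporter share shows how concentrated the useful submissions are, which matters when deciding how much triage capacity to staff for the initial spike slide 19 warns about.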
18. Mozilla Web Bounty - Benefits
Engages community
Produces many high value bugs
Bounty is not purchasing silence
Security at huge scope
Identifies clever attacks & edge cases
19. Mozilla Web Bounty - Lessons Learned
Initial spike of work load
Prepare necessary teams
Response time & communication is critical
Researchers & directions - not always a perfect match
[chart: monthly figures; labels and values not recoverable from the extracted text]
22. Bounty Programs - Why?
User & user data safety is #1
Productive relationship with community
Consistent security at scale is hard
Not competing with black market
23. Launching Your Own Web Bounty Program
Bug bounties are an enhancement, not a substitute for any portion of a secure SDLC
24. Bounty Programs - Preparation
Gain developer & team lead support
Check your code
Define clear reporting process
Define scope and types of issues
Build team to respond to reports & establish response time goals
Announce program
Root cause analysis
Learn & adjust
26. Bounty Concerns
Common concerns with web bounty programs
Encourages attackers
Too expensive
Veil of cover for attackers
Bounty program duplicates internal security work
Can’t compete with black market
We’ll address why these concerns aren’t necessarily valid
27. Bounty Concerns - Encourages attackers
Bad guys already attacking you
Without bounty program good guys afraid to test or report
Bounty program enables participants that will help you
28. Bounty Concerns - Too Expensive
Very high value
Compare bounty payout with equivalent 3rd party testing
Provides continual testing
Use individual bugs to identify root cause flaws
What percentage of profit spent on security?
29. Bounty Concerns - Veil of cover for attackers
Goal is to identify flaws, not identify bad guys
One possible deployment:
Full security controls & active blocking in prod
Set up public stage for testing with dummy data
Configure production to actively block attackers
Stage area could be next revision of code for prod
30. Bounty Concerns - Duplicates Internal Security Work
You don’t know what you don’t know
Identifies process breakdowns
Identifies areas for training in secure SDLC
Another tactic to protect users & critical data
31. Bounty Concerns - Can’t Compete with Black Market
Bounty programs and black market target different audiences
Some people are bad, but many people are good
Many don’t want hassle or questionable ethics/legalities of black market
32. Bounty Concerns - Can’t Compete with Black Market
Black market process:
- Identify critical issue
- Weaponize exploit
- Find buyer on underground market
- Negotiate price
- Give bank account info for wire transfer? Arrange meeting for large cash exchange?
- File appropriate tax returns?
Bug bounty process:
- Identify critical issue
- Report issue to reputable program
- Receive bounty from organization
- Feel happy you’ve helped the world be safer
34. Conclusion
Web Bounty Program works great for Mozilla
Recommend exploring how this may work for you
Leverage lessons learned & evaluate risk/benefit