This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical Network Topologies, WAN Technologies and Protocols, Network Devices and Protocols and Network Attacks
For a college class: Hacking Mobile Devices at CCSF
Based on "The Mobile Application Hacker's Handbook 1st Edition", by Dominic Chell
Instructor: Sam Bowne
More info: https://samsclass.info/128/128_S19.shtml
Using hypervisor and container technology to increase datacenter security pos... - Tim Mackey
As presented at LinuxCon/ContainerCon 2016:
Cyber threats consistently rank as a high priority for data center operators and their reliability teams. As increasingly sophisticated attacks mount, the risk associated with a zero-day attack is significant. Traditional responses include perimeter monitoring and anti-malware agents. Unfortunately, those techniques introduce performance and management challenges when used at large VM densities, and may not work well with containerized applications.
Fortunately, the Xen Project community has collaborated to create a solution which reduces the potential of success associated with rootkit attack vectors. When combined with recent advancements in processor capabilities, and secure development models for container deployment, it's possible to both protect against and be proactively alerted to potential zero-day attacks. In this session, we'll cover models to limit the scope of compromise should an attack be mounted against your infrastructure. Two attack vectors will be illustrated, and we'll see how it's possible to be proactively alerted to potential zero-day actions without requiring significant reconfiguration of your datacenter environment.
Technology elements explored include those from Black Duck, Bitdefender, Citrix, Intel and Guardicore.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
Secure Application Development in the Age of Continuous Delivery - Tim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it's imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we'll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
New attack vectors for heartbleed: Enterprise wireless (and wired) networks.
This talk exposes a relatively obscure use of the heartbleed flaw: exploiting EAP-PEAP | EAP-TLS | EAP-TTLS network authentication protocols.
Update (02-06-2014): This blog post gives out more details and contains links to the cupid patch.
http://www.sysvalue.com/heartbleed-cupid-wireless/
Secure application deployment in Apache CloudStack - Tim Mackey
At the Apache CloudStack Collaboration Conference in Montreal, I presented a potential pathway to secure template management in CloudStack. Under this model, cloud providers can assess the templates their users have and potentially advise if deployed instances have application security issues which have either public disclosures, or better still remediation.
Domain 4: Communication and Network Security - Review
Network Architecture and Design, Fundamentals, OSI Model, TCP/IP Model and Encapsulation (speaking of which)
Designing Malware for Modern Red Team and Adversary Tradecraft.
Why use Python for building malware?
Lessons learned and considerations.
As presented at PyCon ID 2021 (05/12/2021)
The Qrator and Wallarm 2016 State of Network Security report is dedicated to the main events and strong trends in the network security industry. Particular attention is paid to DDoS, Internet infrastructure, hacks, and vulnerabilities in software and hardware such as connected devices.
Practical security - access control, least privilege, cryptography at work, security attacks and pen testing your system with Metasploit. The enemy knows the system. Not security by obscurity.
Continuous Automated Red Teaming (CART) - Bikash Barai - AllanGray11
The slides cover:
Offensive Attack landscape: Analyzing Data from Deep dark and Surface web
Tools, Techniques & Trends related to Offensive Attack Simulation: Attack Surface Management (ASM), Continuous Automated Red Teaming (CART) & More
How CART (Continuous Automated Red Teaming) can help
Open source reduces development costs, frees internal developers to work on higher-order tasks, and accelerates time to market. Quite simply, open source is the way applications are developed today. Mike Pittenger addresses security in the age of open source in this presentation.
Certificate pinning in Android applications - Arash Ramez
How to do cryptography right in Android
Part #4 / How to mitigate MITM attacks in SSL/TLS channels using server certificate validation
Watch it on YouTube:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7gZ0mtoAA8JrfFrvOKr1Qlp
How to do Cryptography right in Android Part Two - Arash Ramez
Cryptography is an indispensable tool used to protect information in computing systems. It is used everywhere and by billions of people worldwide on a daily basis. It is used to protect data at rest and data in motion. While extremely useful, cryptography is also highly brittle. The most secure cryptographic system can be rendered completely insecure by a single specification or programming error. To argue that a cryptosystem is secure, we rely on mathematical modeling and proofs to show that a particular system satisfies the security properties attributed to it.
We often need to introduce certain plausible assumptions to push our security arguments through.
This presentation is about exactly that: constructing practical cryptosystems on the Android platform for which we can argue security under plausible assumptions. Part one just covers fundamental topics in the cryptography world.
See videos:
https://www.youtube.com/playlist?list=PLT2xIm2X7W7j-arpnN90cuwBcNN_5L3AU
https://www.aparat.com/v/gtlHP
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications - Cisco DevNet
This talk discusses the problems of secure API development, how nation states break into Fortune 500 computers, what application developers can and need to do so that their applications don't get broken into, and how products like Cisco's CCS Nimbus are protected from these problems. It also discusses the secure administration of systems like CCS, as sysadmins and their credentials are the #1 target for these types of attacks.
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers) - Gabriella Davis
Two years ago enabling your site with SSL was a simple affair: buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly, security holes are being found in SSL virtually every month, popular browsers stop connecting to your site to protect themselves, and you're continually being told your users' data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096-bit SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence, this session will show you how!
OWASP Mobile Risk Series : M3 : Insufficient Transport Layer Protection - Anant Shrivastava
This session will focus on Mobile Top 10 2014-M3: Insufficient Transport Layer Protection. We will try to understand the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how these affect the overall security of mobile devices, what kind of protection can be applied, and how this can be identified.
Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
TLS/SSL - Study of Secured Communications - Nitin Ramesh
TLS/SSL - the mechanism enabling secured communications between two points over a network - is more important than ever. Here we deep dive into the basics and its relevance in today's world.
Ransomware - What you need to know to Safeguard your Data - Inderjeet Singh
Ransomware - malicious software used by hackers to block access to a computer system until a ransom is paid. Attackers contact the user with ransom demands. Most attackers request payment in Bitcoin (the crypto-currency). Even if you pay the ransom, the attackers may not deliver the key to decrypt files.
As ransomware attacks continue to grow in number and sophistication, individual PC users and organizations should reassess their current security strategy. There is a common misconception that adding layers of automated defence technologies will reduce the risk of falling victim to ransomware attacks. While endpoint security products and secure email gateways can offer some level of protection, sooner or later a phishing email, which is the most widely-used attack vector, will penetrate defences and users will be faced with determining whether or not an email is legitimate or part of an attack.
Ransomware has become one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we've seen a new era of file-encrypting ransomware variants delivered through spam messages and exploit kits, extorting money from home users and businesses alike.
SSL Checklist for Pentesters (BSides MCR 2014) - Jerome Smith
This presentation was made at BSides MCR 2014. It tackles the subject of SSL/TLS testing from the viewpoint of a penetration tester. It is a practical guide, broad in scope, focusing on pitfalls and how to check issues manually (as much as possible).
I already have updated material (including SNI and OCSP Stapling) for the next version. Look out for future content @exploresecurity and @NCCGroupInfosec.
Welcome to the world of 'network security', an unavoidable term in cyber security. This white paper on network security encompasses the most significant and predominantly used networking security concepts, which are highly important for keeping your network environment secure.
Alfresco DevCon 2019: Encryption at-rest and in-transit - Toni de la Fuente
To guarantee data integrity and confidentiality in Alfresco, we need to implement authentication and encryption at rest and in transit. With micro-service proliferation, orchestration platforms, complex topologies of services and multiple programming languages, there is a demand for new ways to manage service-to-service communication, in some cases without the application needing to be aware. In addition to that, compliance requirements around encryption and authentication come into the picture, requiring new ways to handle them. This talk will review encryption at-rest solutions for ADBP, and will also discuss solutions for encryption and authentication between services. This will be an introduction to service mesh and TLS/mTLS. We will see a demo of ACS running with Istio over EKS along with tools like WaveScope, Kiali, Jaeger, Grafana, Service Graph and Prometheus.
Gratitude Ignites, Growth Fortifies: Building an unbreakable cyber security V... - Trupti Shiralkar, CISSP
In a world filled with unyielding cyber threats, unstoppable breaches, countless security incidents and a barrage of other security challenges, the work of our task force is often marked by a reactive and stress-laden journey. Amidst this, one vital element tends to slip through the cracks: the simple act of expressing gratitude to our dedicated team members tirelessly defending our digital realms. Gratitude, one of the most underestimated but powerful catalysts for growth, is frequently overlooked in the face of constant cybersecurity challenges. The keynote aims to shine a light on the importance of acknowledging the collective efforts shaping the foundation of cybersecurity resilience, promoting an environment where gratitude is as essential as the challenges we tackle.
Cybersecurity, at its core, thrives on collaboration. Success in security programs and individual cyber careers isn't a solo endeavor. Unfortunately, many professionals take years to realize this, leading to career stagnation or the inability to launch impactful security initiatives. This presentation underscores the crucial need to build a robust community support system through knowledge sharing and expressing gratitude. By understanding that our collective success hinges on supporting one another, we pave the way for sustained growth.
Recognizing the collaborative spirit of cybersecurity, this talk invites you to contemplate the pivotal roles of teamwork, appreciation, and shared knowledge. It advocates for a united front to drive our collective success in this dynamic field. Drawing on the speaker's background, skills, and passion for community engagement, the discussion will explore five meaningful paths for collective growth in cybersecurity. These encompass open-source collaboration, participation in hackathons and innovation challenges, partnerships with security and privacy industry groups, and the establishment of mentorship and job hunt platforms to encourage cross-industry collaboration.
Embark on this inspiring journey with us as we convert challenges into opportunities. Join in as we express gratitude, share knowledge, and come together to strengthen our cyber defenses. We're not just a community; we are a resilient cybersecurity village.
Drawing on her background, skillset, and passion for community engagement, the speaker will explore five impactful pathways for collective growth in cybersecurity. These include: open-source collaboration, participation in hackathons and innovation challenges, partnering with security and privacy industry consortia and standards bodies, and running mentorship and job hunt platforms to foster cross-industry collaboration.
The speaker will challenge the audience to abandon the notions of lone wolves and heroes. She will reinforce the idea that the future of cybersecurity is collective. It's all about gratitude, shared knowledge, and building each other up.
I present a Tale of Two AIs. First, we'll delve into the intricacies of Gen AI and then discuss the unique security risks posed by Gen AI, including adversarial attacks, unintended biases, and emergent behaviors. We'll then explore how Gen AI can be utilized to strengthen security defenses by automating vulnerability detection, assisting in threat analysis, and even generating secure code. This talk will equip you with the knowledge to navigate the complex landscape of Gen AI security by building an adoption friendly responsible AI program at your organization. Join us as we explore the glitches and the guardians, and discover how to leverage the power of Gen AI to secure your applications in the future.
Whether it's the great resignation or layoffs due to a macroeconomic slowdown, the average tenure of a security professional has dropped to approximately 18 months. Successful cyber security professionals always seek a meaningful career and an environment to support it. However, some of the top reasons cyber security professionals leave their jobs are skill gaps and the reactive nature of most security jobs, which in turn raise stress levels and lead to burnout. In this talk, we will present the popular Japanese concept "Flow of IKIGAI" that can be used to help security professionals embark on a purposeful career growth journey.
Join us to learn how to discover your passion, build the necessary technical domain specific skills and soft skills to make your career profile indispensable. Understand the role networking and giving back to the community plays in creating a top-notch security career. Leadership will learn how to hire the best talent and build high performing security teams. The talk will also cover what it takes to create a thriving environment for security team members so that leadership never has to worry about the great resignations.
Generative AI's impact on creativity and productivity is undeniable. This presentation dives into real-world security and privacy risks, along with methods to address them. Can generative AI be used for cybersecurity? Let's explore!
In the digital age, constant screen time causes mental fatigue and stress. Neglecting self-care worsens this, leading to burnout. Presenters will share a journey of self-discovery through breathing exercises and meditation, offering serenity amid chaos. Establishing a meditation habit supports holistic well-being, aided by resources like guided meditations and community, empowering mindfulness.
The presentation covers an analysis of microservices architecture and design patterns (such as API gateway, Log aggregation and more) in order to analyze how certain aspects of security is achievable at scale through these patterns.
The Road Less Traveled: Use-cases, Challenges, and Solutions of Homomorphic E... - Trupti Shiralkar, CISSP
In this hyper-connected and data-driven world, information can be highly valuable. User data can be collected and analyzed using machine learning techniques to create a superior customer experience. There is a tension between the benefits of digital freedom and privacy. Striking a careful and unique balance between privacy and security of user data can be challenging. In this asymmetric battle, are there techniques that help to protect the privacy of user data while benefiting from the results of collected data analysis? The answer is Yes. Homomorphic encryption may be an effective mechanism to protect both privacy and confidentiality of the data at the same time by enabling computation on encrypted data.
The concept of homomorphic encryption has been around in theory since the RSA algorithm was published in 1978. Recent research shows promising applications of this mathematical invention. The presentation provides an overview of homomorphic encryption and how it can be used to perform computations while helping to preserve privacy. The speaker will also discuss a few use-cases of differential privacy, homomorphic encryption and security implications associated with them.
The target audience for this talk is security engineers, privacy advocates, software development engineers and managers, technical program managers and anyone who is involved in protecting privacy. The attendees will walk away with a general understanding of this topic and its usage and a framework to mitigate challenges.
The target audience for this talk is security engineers, software development engineers, software development managers, technical program managers and anyone who uses libraries as part of software development process. The attendees will walk away with a methodology on how to review libraries and how to scale secure usage of libraries using secure-by-default implementation.
Software services are built on top of service frameworks such as .NET, Java web services, Apache Axis, etc. These frameworks consist of a set of libraries and other components like support programs, compilers, tool sets, etc. Applications interact with libraries through well-defined API calls either during the build (static) or at run-time (dynamic). Generally speaking, Application Security programs implement an application-centric review process. They do not cover the criteria for doing security evaluations of libraries. The attack surface, threats and data flow for a library are different from those of an application. This talk discusses the primary differences between applications and libraries and provides a mechanism for evaluating libraries. Specifically, it covers how to scope the assessment of a library and special considerations during the architecture review and threat modeling phases. Validation of the secure and correct implementation of the security controls offered by the library is the main goal of the evaluation. By evaluating libraries, we make sure that all the fundamental building blocks of the development framework are secure. By offering guidance on secure-by-default configurations to developers we can strengthen the secure software development process.
Lately, monolithic applications have been replaced by more complex and evolving micro-service oriented architectures. Moreover, with the rise of CI/CD, DevOps, and agile SDLC, the need for building security as a core line of business has become an indispensable requirement. Within this framework, the traditional security evaluation approach, or the new secure DevOps approach implemented using small security teams (blue team, red team, DevOps security team, etc.), presents both limitations and advantages. Specifically, the checkpoint approach slows down deployments, and not all types of security assessments can be automated in CI/CD. In this presentation, I suggest that a purple team strategy is the best way to weave security across business units in an organization. Purple teams are security teams that consolidate the defensive security controls prominently learned from blue teams with the vulnerabilities and exploitation techniques utilized by red teams, into a single score. A purple team approach can break artificial boundaries and transform security from a checkpoint to a semi-mystical function. Successful collaboration between purple team members and developers/DevOps engineers will bridge the operational gap between implementation and verification of defensive controls, while using exploitation techniques will reduce the issue identification and remediation time significantly. Adopting a purple team approach can also break the negative stereotype associated with security professionals and security testing. In this talk, the audience will learn the traits and methodology of purple teams and how they are used to influence security among various groups, while augmenting the effectiveness and influence of application security programs.
Software services are built on top of service frameworks such as .net, Java web services, Apache axis etc. These frameworks consist of a set of libraries and other components like support program, compilers, tool sets etc. Applications interact with libraries through well-defined API calls either during the build (static) or at run-time (dynamic). Generally speaking, Application Security programs implement an application-centric review process. They do not cover the criteria to do security evaluations of libraries. The attack surface, threats and data flow for a library are different from an application. This talk discusses the primary difference between applications and libraries and provides a mechanism for evaluating libraries. Specifically, it covers how to scope the assessment of a library and special considerations during architecture review and threat modeling phases. Validation of the secure and correct implementation of the security controls offered by the library is the main goal of the evaluation. By evaluating libraries, we make sure that all the fundamental building blocks of development framework are secure. By offering guidance on secure-by-default configurations to developers we can strengthen the secure software development process.
2. Disclaimer
This disclaimer informs readers that the views, thoughts, and opinions expressed in the presentation belong solely to the author, and not necessarily to the author's employer, organization, committee or other group or individual.
All the images used in this presentation do not belong to me and are subject to the copyright protection act.
3. Agenda
• Why should we study common crypto attacks?
• Common Crypto Attacks
o Vulnerabilities in cryptographic ciphers and protocols
o Vulnerabilities in cryptographic libraries
• FIPS 140-2: what works / doesn't work?
• Secure Implementation Guidelines
• Conclusion
4. Why Should We Study Crypto Attacks
Building a secure cryptographic system is easy to do badly and very difficult to do well. Unfortunately, most people can't tell the difference.
~ Bruce Schneier
5. Fighting Russians in Winter
Swedish Invasion (1707)
• 35,000 troops reduced to 19,000
• Swedish empire ended in 1709
French Invasion (1812)
• 610,000 troops reduced to 120,000
• Napoleon's defeat
German Invasion (1941)
• Lessons learnt from history were ignored
6. Cryptographic Ciphers
There are two types of encryption: One that will prevent your sister
from reading your diary and one that will prevent your government.
- Bruce Schneier
7. Cryptographic Ciphers
Insecure vs secure ciphers
• Any cipher which provides 128 bits or more of cryptographic strength is considered safe until quantum computing becomes the norm
Examples: AES (128, 192, 256 bits)
• NSA Suite B Cryptography for classified and unclassified information
✓ AES (128, 256) for symmetric encryption, with counter mode for low bandwidth and GCM mode for high bandwidth
✓ ECDSA for digital signatures
✓ ECDH for key agreement
✓ SHA-256 or SHA-384 for message digests
• Insecure ciphers
- MD5, SHA-1
- DES, TDES
- RSA, DSA with 1024-bit key pairs
- RC4
• Quantum-safe ciphers
Ciphers which are safe against attack by a quantum computer.
AWS crypto quantum safe ciphers wiki
9. Cryptographic Backdoor
• An RNG backdoor is implemented in the FIPS-approved Dual EC DRBG; it was identified by Microsoft engineers in 2007.
• NSA runs the BULLRUN program to crack encrypted online data.
• NSA paid $10 million to RSA to put the backdoor in the BSAFE library.
• NSA spent $250 million per year to insert this backdoor in software and hardware products.
• In 2013, a NY Times article indicated the presence of the backdoor.
• NIST SP 800-90A was published in 2006 and withdrawn in 2014.
10. Padding Oracle Attack
• In cryptography, plaintext is padded so that it is compatible with the cryptographic primitive.
• The oracle is usually a server that responds whether or not a message is correctly padded.
• This attack uses the padding validation of a cryptographic message to decrypt the ciphertext.
• CBC mode provides only confidentiality.
• In the case of CBC-mode encryption, the server returns a message indicating whether the padding of the encrypted text is correct or not, which results in decryption of the ciphertext without the encryption key.
• Examples: Lucky 13, FREAK, POODLE, Logjam
11. ROBOT (Return Of Bleichenbacher's Oracle Threat) CVE-2017-13099
• A 20-year-old crypto vulnerability (identified in 1998).
• Researchers built a proof of concept, scanned infrastructure and found Facebook, F5, Cisco, Bouncy Castle, WolfSSL and a few more vendors vulnerable.
• This attack is applicable to RSA key exchange (TLS_RSA_WITH_AES_128_CBC_SHA).
• Root cause: the error messages of the PKCS#1 v1.5 padding scheme in the RSA encryption standard allow an adaptive chosen-ciphertext attack.
• Impact: an attacker can decrypt encrypted data and sign communications using the site's private key, resulting in information disclosure.
• Resolution: do not use PKCS#1 v1.5.
• TLS 1.3 has deprecated the use of RSA key exchange with PKCS#1 v1.5.
12. LUCKY 13 (CVE-2013-0169)
• This is a timing attack, which is a form of side-channel attack: the attacker analyzes the time taken to execute the cipher operations.
• Root cause: the attacker exploits badly formatted padding in TLS cipher suites that use CBC mode.
• Impact: the attacker can obtain plaintext authentication cookies.
• Martin R. Albrecht and Paterson demonstrated a variant of the Lucky 13 attack on Amazon s2n and found it vulnerable.
• Resolution: add random time delays to defeat statistical analysis; use authenticated encryption (AES-GCM/CCM).
13. BEAST: Browser Exploit Against SSL/TLS (CVE-2011-3389)
• BEAST is an attack which was revealed in September 2011.
• This is a purely client-side vulnerability.
• Root cause: a weakness in CBC mode; except for the first random IV used for encryption, all subsequent IVs are predictable during an active man-in-the-middle attack, causing a chosen-plaintext vulnerability in TLS/SSL.
• Impact: according to Gregory Bard's paper, the success rate of this attack is 100%.
• Resolution: use explicit IVs and AES-GCM in TLS 1.2.
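To make the padding-oracle point of slides 10 to 13 concrete, here is an added Go example (not from the slides) that places the leaky "CBC, then check the padding" decryptor beside the AES-GCM form the slides recommend. The key and message are constructed for the demonstration, the function names are mine, and only the contrast in error behaviour is shown: CBC without a MAC answers "padding valid?" for a modified message, while GCM rejects any modification with one opaque error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrPadding is the distinguishable error a CBC-only decryptor leaks; ErrAuth is the AEAD path's only error.
var ErrPadding = errors.New("invalid PKCS#7 padding")
var ErrAuth = errors.New("authentication failed")

// cbcEncrypt: PKCS#7 pad, then AES-CBC under a fresh random IV; output is IV || ct.
// This is the unauthenticated "encryption only" construction the slides warn about.
func cbcEncrypt(block cipher.Block, plaintext []byte) []byte {
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err) // the OS CSPRNG failing is unrecoverable here
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// cbcDecryptLeaky decrypts, then checks padding and reports ErrPadding when it is wrong.
// With no MAC, a modified message is accepted whenever its padding happens to be valid
// and rejected with a distinguishable error otherwise: that yes/no answer is the oracle.
func cbcDecryptLeaky(block cipher.Block, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize {
		return nil, ErrPadding
	}
	for _, b := range pt[len(pt)-padLen:] {
		if int(b) != padLen {
			return nil, ErrPadding
		}
	}
	return pt[:len(pt)-padLen], nil
}

// gcmSeal is the hardened form: AES-GCM with a fresh random 96-bit nonce per message (never reused under one key); output is nonce || ct || tag.
func gcmSeal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen verifies the tag before releasing any plaintext and collapses every failure
// into ErrAuth, so there is no padding-versus-MAC distinction for anyone to observe.
func gcmOpen(aead cipher.AEAD, data []byte) ([]byte, error) {
	if len(data) < aead.NonceSize() {
		return nil, ErrAuth
	}
	pt, err := aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key, not a real secret
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	msg := []byte("session-cookie=") // 15 bytes, so PKCS#7 appends a single 0x01
	ct := cbcEncrypt(block, msg)
	ct[aes.BlockSize-1] ^= 0x01 // flip the IV byte that XORs into the padding byte
	_, cbcErr := cbcDecryptLeaky(block, ct)
	sealed := gcmSeal(aead, msg)
	sealed[len(sealed)-1] ^= 0x01 // flip one tag byte
	_, gcmErr := gcmOpen(aead, sealed)
	fmt.Println("CBC:", cbcErr, "| GCM:", gcmErr)
}
```

Flipping a different IV byte (for example the first one) makes cbcDecryptLeaky return garbage with no error at all, which is exactly the distinguishable behaviour an oracle attack needs; gcmOpen returns ErrAuth no matter which byte is touched.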
14. POODLE (Padding Oracle On Downgraded Legacy Encryption) CVE-2014-3566
• Root cause: for backward compatibility, many legacy servers support downgrading the request to SSL v3, which uses insecure RC4 or CBC mode.
• Impact: the attacker uses a man-in-the-middle attack to downgrade the protocol to SSL v3.
• A secret encrypted with RC4 and sent many times leaks more and more information under a bit-flipping attack.
• 256 SSL v3 requests are required to obtain 1 byte of plaintext data.
• Resolution: disable SSL v3, or use TLS_FALLBACK_SCSV, which ensures that a downgrade is accepted only when a legacy system is actually involved.
15. HeartBleed (CVE-2014-0160)
• On January 1, 2011 a German developer introduced the Heartbeat extension to OpenSSL.
• This TLS extension implements keep-alive functionality without performing a renegotiation.
• The flaw was discovered by Codenomicon and Google security engineers in April 2014.
• Root cause: a buffer over-read; the code lacks bounds checking and reads more data than the size of the buffer, causing memory-safety issues.
• Impact: an attacker can read sensitive information, including private keys, from 64 MB of memory, decrypt server traffic and impersonate the server.
• Resolution: upgrade the OpenSSL library to OpenSSL v1.0.1g.
16. LOGJAM (CVE-2015-4000)
• Root cause: Logjam exploits the TLS protocol flaw of supporting export-grade Diffie-Hellman (512-bit).
• Impact: the TLS connection is downgraded to export-level Diffie-Hellman using a man-in-the-middle attack.
• Resolution: reject small primes in the DHE handshake, accept only 2048-bit or larger DHE groups, and transition to ECDH.
17. FREAK (Factoring Attack on RSA Export Keys) CVE-2015-0204
• Root cause: an attacker can conduct a man-in-the-middle attack to force clients to use weaker encryption (512-bit RSA), which is easy to decrypt.
• Weak RSA export options:
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
• Impact: the attacker can decrypt ciphertext.
• Resolution: disable export-grade cipher suites.
18. DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) CVE-2016-0800
• Breaking TLS using SSLv2: published in August 2016.
• According to https://drownattack.com, 33% of HTTPS servers were affected.
• Root cause: the attacker exploits a fundamental flaw in SSL v2, which utilizes 40-bit RSA key material.
• Impact: 40,000 probes and 2^50 computations are required to decrypt 1/900 of the TLS connections from a victim. The Amazon EC2 computation cost is $440.
• In the case of the OpenSSL bug, 17,000 probes are required to decrypt 1/260 of the TLS connections from a victim; it takes less than one minute on a fast PC to decrypt the key.
• Resolution: upgrade the OpenSSL library and do not use SSLv2.
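The resolutions on slides 11 to 18 come down to configuration: refuse old protocol versions, drop RSA key exchange, CBC, RC4, 3DES and export suites, and reject small DHE groups. The Go example below is added here and is not from the slides; HardenedTLSConfig, AuditCipherSuites and AcceptDHPrime are illustrative names of mine, the legacy suite list in main is constructed, and the audit deliberately also flags any suite ID that Go's crypto/tls does not recognise.

```go
package main

import (
	"crypto/rand"
	"crypto/tls"
	"fmt"
	"math/big"
	"strings"
)

// HardenedTLSConfig applies the slides' resolutions in one server configuration:
// no SSLv2/SSLv3/TLS 1.0/1.1 (POODLE, BEAST, DROWN), no RSA key exchange (ROBOT),
// no CBC suites (Lucky 13), only ECDHE with AEAD. Go's crypto/tls never offers
// export-grade or finite-field DHE suites, so the FREAK/Logjam suites cannot be negotiated.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// AuditCipherSuites reports, by name, every suite in ids that the slides class as
// weak: static RSA key exchange, CBC mode, RC4, 3DES, anything Go itself marks
// insecure, and any ID Go does not recognise (reported as "0x...."). Empty means clean.
func AuditCipherSuites(ids []uint16) []string {
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	var findings []string
	for _, id := range ids {
		name := tls.CipherSuiteName(id)
		weak := insecure[id] || strings.HasPrefix(name, "TLS_RSA_WITH_") ||
			strings.Contains(name, "_CBC_") || strings.Contains(name, "RC4") ||
			strings.Contains(name, "3DES") || strings.HasPrefix(name, "0x")
		if weak {
			findings = append(findings, name)
		}
	}
	return findings
}

// AcceptDHPrime implements "reject small primes in the DHE handshake": the group
// modulus must be at least 2048 bits and actually prime. Hypothetical helper for a
// stack that still negotiates finite-field DHE; Go's crypto/tls does not.
func AcceptDHPrime(p *big.Int) bool {
	return p.BitLen() >= 2048 && p.ProbablyPrime(20)
}

func main() {
	fmt.Println("hardened config findings:", AuditCipherSuites(HardenedTLSConfig().CipherSuites))
	// Constructed legacy list: the ROBOT suite from slide 11, RC4, the FREAK-slide 3DES
	// suite (0x0013, which Go has no constant for) and one acceptable ECDHE+GCM suite.
	legacy := []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_RC4_128_SHA,
		0x0013, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	fmt.Println("legacy list findings:", AuditCipherSuites(legacy))
	small, _ := rand.Prime(rand.Reader, 512) // the export-grade size Logjam exploited
	strong, _ := rand.Prime(rand.Reader, 2048)
	fmt.Println("512-bit group accepted:", AcceptDHPrime(small), "| 2048-bit:", AcceptDHPrime(strong))
}
```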
19. Vulnerabilities in Cryptographic Libraries
Strong cryptography is very powerful when it is done right, but it is not a panacea. Focusing on cryptographic algorithms while ignoring other aspects of security is like defending your house not by building a fence around it, but by putting an immense stake in the ground and hoping that your adversary runs right into it.
~ Bruce Schneier
23. Bouncy Castle Vulnerabilities
Known vulnerabilities
1. ROBOT (CVE-2017-13098)
2. Invalid curve attack (CVE-2015-7940)
~ Bouncy Castle does not validate that an EC point lies on the curve, and an attacker can send several specially crafted ECDH key exchange requests to obtain the private key.
3. Timing side-channel attack (CVE-2013-1624)
~ During processing of malformed CBC padding, a timing attack on the MAC validation operation results in plaintext recovery.
4. Bleichenbacher vulnerability (ROBOT) (CVE-2007-6721)
24. Lessons Learnt from FIPS 140-2
• Finite state model for crypto libraries
• Self-test
- known answer test for each cipher
• Conditional tests
- pairwise consistency test
• Key generation entropy
• Random number conditional tests
- stuck bit test
• Key zeroization
- Securely delete keys after usage by overwriting them with zeros or random data.
• Tamper resistance
- Tamper detection, tamper evidence and tamper response
25. Entropy
• A longer key does not guarantee more security
• What is entropy?
• How to measure entropy?
• Tools: NIST's Statistical Test Suite, Dieharder
https://w.amazon.com/index.php/Infosec/Cryptography/Guidelines/Dieharder
• Best security practices
- Ensure all sources of entropy are secure
- The entropy of the key should be equivalent to the cryptographic strength indicated by the key size
o AES 256 bits (cryptographic strength: 256 bits)
o RSA 2048 bits (cryptographic strength: 128 bits)
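As an added illustration (not from the slides) of the "stuck bit test" on slide 24 and the "how to measure entropy" question on slide 25, the Go program below implements the NIST SP 800-90B repetition count test, a per-bit stuck-bit check and the most-common-value min-entropy estimate, and runs them over OS CSPRNG output and a constructed faulty source. The function names are mine; the cutoff formula C = 1 + ceil(20/H) is SP 800-90B's repetition count cutoff at its alpha of 2^-20.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
)

// RepetitionCountCutoff is the cutoff C of NIST SP 800-90B section 4.4.1 for a claimed
// min-entropy hBits per sample at alpha = 2^-20: C = 1 + ceil(20/H), so 4 for H = 8.
func RepetitionCountCutoff(hBits float64) int {
	return 1 + int(math.Ceil(20/hBits))
}

// RepetitionCountTest is the continuous "stuck source" check: it fails as soon as one
// sample value appears cutoff times in a row. It returns true when the data passes.
func RepetitionCountTest(samples []byte, cutoff int) bool {
	if len(samples) == 0 {
		return false
	}
	run := 1
	for i := 1; i < len(samples); i++ {
		if samples[i] == samples[i-1] {
			run++
			if run >= cutoff {
				return false
			}
		} else {
			run = 1
		}
	}
	return true
}

// StuckBits returns the bit positions (0 = LSB .. 7 = MSB) that never change across the
// samples; a faulty or mis-wired hardware source shows up here even when byte values vary.
func StuckBits(samples []byte) []int {
	var ones [8]int
	for _, s := range samples {
		for bit := 0; bit < 8; bit++ {
			ones[bit] += int(s>>uint(bit)) & 1
		}
	}
	var stuck []int
	for bit := 0; bit < 8; bit++ {
		if ones[bit] == 0 || ones[bit] == len(samples) {
			stuck = append(stuck, bit)
		}
	}
	return stuck
}

// MinEntropyEstimate returns the most-common-value estimate -log2(max p) in bits per
// byte. It is an upper bound: a counter 0x00, 0x01, ... scores a full 8 bits while being
// perfectly predictable, which is why structural tests run alongside it.
func MinEntropyEstimate(samples []byte) float64 {
	if len(samples) == 0 {
		return 0
	}
	var counts [256]int
	maxCount := 0
	for _, s := range samples {
		counts[s]++
		if counts[s] > maxCount {
			maxCount = counts[s]
		}
	}
	return -math.Log2(float64(maxCount) / float64(len(samples)))
}

func main() {
	good := make([]byte, 4096)
	rand.Read(good) // OS CSPRNG output
	stuck := make([]byte, 4096) // constructed faulty source: bit 7 always set, bit 0 always clear
	rand.Read(stuck)
	for i := range stuck {
		stuck[i] = stuck[i]&0xFE | 0x80
	}
	cutoff := RepetitionCountCutoff(8)
	for name, s := range map[string][]byte{"csprng": good, "faulty": stuck} {
		fmt.Printf("%s: RCT pass=%v stuck bits=%v min-entropy=%.2f bits/byte\n",
			name, RepetitionCountTest(s, cutoff), StuckBits(s), MinEntropyEstimate(s))
	}
}
```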
26. Why FIPS 140-2 doesn't guarantee security
• Cipher suite recommendations, including key sizes and modes, are dictated by NIST (or the NSA?)
• Application security or full-stack (end-to-end) issues are not captured
• The scope of the crypto review is limited to the boundary of the library
• Crypto requirements do not change as technology changes
• Paper chase: too much emphasis on documentation
• The time required for certification is longer than the life of a version of the crypto product/service
27. Secure Implementation Guidelines
Prussian general Carl von Clausewitz calls "the position of the interior." A good security product must defend against every possible attack, even attacks that haven't been invented yet.
~ Bruce Schneier
28. Secure cryptographic implementation guidelines
• Do not reuse cryptographic parameters (key, IV, key material).
• Check the size of input parameters to avoid buffer overflows.
• Destroy all copies (temporary files, virtual memory) of plaintext after it is encrypted.
• Erase key material properly after usage.
• Do not leave keys and passwords on the host and rely on the OS to protect them.
• Audit flooding should be prohibited, so that an attacker cannot hide their identity.
• Ensure the protection of compromised keys stored in the hot list.
• Beware of weak password selection in a Password-Based Key Derivation Function (PBKDF): a password shorter than 10 characters could result in weak protection for the resulting 256-bit AES key.
• Along with encryption, ensure the integrity and authenticity of the data.
29. Summary
Buckets of crypto vulnerabilities:
• Lack of security controls
• Insecure configuration
• Insufficient entropy/randomness
• Implementation bugs
• Mathematical flaws
• Design flaws
• 1990s-era export-grade cryptography
30. Conclusion
• Weaker encryption (1990s-era US export grade) is baked into many software products and is the root cause of many crypto vulnerabilities.
• Strong and secure cryptographic keys do not guarantee a secure cryptosystem.
• Security builders should be aware of cryptanalytic attacks so that old mistakes are not repeated over and over again.
• Security control developers and cryptographers should work together efficiently.
• Discuss the gravity of the consequences of a security trade-off made to enhance usability with cryptographers.