DREAD for a Startup - Ernit Architecture Example

•

0 likes•208 views

How a startup can start itself to be at-par with contemporary cyber-security measures and standards ? While it is true that a startup cannot afford bug bounty programs or the cost of conducting pen-testing. At recent Techfestival Copenhagen's Cyber Security & Infomation Warefare Summit organized by Sven Weizenegger & Marisa Hinrichs I had opportunity to speak about Good old DREAD framework where a startup can begin assessing and start itself on the journey of meeting cyber-security standards, sustain itself from vulnerabilities, and answer those tough questions coming from integration partners and investors at the same time

Technology

GOOD OLD DREAD
FOR A STARTUP
AMANDEEP MIDHA
ERNIT APS

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
WHAT IS YOUR WHY?
▸ Why are you here ?
▸ Why you care for security ?
▸ After all what is there for secure ?
▸ What the fuss it is all about ?
▸ Is it really needed ?
▸ What is net yield of my efforts to secure ?

ASSESSMENT ≠ ACTIONS
GOOD OLD DREAD FOR A STARTUP - ERNIT APS

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
DREAD
▸ Damage Potential
▸ Reproducibility
▸ Exploitability
▸ Affected Users
▸ Discoverability
Risk = (Reproducibility + Exploitability) x (Damage Potential + Affected Users + Discoverability)

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
INTRODUCTION TO ERNIT (Q2, ’17 OFFERING)
▸ Physical IoT PiggyBank connected to Internet
▸ App available on Appstore with Parent Proﬁle as Primary
user, and Child login as sub-account accessible with PIN
▸ App user proﬁle optionally connected to Bank Account

APPLYING DREAD AT ERNIT
▸ Application Threat Modelling
▸ Entry Points i.e. each HTTP / HTTPS endpoint
▸ Assets i.e. Kid, Adult, Goal images
▸ Trust Levels i.e. Parent, Patron, Kid
▸ External Dependencies
GOOD OLD DREAD FOR A STARTUP - ERNIT APS

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
1. THREAT RANKING
▸ Threat Ranking
Type Security Aspect
Spooﬁng Authentication
Tampering Data Integrity
Repudiation Non-repudiation
Inf Disclosure Conﬁdentiality
Denial of Service Availability
Elevation of
Privilege
Authorization

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
2. AUTHENTICATION & CORRECTIVE ACTIONS
▸ Log every attempt
▸ Log every 401
▸ Implement Blockout Strategy

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
3. ACCESS CONTROL - CORRECTIVE ACTIONS
▸ All POST / PUT /PATCH API calls to server must deﬁne the
span of control of such operations limited to User’s data
graph (and no more for users and kids he is not associated
with )

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
4. COMMAND INJECTION CORRECTIVE ACTIONS
▸ Mostly a cloud service provider makes the claim to prevent
▸ Having appropriate ORM and avoiding raw SQL as much
as possible
▸ Deﬁne your “Known bad inputs”

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
5. SESSION MANAGEMENT & CORRECTIVE ACTIONS
▸ Alert: UX versus Security Fights Expected Most Here
▸ Deﬁne
▸ when to invalidate app user session
▸ when to block user access
▸ checks to verify token abuse attempt
▸ when forced token invalidation should happen

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
6. SECURE DATA TRANSMISSION & CORRECTIVE ACTIONS
▸ Identify Data to Encrypt
▸ Proper Encryption Implementation
▸ Pig-Server Communication
▸ App-Server Communication
▸ Server-GW-Bank Communication

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
SOME OTHER COUNTER MEASURES
▸ TAMPERING
▸ All PUT/PATCH API call implementations to check if action is valid on set
of data, before making the action
▸ Goes hand-in-hand with “Elevation of Privilege” threat
▸ INFORMATION DISCLOSURE
▸ Have your invitation module, not send out excessive inviting user
information, and invitee to begin from “apply to access”
▸ DENIAL OF SERVICE
▸ Appropriate Rate Limiting of your Backend APIs as part of Implementation

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
ERNIT Q3, 2017
AES
COPPA Compliant
Image store

GOOD OLD DREAD FOR A STARTUP - ERNIT APS
ERNIT SECURITY - ROAD AHEAD
▸ UL2900-1 being studied by
consortium of ERNIT, Delta
Systems, Eﬁcode, and Alexandra
Institute
▸ Vulnerability Assessment & Port
Scanning Completed
▸ Audit-ability of each PI item as
digital audit of GET endpoints
(GDPR Compliance)
▸ More Details by Q4, 2017

1. Autonomous analytics enables analyzing past, real-time, and predictive analytics on large amounts of data with minimal configuration. 2. An example application is given of a mobile app developer who wants to measure app usage and performance to understand why users started uninstalling the app. 3. Automated anomaly detection learns normal behavioral patterns and can detect and classify different types of anomalies, helping app developers identify and address issues quickly to improve the user experience.

The left is not wrong, just not right; It's time to shift right!

Phillip Maddux

In the last few years of AppSec and DevOps, we've heard the calls to shift left. But how far left can we go, and is it really going to help eliminate exploitable bugs or scale your AppSec program? What if we consider a different direction, shifting right! Can a focus on shifting to the right be more effective in mitigating real-world threats and prioritization? In this presentation, I'll explore these questions and propose concepts that show why shifting right is right! 

Threat Hunting with Deceptive Defense and Splunk Enterprise Security

Satnam Singh

Threat hunting has been primarily a playground for security experts in surfacing unknown threats. It is a proactive security approach where the hunt starts with a hypothesis about a hidden threat that may be already in the enterprise network. According to 2017 survey on threat hunting by the SANS Institute, nearly 45% of organizations hunt on an ad hoc basis. The ad hoc approach is ineffective and does not yield sufficient results to cover the cost of threat hunting. Considering the scarcity of security analysts, the ad hoc threat hunting becomes a costly and expensive process. Also, threat hunting is typically performed by doing outlier detection of the data. For example, analysts usually do outlier detection to find suspicious processes out of Windows process logs. The outlier detection can be done using simple box plots, control charts, or using more sophisticated unsupervised machine learning techniques. However, the output of all the outlier detection techniques is outliers/anomalies that still need to be audited/investigated by the security analysts. This adds more workload to the already overwhelmed security analyst. The fusion of data science and deceive security provides an opportunity to validate many alerts automatically and therefore provides an automated approach from threat hunting. Deceptive defense system offers a way to confirm an adversary presence with nearly 0% false alarms when the adversary bumps onto one of the deceptions. The modern set of deceptions is the reincarnation of honeypots, honeytokens, honeynets, and honey files that blends well within the network and can dynamically change their configurations. When an adversary access a deception, it raises a positive affirmation of a threat. In this approach, one needs to use alerts and contextual security events along with deceptive security to rank the existing alerts. It takes away a lot of manual verification of various security alerts.

Building a Security culture at Skyscanner 2016

Stu Hirst

This document summarizes the career and work experiences of Stu Hirst, currently the IT Security Manager and Squad Lead at Skyscanner. It discusses his background in mainframe programming and the music industry before moving into security. It then provides details about Skyscanner, including its growth from 30 to 800+ employees. The rest of the document outlines the security practices and initiatives implemented at Skyscanner over time, including two-factor authentication, user data standards, security training, bug bounty programs, and more. It discusses both successes and challenges, with an emphasis on building security into development processes from the start.

DevSecOps - a 2 year journey of success & failure!

Stu Hirst

.conf2016: Splunking the Endpoint: “Hands on!” Ransomware Edition

Splunk

This document discusses using Splunk software to build a security operations center (SOC) and monitor for threats and compliance. It provides an overview of Splunk's capabilities for security analytics, incident response, and compliance reporting. Specific applications mentioned include monitoring privileged user access, detecting data breaches, and ensuring compliance with the GDPR. The presentation emphasizes how Splunk allows flexible data collection and analysis across IT operations, security, and other domains to gain visibility and protect sensitive data.

Splunk Discovery Day Dubai 2017 - Security Keynote

Splunk

This document discusses Splunk's security vision, strategy, and platform. It outlines Splunk's positioning as a leader in security information and event management. It describes Splunk's security portfolio and how the platform can be used to prevent, detect, respond to and predict security threats. It also provides examples of how Splunk has helped customers in various industries improve their security operations and gain insights from security and other machine data.

Splunk Discovery Day Dubai 2017 - Keynote

Splunk

The document provides an agenda for a Splunk conference event discussing Splunk's security vision, strategy and platform. It includes presentations from Splunk executives and customers on using Splunk for security operations and IT operations. The agenda lists talks on Splunk's security vision from 10:00-10:30, a customer use case from 10:30-11:00, a break from 11:00-11:30, and presentations on using Splunk for security and IT operations from 11:30-13:00. The event concludes at 14:00 after a lunch break from 13:00-14:00.

The sooner the better but never too late

Vlad Styran

This document contains the slides from a security conference presentation titled "The sooner the better but never too late or Why software security starts with testing". The presentation discusses software security and testing. It was given by Vlad Styran from Berezha Security. Some key points discussed include common security practices like threat modeling, secure coding, and security testing. The presentation encourages learning security skills through resources like books, online courses, meetups and conferences. It promotes starting with security testing and practices from the beginning of a project.

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

QAFest

Це буде огляд підходів до побудови програми безпеки програмного забезпечення в команді розробки або кампанії загалом, доповнений висновками з мого власного досвіду виконання практичних та консультаційних проектів в сфері Application Security.

Splunk Phantom SOAR Roundtable

Splunk

Next generation security analytics

Christian Have

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

NowSecure

A mobile app that’s vulnerable to man-in-the-middle (MITM) attacks can allow an attacker to capture, view, and modify sensitive traffic sent and received between the app and backend servers. At NowSecure, Michael Krueger and Tony Ramirez spend their days performing penetration tests on Android and iOS apps, which include exploiting MITM vulnerabilities and helping developers fix them. These slides are from a 30-minute webinar with Michael & Tony about MITM attacks on mobile apps and how to prevent them that will cover: -- Identifying man-in-the-middle vulnerabilities in mobile apps -- How to execute a mobile man-in-the-middle attack -- Right and wrong ways to implement certificate validation and certificate pinning

ProActive Security

Ibnisina Sina

This document discusses proactive security and outlines the key steps involved. It describes proactive security as being secure before being acted upon by trying to mitigate and prevent risks. The main steps outlined are discovery, scoping, assessment, reporting, remediation, and training. It provides details on vulnerability discovery methods like automated scanning, manual testing, and instant discovery. It also discusses scoping a security assessment using a tiered approach, reporting essentials, the appsec pipeline, and importance of training and awareness.

ProActive Security

Ibnisina Sina

This document discusses proactive security and outlines the key steps involved. It describes proactive security as being secure before being acted upon by trying to mitigate and prevent risks. The main steps outlined are discovery, scoping, assessment, reporting, remediation, and training. It then provides more details on various aspects of the process including vulnerability discovery through automated and manual means, attack surface analysis, scoping a testing approach, reporting essentials, the application security pipeline, and training and awareness programs.

Cloak and Dagger Attacks - Android

Sudara Fernando

This about a stealthy attack which can be carried out on Android Platform. The presentation is based on the findings by Fratantonio, Yanick, Chenxiong Qian, Simon P. Chung, and Wenke Lee. "Cloak and Dagger: From Two Permissions to Complete Control of the UI Feedback Loop." In IEEE Symposium on Security and Privacy (SP), pp. 1041-1057, 2017. I am sorry, I have used some videos, which are unfortunately not available in this version.

Mobile app development | CHOICE OF TECHNOLOGY

rsha12

This document discusses factors to consider when choosing a technology for mobile application development. It notes that changing the technology midway will be expensive in terms of time and money. It outlines prerequisites like understanding the business idea, users, and available time and money. It also covers features, user base, investment requirements, scaling principles, available options like native, HTML5 and hybrid approaches, and concludes that the decision depends on specific needs as different technologies suit different use cases.

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

NowSecure

Originally Presenter October 18, 2018 Enterprise-grade ephemeral messaging provider Vaporstream knows firsthand that security needs to be built into the software development lifecycle rather than bolted on. Serving highly regulated industries such as federal government, energy, financial services and healthcare, Vaporstream’s leakproof communication platform provides the highest level of assurance that compliance professionals require. Vaporstream partners with NowSecure to test and certify its Android and iOS mobile messaging apps. This case study webinar covers how Vaporstream adheres to a rigorous secure app lifecycle in order to meet customer expectations for secure communications: + Designing a secure app architecture & development process + Incorporating security testing into the release cycle + Comprehensive penetration testing

Practical iOS App Security

Totem_Training

Conf2013 bchristensen thebig_t

Beau Christensen

The document discusses Ping Identity's approach to monitoring and building trust with customers. It emphasizes reliability through keeping systems running with automation, security, and tools. It also stresses transparency by publicly discussing decisions, architecture, and status updates. Ping Identity uses a monitoring stack with multiple tools at different layers, with Splunk as the central aggregation and visualization tool. This allows them to monitor networks, systems, applications, security, and more to quickly troubleshoot issues and maintain reliability and transparency.

How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Securit...

Dana Gardner

Vetting Mobile Apps for Corporate Use: Security Essentials

NowSecure

Using automation to improve the effectiveness of security operations

Huntsman Security

Healthcare fraud detection

Mahdi Esmailoghli

Securing Your Business

Jose L. Quiñones-Borrero

This document contains information about Jose L. Quinones and his background and expertise in information security. It outlines his qualifications and certifications, as well as his experience working in IT roles and founding security organizations. The document also provides an overview of common cyber threats, best practices for securing small businesses and their networks, and tips for secure password usage, mobile device security, and cloud computing. It discusses social engineering techniques used by attackers and how to identify phishing attempts. Contact information is also listed at the end.

5 Mobile App Security MUST-DOs in 2018

NowSecure

Originally presented on 12/5/2017 To close out the 2017 webinar season, our mobile security expert panel will review the top mobile threats of 2017 (e.g., Cloudbleed, Bootstomp, Broadpwn, and more) and then debate what’s next in mobile app security and mobile app security testing for 2018. See the slides from this spirited discussion of the security ramifications of the new iPhone X, iOS 11, Android 8, the latest innovations in the mobile app security testing, and more. Compare your mobile app security and mobile app security testing initiatives with what our experts say should be your top priorities in 2018.

Forcepoint: Technická opatření pro ochranu osobních údajů (a citlivých dat) z...

MarketingArrowECS_CZ

The document discusses how Forcepoint can help organizations comply with the General Data Protection Regulation (GDPR). It summarizes that Forcepoint provides solutions to help with three key requirements of GDPR: inventorying personal data, mapping and controlling personal data flows, and being prepared to timely respond to data incidents. The document provides examples of Forcepoint products that address each of these requirements.

What's hot

Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk

Splunk

Splunk Discovery Day Dubai 2017 - Security Keynote

Splunk

Splunk Discovery Day Dubai 2017 - Keynote

Splunk

The sooner the better but never too late

Vlad Styran

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

QAFest

Splunk Phantom SOAR Roundtable

Splunk

What's hot (6)

Splunk Forum Frankfurt - 15th Nov 2017 - Building SOC with Splunk

Splunk Discovery Day Dubai 2017 - Security Keynote

Splunk Discovery Day Dubai 2017 - Keynote

The sooner the better but never too late

QA Fest 2019. Володимир Стиран. Чим раніше – тим вигідніше, але ніколи не піз...

Splunk Phantom SOAR Roundtable

Similar to DREAD for a Startup - Ernit Architecture Example

Next generation security analytics

Christian Have

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

NowSecure

ProActive Security

Ibnisina Sina

ProActive Security

Ibnisina Sina

This document discusses proactive security and outlines the key steps involved. It describes proactive security as being secure before being acted upon by trying to mitigate and prevent risks. The main steps outlined are discovery, scoping, assessment, reporting, remediation, and training. It then provides more details on various aspects of the process including vulnerability discovery through automated and manual means, attack surface analysis, scoping a testing approach, reporting essentials, the application security pipeline, and training and awareness programs.

Cloak and Dagger Attacks - Android

Sudara Fernando

Mobile app development | CHOICE OF TECHNOLOGY

rsha12

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

NowSecure

Practical iOS App Security

Totem_Training

Conf2013 bchristensen thebig_t

Beau Christensen

How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Securit...

Dana Gardner

Vetting Mobile Apps for Corporate Use: Security Essentials

NowSecure

Using automation to improve the effectiveness of security operations

Huntsman Security

Healthcare fraud detection

Mahdi Esmailoghli

Securing Your Business

Jose L. Quiñones-Borrero

5 Mobile App Security MUST-DOs in 2018

NowSecure

Forcepoint: Technická opatření pro ochranu osobních údajů (a citlivých dat) z...

MarketingArrowECS_CZ

Uncovering Fraud in Key Financial Accounts using Data Analysis

FraudBusters

Webinar series from FraudResourceNet LLC on Preventing and Detecting Fraud Using Data Analytics. Recordings of these Webinars are available for purchase from our Website fraudresourcenet.com This Webinar focused on fraud detection using data analytic software (Excel, ACL, IDEA) FraudResourceNet (FRN) is the only searchable portal of practical, expert fraud prevention, detection and audit information on the Web. FRN combines the high quality, authoritative anti-fraud and audit content from the leading providers, AuditNet ® LLC and White-Collar Crime 101 LLC/FraudAware. The two entities designed FRN as the “go-to”, easy-to-use source of “how-to” fraud prevention, detection, audit and investigation templates, guidelines, policies, training programs (recorded no CPE and live with CPE) and articles from leading subject matter experts. FRN is a continuously expanding and improving resource, offering auditors, fraud examiners, controllers, investigators and accountants a content-rich source of cutting-edge anti-fraud tools and techniques they will want to refer to again and again.

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

NowSecure

Andrew Hoog, founder of NowSecure, gave a presentation on managing third-party mobile app risk in healthcare. He discussed how BYOD and use of personal devices is common in healthcare despite risks. Analysis of top hospitals found on average 89 apps per device, representing over 2 million potential points of risk. Analysis of medical apps found many had significant security issues putting patient data at risk. Hoog advocated for vetting all third-party apps used through tools like NowSecure to identify and remedy security issues in order to better manage third-party mobile app risk.

COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES

IJNSA Journal

The purpose of this paper is to present a comprehensive budget conscious security plan for smaller enterprises that lacksecurity guidelines.The authors believethis paper will assist users to write an individualized security plan. In addition to providing the top ten free or affordable tools get some sort of semblance of security implemented, the paper also provides best practices on the topics of Authentication, Authorization, Auditing, Firewall, Intrusion Detection & Monitoring, and Prevention. The methods employed have been implemented at Company XYZ referenced throughout.

Splunk Webinar Best Practices für Incident Investigation

Georg Knon

The document discusses best practices for incident investigation using Splunk, including collecting data from various sources like network traffic, endpoints, user activity, and threat intelligence. Effective investigation requires visibility into who and what communicated on the network, running processes, file system changes, and privileged access on endpoints. The goal is to quickly scope infections and disrupt breaches by understanding attack intent, lateral movement, and exfiltration through correlation of different data sources.

Similar to DREAD for a Startup - Ernit Architecture Example (20)

Next generation security analytics

Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...

ProActive Security

Cloak and Dagger Attacks - Android

Mobile app development | CHOICE OF TECHNOLOGY

CASE STUDY - Ironclad Messaging & Secure App Dev for Regulated Industries

Practical iOS App Security

Conf2013 bchristensen thebig_t

How Allegiant Air Solved Their PCI Problem and Got a Whole Lot Better Securit...

Vetting Mobile Apps for Corporate Use: Security Essentials

Using automation to improve the effectiveness of security operations

Healthcare fraud detection

Securing Your Business

5 Mobile App Security MUST-DOs in 2018

Forcepoint: Technická opatření pro ochranu osobních údajů (a citlivých dat) z...

Uncovering Fraud in Key Financial Accounts using Data Analysis

Mobile Apps & Connected Healthcare: Managing 3rd-Party Mobile App Risk

COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES

Splunk Webinar Best Practices für Incident Investigation

More from Amandeep Midha

RFC 7807 - Communicating the Problem

Amandeep Midha

This document discusses communication challenges in API economies and proposes solutions using RFC 7807. It outlines issues like protection, documentation and integration for internal/partner APIs as well as composition and modification for service APIs. RFC 7807 proposes including a type, title, status and detail in error responses to provide more context than HTTP status codes alone. It gives an example implementation from Zalando and discusses extending responses dynamically while maintaining security.

Ernit Product Introduction

Amandeep Midha

This document introduces ERNIT, the world's first smart piggy bank. It discusses ERNIT's goal of teaching children the value of money through a connected piggy bank and app. The app and piggy bank work together to teach financial lessons appropriate for different age groups from 4-15 years old. ERNIT sees the opportunity to partner with technology companies to further develop its IoT, security, connectivity, and data protection capabilities to create a learnable, secure, and API-enabled platform. It calls for collaboration in areas like messaging protocols, efficient data transfer, security chips, and child data protection to realize its technology vision.

Finding IT-job in Denmark as an Expat

Amandeep Midha

This document provides advice for finding an IT job in Denmark as an expat based on the author's experiences. It notes that job application responses are slow, experience rather than skills are emphasized, and most jobs are at small-medium enterprises. Networking on LinkedIn and meeting people in person are important. The author details their experience going through a host matching program, where they refined their resume and application process over meetings. Getting an initial job took over 6 months of dedicated searching, but networking and expanding skills were key to eventually finding a position.

La hiTapiola-31.10. Avanto (1)

Amandeep Midha

This document outlines the schedule and details for a REDI Living Lab event hosted by Avanto Ventures at LähiTapiola from 19-23 September 2016. Teams will work throughout the week to develop digital startup concepts, with coaching from Avanto. On Friday, teams will demo their ideas to a jury for the chance to be announced as the winner. The jury will evaluate ideas based on innovation, potential for execution, and business impact. General event information like meals, smoking areas and ID badge requirements are also provided.

Barclays Final Lookbook Edited 8_31

Amandeep Midha

Risk Management In Software Product Development

Amandeep Midha

The document discusses risk management in software product development. It presents the results of a study with three key findings: 1. 91% of respondents felt that scope and schedule-related risks must be considered. 2. 73% said dependent delivery of product components is a risk that requires consideration. 3. H0, that identifying and managing risks cannot avoid project failures, was disproved as over 90% of respondents felt identifying risks is important.

Business Ethics International Perspective

Amandeep Midha

This document summarizes key topics in international business ethics, including: 1) The field of business ethics approaches issues from both normative and descriptive perspectives. 2) Globalization has increased interest in business ethics due to issues like outsourcing and supply chain management. 3) Multinational companies face challenges in determining ethical standards when home and host country standards differ. Guidelines focus on respecting human rights, welfare, and justice. 4) Other issues discussed include exploiting workers through low wages, foreign bribery, and addressing cultural differences in business practices.

More from Amandeep Midha (7)

RFC 7807 - Communicating the Problem

Ernit Product Introduction

Finding IT-job in Denmark as an Expat

La hiTapiola-31.10. Avanto (1)

Barclays Final Lookbook Edited 8_31

Risk Management In Software Product Development

Business Ethics International Perspective

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/ DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen! Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell. Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten. Diese Themen werden behandelt - Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten - Wie funktionieren CCB- und CCX-Lizenzen wirklich? - Verstehen des DLAU-Tools und wie man es am besten nutzt - Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw. - Praxisbeispiele und Best Practices zum sofortigen Umsetzen

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Safe Software

Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency. During the hour, we’ll take you through: Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board. Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes. Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI. We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI. This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

Serial Arm Control in Real Time Presentation

tolgahangng

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

Speck&Tech

ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune. Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile. BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Introduction to CHERI technology - Cybersecurity

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU

Communications Mining Series - Zero to Hero - Session 1

20240609 QFM020 Irresponsible AI Reading List May 2024

20240607 QFM018 Elixir Reading List May 2024

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Artificial Intelligence for XMLDevelopment

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Driving Business Innovation: Latest Generative AI Advancements & Success Story

Mariano G Tinti - Decoding SpaceX

Serial Arm Control in Real Time Presentation

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Video Streaming: Then, Now, and in the Future

Pushing the limits of ePRTC: 100ns holdover for 100 days

Cosa hanno in comune un mattoncino Lego e la backdoor XZ?

TrustArc Webinar - 2024 Global Privacy Survey

DREAD for a Startup - Ernit Architecture Example

1. GOOD OLD DREAD FOR A STARTUP AMANDEEP MIDHA ERNIT APS

2. GOOD OLD DREAD FOR A STARTUP - ERNIT APS WHAT IS YOUR WHY? ▸ Why are you here ? ▸ Why you care for security ? ▸ After all what is there for secure ? ▸ What the fuss it is all about ? ▸ Is it really needed ? ▸ What is net yield of my efforts to secure ?

3. ASSESSMENT ≠ ACTIONS GOOD OLD DREAD FOR A STARTUP - ERNIT APS

4. GOOD OLD DREAD FOR A STARTUP - ERNIT APS DREAD ▸ Damage Potential ▸ Reproducibility ▸ Exploitability ▸ Affected Users ▸ Discoverability Risk = (Reproducibility + Exploitability) x (Damage Potential + Affected Users + Discoverability)

5. GOOD OLD DREAD FOR A STARTUP - ERNIT APS INTRODUCTION TO ERNIT (Q2, ’17 OFFERING) ▸ Physical IoT PiggyBank connected to Internet ▸ App available on Appstore with Parent Proﬁle as Primary user, and Child login as sub-account accessible with PIN ▸ App user proﬁle optionally connected to Bank Account

6. APPLYING DREAD AT ERNIT ▸ Application Threat Modelling ▸ Entry Points i.e. each HTTP / HTTPS endpoint ▸ Assets i.e. Kid, Adult, Goal images ▸ Trust Levels i.e. Parent, Patron, Kid ▸ External Dependencies GOOD OLD DREAD FOR A STARTUP - ERNIT APS

7. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 1. THREAT RANKING ▸ Threat Ranking Type Security Aspect Spooﬁng Authentication Tampering Data Integrity Repudiation Non-repudiation Inf Disclosure Conﬁdentiality Denial of Service Availability Elevation of Privilege Authorization

8. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 2. AUTHENTICATION & CORRECTIVE ACTIONS ▸ Log every attempt ▸ Log every 401 ▸ Implement Blockout Strategy

9. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 3. ACCESS CONTROL - CORRECTIVE ACTIONS ▸ All POST / PUT /PATCH API calls to server must deﬁne the span of control of such operations limited to User’s data graph (and no more for users and kids he is not associated with )

10. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 4. COMMAND INJECTION CORRECTIVE ACTIONS ▸ Mostly a cloud service provider makes the claim to prevent ▸ Having appropriate ORM and avoiding raw SQL as much as possible ▸ Deﬁne your “Known bad inputs”

11. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 5. SESSION MANAGEMENT & CORRECTIVE ACTIONS ▸ Alert: UX versus Security Fights Expected Most Here ▸ Deﬁne ▸ when to invalidate app user session ▸ when to block user access ▸ checks to verify token abuse attempt ▸ when forced token invalidation should happen

12. GOOD OLD DREAD FOR A STARTUP - ERNIT APS 6. SECURE DATA TRANSMISSION & CORRECTIVE ACTIONS ▸ Identify Data to Encrypt ▸ Proper Encryption Implementation ▸ Pig-Server Communication ▸ App-Server Communication ▸ Server-GW-Bank Communication

13. GOOD OLD DREAD FOR A STARTUP - ERNIT APS SOME OTHER COUNTER MEASURES ▸ TAMPERING ▸ All PUT/PATCH API call implementations to check if action is valid on set of data, before making the action ▸ Goes hand-in-hand with “Elevation of Privilege” threat ▸ INFORMATION DISCLOSURE ▸ Have your invitation module, not send out excessive inviting user information, and invitee to begin from “apply to access” ▸ DENIAL OF SERVICE ▸ Appropriate Rate Limiting of your Backend APIs as part of Implementation

14. GOOD OLD DREAD FOR A STARTUP - ERNIT APS ERNIT Q3, 2017 AES COPPA Compliant Image store

15. GOOD OLD DREAD FOR A STARTUP - ERNIT APS ERNIT SECURITY - ROAD AHEAD ▸ UL2900-1 being studied by consortium of ERNIT, Delta Systems, Eﬁcode, and Alexandra Institute ▸ Vulnerability Assessment & Port Scanning Completed ▸ Audit-ability of each PI item as digital audit of GET endpoints (GDPR Compliance) ▸ More Details by Q4, 2017

DREAD for a Startup - Ernit Architecture Example

Recommended

Recommended

More Related Content

What's hot

What's hot (6)

Similar to DREAD for a Startup - Ernit Architecture Example

Similar to DREAD for a Startup - Ernit Architecture Example (20)

More from Amandeep Midha

More from Amandeep Midha (7)

Recently uploaded

Recently uploaded (20)

DREAD for a Startup - Ernit Architecture Example