The document discusses effective approaches to web application security. It emphasizes techniques that are simple yet effective, such as making things safe by default through early encoding of dangerous HTML characters. It also stresses focusing security efforts by automatically detecting changes to sensitive code and functionality through hashing and alerts, in order to quickly review any newly introduced risks from continuous deployment.
Security testing is deemed successful when the following attributes of an application are intact:
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and the cost of quality. Security testing must start right from the requirements-gathering phase to make sure that the quality of the end product is high.
This is to ensure that any intentional or unintentional unforeseen action does not halt or delay the system.
This presentation provides basic information about Cloud APIs and Cloud Frameworks. Most of the resources shared here include links for further reading. The presentation has minimal content because it is meant to be a presentation copy rather than reading material. You can contact me for more information by following the links provided on the last slide.
Communication in a Microservice Architecture - Per Bernhardt
There are many different approaches to how you let your microservices communicate with one another. Be it asynchronous or synchronous, choreographed or orchestrated, eventually consistent or distributed-transactional, fault tolerant or just a mess! In this session I will provide an overview of different concepts of microservice communication and their pros and cons. On the way I'll try to throw in some anecdotes, success stories and failures I learned from, so that you can hopefully take something home with you.
How to build security into the DevOps environment. Introduction to DevSecOps for DevOps / Agile enthusiasts and practitioners. Presented on Czech DevOps meet-up.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
The Multiplatform App Architecture offers the possibility to create mobile applications for multiple mobile platforms and at the same time offer the flexibility to use all native functionality of the mobile operating systems to realize an optimal user experience. Combined with a powerful development environment and a comprehensive programming language it offers an excellent way to develop and maintain rich mobile applications.
Capgemini helps customers to achieve mobile excellence and realizes mobile applications in an agile way using this architecture.
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Service Mesh with Apache Kafka, Kubernetes, Envoy, Istio and Linkerd - Kai Wähner
Microservice architectures are not a free lunch! Microservices need to be decoupled, flexible, operationally transparent, data aware and elastic. Most material from recent years only discusses point-to-point architectures with inflexible and non-scalable technologies like REST / HTTP. This video takes a look at cutting-edge technologies like Apache Kafka, Kubernetes, Envoy, Linkerd and Istio to implement a cloud-native service mesh that solves these challenges and brings microservices to the next level of scale, speed and efficiency.
Key takeaways:
- Apache Kafka decouples services, including event streams and request-response
- Kubernetes provides a cloud-native infrastructure for the Kafka ecosystem
- Service Mesh helps with security and observability at ecosystem / organization scale
- Envoy and Istio sit in the layer above Kafka and are orthogonal to the goals Kafka addresses
Blog post: http://www.kai-waehner.de/blog/2019/09/24/cloud-native-apache-kafka-kubernetes-envoy-istio-linkerd-service-mesh
Video recording of this slide deck: https://youtu.be/Us_C4RFOUrA
This presentation explains the three-layer API design that organisations can use to get the most out of their systems, with less development and maintenance time spent on fixing issues across the organisation.
OWASP DefectDojo - Open Source Security Sanity - Matt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Misconfiguration is defined as a configuration mistake that results in unintended application behavior, including misuse of default passwords and privileges, and excessive disclosure of debugging information.
Bridging the Security Testing Gap in Your CI/CD Pipeline - DevOps.com
Are you struggling with application security testing? Do you wish it was easier, faster, and better? Join us to learn more about IAST, a next-generation application security tool that provides highly accurate, real-time vulnerability results without the need for application or source code scans. Learn how this nondisruptive tool can:
- Run in the background and report vulnerabilities during functional testing, CI/CD, and QA activities.
- Auto-verify, prioritize and triage vulnerability findings in real time with 100% confidence.
- Fully automate secure app delivery and deployment, without the need for extra security scans or processes.
- Free up DevOps resources to focus on strategic or mission-critical tasks and contributions.
This presentation will give you an idea of secure coding practices. The points mentioned here are, I would say, the minimum you should consider while developing an application.
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released?
Traditional application security tools, which require lengthy periods of configuration, tuning and application learning, have become irrelevant in these fast-paced environments. Yet falling back only on the secure coding practices of the developer cannot be tolerated.
Secure coding requires a new approach where security tools become part of the development environment – and eliminate any unnecessary overhead. By collaborating with development teams, understanding their needs and requirements, you can pave the way to a secure deployment in minutes.
Implementing an Application Security Pipeline in Jenkins - Suman Sourav
Performing continuous security testing in a DevOps environment with short release cycles and a continuous delivery pipeline is a big challenge, and the traditional secure SDLC model fails to deliver the desired results. DevOps teams understand the build, test and deploy process. They have largely automated it in a delivery pipeline and deploy to production multiple times per day, but the big challenge is how they can do this securely.
This session will focus on a strategy to build an application security pipeline in Jenkins, the challenges and possible solutions, and how existing application security solutions (SAST, DAST, IAST, open-source library analysis) play a key role in growing the relationship between security and DevOps.
Building an Open Source AppSec Pipeline - Matt Tesauro
Take the concepts of DevOps and apply them to AppSec and you have an AppSec Pipeline. Use automation, orchestration and some ChatOps to expand the flow of your AppSec team, since it's not likely to get any bigger.
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal - Threat Stack
Deploying insecure web applications into production can be risky, resulting in potential loss of customer data, corporate intellectual property and/or brand value. Yet many organizations still deploy public-facing applications without assessing them for common and easily exploitable vulnerabilities such as SQL Injection and Cross-Site Scripting (XSS).
This is because traditional approaches to application security are typically complex, manual and time-consuming – deterring agile teams from incorporating code analysis into their sprints.
But it doesn’t have to be that way. By incorporating key SecDevOps concepts into the Software Development Lifecycle (SDLC) – including centralized policies and tighter collaboration and visibility between security and DevOps teams – we can now embed continuous code-level security and assessment into our agile development processes. We’ve uncovered eight patterns that work together to transform cumbersome waterfall methodologies into efficient and secure agile development.
Building an AppSec Pipeline: Keeping your program, and your life, sane - weaveraaaron
Are you currently running an AppSec program? AppSec programs fall into an odd middle ground: highly technical interactions with the dev and ops teams, yet a practical business focus is required as you go up the org chart. How can you keep your far too small team efficient while making sure you meet the needs of the business, all while making sure you're catching vulnerabilities as early and often as possible?
The AppSec team and the business created an AppSec Pipeline to handle the workflow. The pipeline starts with "Bag of Holding", an open source web application which helps automate and streamline the activities of your AppSec team. At the end of the pipeline is ThreadFix to manage all the findings from all the sources. Finally, we incorporated a chatbot to tie all the information into one place.
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better - Matt Tesauro
Slide deck from AppSec California 2016 + some additional slides.
Abstract:
How many applications are in your company's portfolio? What's the headcount for your AppSec team? Whatever your situation is, I am sure the numbers are not in your favor. It's not time to find a new career, it's time to up your game. This talk will cover how to take your small merry band of AppSec professionals and scale it up to a virtual army. By taking the best of DevOps, Agile and CI/CD, you can iteratively up your AppSec game over time and begin your ascent out of the security hole you are in.
The talk covers real-world experiences running AppSec groups at two different companies: Rackspace with approximately 4,000+ employees and Pearson with 40,000+. Both have an international presence and far more apps and developers than AppSec staff. The talk covers the key principles to speed and scale up AppSec programs using an AppSec Pipeline, as well as practical examples of these practices put into use. Start early and begin to buy down the technical security debt which feels inevitable with more traditional AppSec program thinking.
AppSec Pipelines and Event based Security - Matt Tesauro
Presented at AppSec California 2017, this is a continuation of earlier talks about AppSec Pipelines and demonstrates 1st and 2nd Gen Pipelines, how OWASP is creating a pipeline for its projects and how several companies have benefited from combining DevOps, Agile, CI/CD and Security into an AppSec Pipeline to move beyond traditional AppSec testing.
This is my keynote for AppSec California 2015. In it I discuss how application security is taking over all areas of security and how we need to change how we build and deploy security tools as a result.
Here is the video of me giving the talk:
https://www.youtube.com/watch?v=-1kZMn1RueI
Application Security Epistemology in a Continuous Delivery World - James Wickett
CD Summit - Austin, from DevOps Connect
Desc:
Over the years, application security (appsec) has made progress, but it has also made some considerable missteps. Appsec focuses almost solely on developer awareness and secure development training as remediation. This isn't sustainable and arguably does little good. There is a better way, but we have to separate ourselves from the core assumptions that got us here.
http://www.devopsconnect.com/events/cd-summit-austin/
The AWS platform offers a rich set of capabilities that customers can leverage to better control application state, configuration, and supporting infrastructure throughout the service lifecycle, all while operating with security best practices such as audit and accountability, access control, change review and governance, and systems integrity. We will showcase and discuss design patterns for using these capabilities in synergy with fast-paced and agile application development methodologies, such as DevOps, to achieve an integrated security operations program.
libinjection: from SQLi to XSS by Nick Galbreath - CODE BLUE
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks in user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, it does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, it is available on GitHub under a free license.
Nick Galbreath
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, he was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of "Cryptography for Internet and Database Applications" (Wiley). Previous speaking engagements have been at Black Hat, Def Con, DevOpsDays and other OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.
In 2013
- LASCON http://lascon.org/about/, Keynote Speaker Austin, Texas USA
- DevOpsDays Tokyo, Japan
- Security Development Conference (Microsoft) San Francisco, CA, USA
- DevOpsDays Austin, Texas, USA
- Positive Hack Days http://phdays.com, Moscow Russia
- RSA USA, San Francisco, CA, speaker and panelist
In 2012
- DefCon
- BlackHat USA
- Others
Slides from presentation delivered at InfoSecWeek in London (Oct 2016) about making developers more productive, embedding security practices into the SDL and ensuring that security risks are accepted and understood.
The focus is on the Dev part of SecDevOps, and on the challenges of creating Security Champions for all DevOps stages.
Building a Modern Security Engineering Organization - Zane Lackey
Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk will discuss how security adapts effectively to these changes, specifically covering:
- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment
In this webinar, 451 Research Director Wendy Nather and NT OBJECTives co-CEO and CTO Dan Kuykendall discuss how to scale your application security program to address hundreds or thousands of applications and how to avoid the common technology and process pitfalls.
More info and recording: http://www.ntobjectives.com/go/scaling-web-application-security-scanning
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. The talk will include example attacks and simple config changes that could make all the difference. Devs, infrastructure sec, CISOs: come one, come all.
Some of the most famous information breaches of the past few years have been the result of entry through embedded and IoT system environments. Often these breaches result from unexpected system architecture and service connectivity on the network that allows an attacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Bringing Security Testing to Development: How to Enable Developers to Act as ... - Achim D. Brucker
Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle.
We will present SAP's Security Testing Strategy, which enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it and how we enable global development teams to implement the strategy across different SDLCs, and report on our experiences.
RIoT (Raiding Internet of Things) by Jacob Holcomb - Priyanka Aash
The recorded version of the 'Best Of The World Webcast Series' [Webinar] in which Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
The Best Of The World Webcast Series consists of webinars where breakthrough/original security researchers showcase their studies, offering CISOs and security experts the best insights in information security.
To sign up (it's free): www.cisoplatform.com
Information Security: Advanced SIEM Techniques - ReliaQuest
Joe Parltow, CISO, ReliaQuest (www.reliaquest.com) - We've all heard it before: SIEM is dead, defense is boring, logs suck, etc. The fact is, having total visibility into what's happening on your network is absolutely necessary and keeps you from having to answer questions like "How did you not know we were compromised for the past 6 months!" This talk focuses on advanced tips and tricks you can implement with your SIEM to give you better visibility into all areas of your environment. It also includes top secret, 1337 (ok, maybe just average) code snippets.
In this webinar, 451 Research Director Wendy Nather and NT OBJECTives co-CEO and CTO Dan Kuykendall discuss how to scale your application security program to address hundreds or thousands of applications and how to avoid the common technology and process pitfalls:
Recorded version: http://www.ntobjectives.com/go/scaling-web-application-security-scanning
Discussion on how to deliver vulnerability management at scale.
Why full-stack vulnerability management is important and why silos of security are an issue. The pitfalls of delivering thousands of assessments on a continuous basis. How edgescan delivers vulnerability intelligence.
When your security tools fail you, and what you can do about it. This talk discusses actual tool-failure backgrounds, what failed, and what you can do to detect and/or mitigate the issue(s) another way.
The quality of the software code shipped for a given product translates not only into its functional quality but also into its non-functional aspects, such as security. Many of the issues in code can be addressed well before they reach SCM.
IBWAS 2010: Web Security From an Auditor's Standpoint - Luis Grangeia
In this talk I will attempt to share my experience of over 10 years conducting Web Application security assessments. I will present the current panorama of Web application security practices and talk about what we are doing well and how we can do better. Also, Web 2.0 has sparked a "social revolution" of the Web; how can security benefit from that revolution?
Presented at https://www.owasp.org/index.php/OWASP_IBWAS10
DevOps and Testing slides at DASA Connect - Kari Kakkonen
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. The constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security as an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
2. Who am I?
• Co-Founder / CSO at Signal Sciences
• Built and led the Etsy Security Team
• Prior to that, offensive research and penetration testing @ iSEC Partners

3. About this talk
Real world approaches to web application security challenges

4. About this talk
Specifically, techniques that are simple and effective

13. Being able to deploy quick is our #1 security feature

14. Compared to
“We’ll rush that security fix. It will go out … in about 6 weeks.”
- Former vendor at Etsy

15. What it boils down to (spoiler alert)
• Make things safe by default
• Detect risky functionality / Focus your efforts
• Automate as much as you can
• Know when the house is burning down

17. How have the traditional defenses for XSS worked out?

19. Safe by default
• Problems?
  – Often done on a per-input basis
    • Easy to miss an input or output
  – May use defenses in wrong context
    • Input validation pattern may block full HTML injection, but not injecting inside JS
  – May put defenses on the client side in JS
  – Etc …
These problems miss the point

20. Safe by default
• The real problem is that it’s hard to find where protections have been missed
• How can we change our approach to make it simpler?

23. Safe by default
Encode dangerous HTML characters to HTML entities at the very start of your framework
To repeat… Before input reaches main application code

24. Safe by default
On the surface this doesn’t seem like much of a change

25. Safe by default
Except, we’ve just made lots of XSS problems grep-able

27. Safe by default
Now we look for a small number of patterns:
• HTML entity decoding functions or explicit string replacements
• Data in formats that won’t be sanitized
  – Ex: Base64 encoded, double URL encoded, etc
• Code that opts out of platform protections

28. Safe by default
Fundamentally shifts us:
From: “Where is my app missing protections?” (hard)
To: “Where is it made deliberately unsafe?” (easy)

29. Safe by default
Obviously not a panacea
  – DOM based XSS
  – Javascript: URLs
  – Can be a pain during internationalization efforts
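As an added Python illustration (not code from the talk), the two halves of this approach: entity-encoding every request parameter at the framework entry point, and a grep-style scan for the small set of opt-out patterns listed on slide 27. The function names and patterns are assumptions for a Python code base; a PHP shop would list html_entity_decode() and friends instead.

```python
import html
import re

def encode_request_params(params):
    """Safe by default: entity-encode <, >, &, " and ' in every parameter value
    before the main application code ever sees the request (framework entry point)."""
    return {k: [html.escape(v, quote=True) for v in vals] for k, vals in params.items()}

# Patterns that mark code as "made deliberately unsafe": decoding functions, explicit
# reversal of the encoding, or data in formats the entry point cannot see inside
# (base64, double URL encoding). Names are assumed for a Python code base.
OPT_OUT_PATTERNS = {
    "entity decode": re.compile(r"\b(html\.unescape|html_entity_decode|htmlspecialchars_decode)\s*\("),
    "manual replace": re.compile(r"""\.replace\(\s*['"]&(lt|gt|amp|quot|#x27);"""),
    "opaque encoding": re.compile(r"\b(b64decode|base64_decode|unquote\(unquote)\b"),
}

def find_opt_outs(source, filename="<src>"):
    """Return (filename, line number, pattern name, line text) for every suspicious line;
    each hit is a place to review, not a confirmed bug."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pat in OPT_OUT_PATTERNS.items():
            if pat.search(line):
                hits.append((filename, lineno, name, line.strip()))
    return hits

# Constructed sample source to scan (not real application code).
SAMPLE_SOURCE = """\
def render_bio(req):
    bio = req.params["bio"][0]                     # already entity-encoded at entry
    return template("bio.html", bio=bio)

def legacy_preview(req):
    raw = html.unescape(req.params["body"][0])     # opts out of the platform protection
    return raw.replace("&lt;", "<")                # and undoes it a second way

def import_blob(req):
    return base64.b64decode(req.params["blob"][0]) # entry point cannot see inside this
"""

if __name__ == "__main__":
    for hit in find_opt_outs(SAMPLE_SOURCE, "views.py"):
        print("%s:%d [%s] %s" % hit)
```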
31. Focus your efforts
• Continuous deployment means code ships fast
• Things will go out the door before security team knows about them
• How can we detect high risk functionality?

32. Detect risky functionality
• Know when sensitive portions of the codebase have been modified
• Build automatic change alerting on the codebase
  – Identify sensitive portions of the codebase
  – Create automatic alerting on modifications

33. Detect risky functionality
• Doesn’t have to be complex to be effective
• Approach:
  – sha1sum sensitive platform level files
  – Unit tests alert if hash of the file changes
  – Notifies security team on changes, drives code review

34. Detect risky functionality
• At the platform level, watching for changes to site-wide sensitive functionality
  – CSRF defenses
  – Session management
  – Encryption wrappers
  – Login/Authentication
  – Etc

35. Detect risky functionality
• At the feature level, watching for changes to specific sensitive methods
• Identifying these methods is part of initial code review/pen test of new features

36. Detect risky functionality
• Watch for dangerous functions
• Usual candidates:
  – File system operations
  – Process execution/control
  – Encryption / Hashing
  – Etc

37. Detect risky functionality
• Unit tests watch codebase for dangerous functions
  – Split into separate high risk/low risk lists
• Alerts are emailed to the appsec team, drive code reviews
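An added Python sketch (not Etsy’s code) of the slide 33 and slide 37 checks together: a pinned-hash manifest that a unit test compares against the checked-in tree, and a high risk / low risk scan for dangerous function calls. The file names, pinned contents and function lists are constructed for the example.

```python
import hashlib
import re
from pathlib import Path

def sha1_of(data):
    """sha1sum of a file's bytes (sha1 is a change detector here, not a security primitive)."""
    return hashlib.sha1(data).hexdigest()

def read_tree(root, rel_paths):
    """Hash the watched files under root; a missing file hashes as None and also alerts."""
    hashes = {}
    for rel in rel_paths:
        p = Path(root) / rel
        hashes[rel] = sha1_of(p.read_bytes()) if p.is_file() else None
    return hashes

def changed_files(manifest, current):
    """Files whose hash no longer matches the pinned one: the unit test fails on these
    and the failure mail drives a code review of the diff."""
    return sorted(rel for rel, pinned in manifest.items() if current.get(rel) != pinned)

# Dangerous-function watch, split into the two lists of slide 37. Python names are
# assumed for this example; a PHP code base would list exec(), eval(), fopen(), ...
HIGH_RISK = re.compile(r"\b(os\.system|subprocess\.(run|Popen|call)|eval|exec|pickle\.loads)\s*\(")
LOW_RISK = re.compile(r"\b(open|shutil\.(copy|move|rmtree)|hashlib\.(md5|sha1))\s*\(")

def dangerous_calls(files):
    """files: {path: source text}. Returns {'high': [...], 'low': [...]} of (path, line, text)."""
    hits = {"high": [], "low": []}
    for path, source in files.items():
        for n, line in enumerate(source.splitlines(), 1):
            if HIGH_RISK.search(line):
                hits["high"].append((path, n, line.strip()))
            elif LOW_RISK.search(line):
                hits["low"].append((path, n, line.strip()))
    return hits

# Constructed fixtures: the manifest pinned at the last review, and the tree as it is now.
PINNED = {"lib/csrf.py": sha1_of(b"def check_token(req): ...\n"),
          "lib/session.py": sha1_of(b"def load_session(req): ...\n")}
CURRENT_TREE = {"lib/csrf.py": b"def check_token(req): ...\n",
                "lib/session.py": b"def load_session(req):\n    return None  # TODO\n"}
SAMPLE_FILES = {"app/export.py": "import subprocess\n"
                                 "subprocess.run(['tar', '-cf', out, src])\n"
                                 "f = open(path)\n"}
```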
38. Detect risky functionality
• Find out about unused but reachable pages
• Any files still reachable but barely requested are probably old or “temporary” code
  – aka a goldmine of vulnerabilities

39. Detect risky functionality
1. Walk DocumentRoot, build list of files
2. Compare each file against access log
3. Alert on any files accessed < X times in last 30 days
Identified files are worth a manual review, can likely be removed entirely
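The three steps above as an added Python example (not the talk’s own script): walk DocumentRoot, count hits per path from the access log over the last 30 days, and flag files under the threshold. The DocumentRoot listing and log lines are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

# Combined-log-style line: only the timestamp and the request target are needed.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

def hits_per_path(log_lines, now, days=30):
    """Step 2 input: requests per URL path (query string stripped) in the last `days` days."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if ts >= cutoff:
            counts[urlsplit(m.group("target")).path] += 1
    return counts

def walk_docroot(docroot):
    """Step 1: every file under DocumentRoot expressed as the URL path that reaches it."""
    root = Path(docroot)
    return ["/" + p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]

def stale_files(url_paths, counts, threshold):
    """Steps 2-3: reachable files requested fewer than `threshold` times in the window."""
    return sorted(p for p in url_paths if counts.get(p, 0) < threshold)

# Constructed fixtures (not real data): what walk_docroot() would return, and an access log.
NOW = datetime(2012, 8, 1, 16, 37, 41, tzinfo=timezone.utc)
DOCROOT_FILES = ["/index.php", "/members.php", "/admin/debug_old.php", "/tmp/upload_test.php"]
ACCESS_LOG = [
    '10.0.0.1 - - [01/Aug/2012:16:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Aug/2012:16:01:00 +0000] "GET /index.php?ref=home HTTP/1.1" 200 512',
    '10.0.0.3 - - [31/Jul/2012:09:00:00 +0000] "GET /members.php HTTP/1.1" 200 2048',
    '10.0.0.4 - - [30/Jul/2012:12:00:00 +0000] "GET /members.php HTTP/1.1" 200 2048',
    '10.0.0.5 - - [15/Jun/2012:12:00:00 +0000] "GET /admin/debug_old.php HTTP/1.1" 200 99',
    '10.0.0.6 - - [20/Jul/2012:03:14:00 +0000] "GET /tmp/upload_test.php HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    counts = hits_per_path(ACCESS_LOG, NOW)
    for path in stale_files(DOCROOT_FILES, counts, threshold=2):
        print("review/remove:", path, "hits in 30 days:", counts.get(path, 0))
```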
40. Detect risky functionality
• Monitor application traffic
• Purpose is twofold:
  – Detecting risky functionality that was missed by earlier processes
  – Groundwork for attack detection and verification

41. Detect risky functionality
• Regex incoming requests at the framework
  – Sounds like performance nightmare, shockingly isn’t
• Look for HTML/JS in request
  – This creates a huge number of false positives
    • That’s by design, we refine the search later

42. Detect risky functionality
• We deliberately want to cast a wide net to see HTML entering the application
• From there, build a baseline of HTML
  – Entering the application in aggregate
  – Received by specific endpoints

43. Detect risky functionality
What to watch for:
  – Did a new endpoint suddenly show up?
    • A new risky feature might’ve just shipped
  – Did the amount of traffic containing HTML just significantly go up?
    • Worth investigating
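Slides 41 to 43 as one added Python example (not the talk’s framework code): a deliberately wide regex over request parameters, a per-endpoint count of HTML-bearing requests, and a comparison against a baseline that answers the two questions above. The endpoints, baseline numbers and requests are constructed.

```python
import re
from collections import Counter

# Deliberately broad, as the slides say: tag-like text, javascript: URLs, on*= handlers.
# Many false positives are expected; the baseline below is what turns noise into signal.
HTML_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def html_requests_per_endpoint(requests):
    """requests: iterable of (endpoint, {param: value}). Count, per endpoint, the requests
    in which at least one parameter value matches the wide net."""
    return Counter(ep for ep, params in requests
                   if any(HTML_RE.search(v) for v in params.values()))

def compare_to_baseline(baseline, current, ratio=2.0):
    """Slide 43's two questions: which endpoints receiving HTML are new since the baseline,
    and where (per endpoint, and in aggregate) did HTML-bearing traffic grow by `ratio`."""
    new_endpoints = sorted(ep for ep in current if ep not in baseline)
    spikes = sorted(ep for ep, n in current.items()
                    if ep in baseline and n >= ratio * baseline[ep])
    total_then, total_now = sum(baseline.values()), sum(current.values())
    return {"new_endpoints": new_endpoints, "spikes": spikes,
            "aggregate_spike": total_then > 0 and total_now >= ratio * total_then}

# Constructed fixtures: last window's baseline counts and this window's requests.
BASELINE = {"/listing/edit": 40, "/convo/send": 10}
CURRENT_REQUESTS = (
    [("/listing/edit", {"description": "<b>hand made</b> mug"})] * 5
    + [("/convo/send", {"message": "see <img src=cat.jpg> for the glaze"})] * 25
    + [("/profile/bio", {"bio": "<i>potter</i> from Ohio"})] * 3
    + [("/search", {"q": "blue mug"})] * 100
)

if __name__ == "__main__":
    print(compare_to_baseline(BASELINE, html_requests_per_endpoint(CURRENT_REQUESTS)))
```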
46. Automate as much as you can
• Automate finding simple issues to free up resources for more complex tasks
• Use attacker traffic to automatically drive testing
• We call it Attack Driven Testing

47. Automate as much as you can
• Some cases where this is useful:
  – Application faults
  – Reflected XSS
  – SQLi

48. Automate as much as you can
• Application faults (HTTP 5xx errors)
• As an attacker, these are one of the first signs of weakness in an app
  – As a defender, pay attention to them!

49. Automate as much as you can
• Just watching for 5xx errors results in a lot of ephemeral issues that don’t reproduce
• Instead:
  – Grab last X hours worth of 5xx errors from access logs
  – Replay the original request
  – Alert on any requests which still return a 5xx

50. Automate as much as you can
• Cron this script to run every few hours
• If a request still triggers an application fault hours later, it’s worth investigating
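The 5xx replay loop of slides 49 and 50 as an added Python example (not the talk’s cron script): collect the distinct requests that faulted, replay them, and keep only those that still fault. The log excerpt is constructed, and the replay is parameterised by a fetch function so the stand-in fetch runs offline; http_fetch() is the stdlib version for the real job.

```python
import re
import urllib.error
import urllib.request
from collections import OrderedDict
from urllib.parse import urlsplit

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def faults_from_log(log_text):
    """Unique (method, target) pairs that returned a 5xx, in first-seen order.
    Only what the access log holds is replayed: method, path and query, no body."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("status").startswith("5"):
            seen.setdefault((m.group("method"), m.group("target")), None)
    return list(seen)

def still_faulting(requests, fetch):
    """Replay each request with fetch(method, target) -> status; keep those still 5xx.
    These are the reproducible faults worth a ticket; the rest were ephemeral."""
    return [(m, t) for m, t in requests if 500 <= fetch(m, t) <= 599]

def http_fetch(base_url):
    """A fetch() for the cron job, replaying against a staging host with the stdlib only."""
    def fetch(method, target):
        req = urllib.request.Request(base_url + target, method=method)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch

# Constructed access-log excerpt (not real traffic) for the last X hours.
ACCESS_LOG = """\
10.0.0.5 - - [01/Aug/2012:16:37:41 +0000] "GET /search?q=shoes HTTP/1.1" 500 0
10.0.0.6 - - [01/Aug/2012:16:38:02 +0000] "GET /members/twokb HTTP/1.1" 200 5120
10.0.0.7 - - [01/Aug/2012:16:40:10 +0000] "GET /search?q=shoes HTTP/1.1" 500 0
10.0.0.8 - - [01/Aug/2012:16:41:55 +0000] "POST /cart/add HTTP/1.1" 503 0
10.0.0.9 - - [01/Aug/2012:16:42:30 +0000] "GET /listing/42 HTTP/1.1" 502 0
"""

def fake_fetch(method, target):
    """Stand-in for the live replay: /search recovered, /cart/add is still broken."""
    return {"/cart/add": 503}.get(urlsplit(target).path, 200)

if __name__ == "__main__":
    print(still_faulting(faults_from_log(ACCESS_LOG), fake_fetch))  # [('POST', '/cart/add')]
```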
51. Automate as much as you can
• Similar methodology for verifying reflected XSS
• For reflected XSS we:
  – Identify requests containing basic XSS payloads
  – Replay the request
  – Alert if the XSS payload executed

52. Automate as much as you can
• Basic payloads commonly used in testing for XSS:
  – alert()
  – document.write()
  – unescape()
  – String.fromCharCode()
  – etc

53. Automate as much as you can
We created a tool to use NodeJS as a headless browser for verification

54. Automate as much as you can
Test webserver
1. Fetch URL containing potential XSS

55. Automate as much as you can
Test webserver
2. Page contents returned to a temp buffer, not interpreted yet

56. Automate as much as you can
Test webserver
3. Inject our instrumented JS into page contents
(diagram: Our JS + Page contents)

57. Automate as much as you can
Test webserver
4. Combination of instrumented JS + page contents interpreted
(diagram: Our JS + Page contents)

58. Automate as much as you can
Test webserver
5. If instrumented JS is executed, alert appsec team for review

59. Automate as much as you can
• Sample instrumented JS:
  (function() {
    var proxiedAlert = window.alert;
    window.alert = function() {
      location="XSSDETECTED";
    };
  })();

60. Automate as much as you can
• Open sourced NodeJS tool
  – https://github.com/zanelackey/projects
• Combine this approach with driving a browser via Watir/Selenium
  – Make sure to use all major browsers
66. Know when the house is burning down
• Methodology:
  – Instrument application to collect data points
  – Fire them off to an aggregation backend
  – Build individual graphs
  – Combine groups of graphs into dashboards
• We’ve open sourced our instrumentation library
  – https://github.com/etsy/statsd

71. Know when the house is burning down
Now we can visually spot attacks

72. Know when the house is burning down
But who’s watching at 4AM?

73. Know when the house is burning down
• In addition to data visualizations, we need automatic alerting
• Look at the raw data to see if it exceeds certain thresholds
• Works well for graphs like this…

77. Know when the house is burning down
• We need to smooth out graphs that follow usage patterns
• Use exponential smoothing formulas like Holt-Winters
• Math is hard, let’s look at screenshots!

79. Know when the house is burning down
• Now that we’ve smoothed out the graphs…
• Use the same approach as before:
  – Grab the raw data
  – Look for values above/below a set threshold
  – Alert
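Slides 77 and 79 as an added Python example (not Etsy’s alerting code): an additive Holt-Winters smoother over a metric with a daily usage pattern, followed by the same fixed-threshold check, now applied to the gap between the raw value and the smoothed expectation. The metric values, the smoothing constants and the threshold are constructed for the example.

```python
def holt_winters_forecasts(series, period, alpha=0.3, beta=0.1, gamma=0.1):
    """Additive Holt-Winters (level + trend + seasonal term of length `period`).
    Returns the one-step-ahead forecast for every point: forecasts[t] is what the
    smoothed model expected before it saw series[t]."""
    if len(series) < 2 * period:
        raise ValueError("need at least two full periods to initialise")
    level = sum(series[:period]) / period
    trend = (sum(series[period:2 * period]) - sum(series[:period])) / (period * period)
    season = [x - level for x in series[:period]]
    forecasts = []
    for t, x in enumerate(series):
        s = season[t % period]
        forecasts.append(level + trend + s)
        new_level = alpha * (x - s) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        season[t % period] = gamma * (x - new_level) + (1 - gamma) * s
        level = new_level
    return forecasts

def threshold_alerts(series, period, threshold, **kw):
    """Slide 79: grab the raw data, compare each point with its smoothed expectation,
    alert on the indices where the gap is above/below the set threshold."""
    forecasts = holt_winters_forecasts(series, period, **kw)
    return [t for t, (x, f) in enumerate(zip(series, forecasts)) if abs(x - f) > threshold]

# Constructed metric (not real data): failed logins per hour, three days of the same
# daily curve, with +100 injected at 03:00 on day 3. The spike value (110) is below
# the normal midday value (130), so a fixed threshold on the raw graph could never catch it.
DAILY = [20, 15, 10, 10, 10, 15, 30, 60, 90, 110, 120, 130,
         130, 125, 120, 110, 100, 90, 80, 70, 60, 45, 35, 25]
SERIES = DAILY * 3
SPIKE_AT = 2 * 24 + 3
SERIES[SPIKE_AT] += 100

if __name__ == "__main__":
    print(threshold_alerts(SERIES, period=24, threshold=50))  # [51]
```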
80. Know when the house is burning down
Have the ability to quickly/easily correlate events

81. Know when the house is burning down
• Global Request IDs
  <?php
  global $request_uuid;
  apache_note('request_uuid', $request_uuid);

82. Know when the house is burning down
[01/Aug/2012:16:37:41 +0000] "GET /members/twokb/payments HTTP/1.1" 200 "https://XXX/members/twokb" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11" MF9JqDVpY93VOMreyvI2UC24wRjT
[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX] [kbarry] about to call shop_get_data for shop: [5971709]
[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [XXX_audit] [kbarry] action="view_payments" staff="kbarry" user_id="5597626" section="payment_info"
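The correlation the request ID makes possible, as an added Python example (not the talk’s tooling): the access, application and audit lines carrying the same UUID are grouped into one trail, and the audit key/value pairs are parsed so sensitive sections can be queried. The lines are constructed after the slide 82 format, with the redacted site name replaced by a sample one.

```python
import re
from collections import defaultdict

# Three log sources keyed by the same request UUID, modelled on slide 82. Constructed
# lines; the ids, user and shop numbers are sample values, not real records.
ACCESS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3}) '
                       r'"[^"]*" "[^"]*" (?P<uuid>\S+)$')
APP_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<uuid>\w+)\] \[(?P<level>\w+)\] '
                    r'\[(?P<site>\w+)\] \[(?P<user>\w+)\] (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def index_by_request_id(lines):
    """Group access, application and audit log lines by the request UUID they carry."""
    by_id = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            by_id[m["uuid"]].append({"kind": "access", "request": m["req"], "status": m["status"]})
            continue
        m = APP_RE.match(line)
        if m:
            kind = "audit" if m["site"].endswith("_audit") else "app"
            entry = {"kind": kind, "user": m["user"], "msg": m["msg"]}
            entry.update(KV_RE.findall(m["msg"]))  # action="..." staff="..." pairs, if any
            by_id[m["uuid"]].append(entry)
    return dict(by_id)

def requests_touching(by_id, section):
    """Every request whose audit trail reached a sensitive section, with the staff user."""
    return sorted((rid, e["staff"]) for rid, entries in by_id.items()
                  for e in entries if e.get("section") == section)

LOG_LINES = [
    '[01/Aug/2012:16:37:41 +0000] "GET /members/twokb/payments HTTP/1.1" 200 '
    '"https://shop.example/members/twokb" "Mozilla/5.0" MF9JqDVpY93VOMreyvI2UC24wRjT',
    '[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [shop] [kbarry] '
    'about to call shop_get_data for shop: [5971709]',
    '[Wed Aug 01 16:37:41 2012] [MF9JqDVpY93VOMreyvI2UC24wRjT] [info] [shop_audit] [kbarry] '
    'action="view_payments" staff="kbarry" user_id="5597626" section="payment_info"',
    '[01/Aug/2012:16:38:02 +0000] "GET /listing/42 HTTP/1.1" 200 '
    '"https://shop.example/" "Mozilla/5.0" SAMPLEID0000000000000000002',
]
```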
83. Know when the house is burning down
Alert on events that (should) never happen

84. Know when the house is burning down
Successful attacks don’t happen in a vacuum! They generate signals

85. Know when the house is burning down
1. Identify the signals associated with a vulnerability class
2. Alert when a signal occurs
3. Fix the identified weaknesses

86. Know when the house is burning down
Two examples: SQLi and code execution

87. Know when the house is burning down
• The road to exploited SQLi is littered with broken queries
1. Watch the logs for SQL syntax errors
2. Alert when they appear
3. Fix the lack of validation allowing the error

88. Know when the house is burning down
• Further along the attack process, a SQLi attack looks like… your database
• Sensitive DB table names shouldn’t be showing up in requests
  – Alert if they do!
    • aka the “Two hours until the db is up on pastebin” alert
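The two SQLi signals of slides 87 and 88 as an added Python example (not the talk’s monitoring code): a watch on the database log for syntax errors, tagged with the request UUID so the offending request can be pulled up, and a check of decoded query-string values for sensitive table names. The error messages, table names, log lines and requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Slide 87: the DB error log is the early signal. Message fragments for MySQL, MSSQL and
# PostgreSQL syntax errors; the request UUID in brackets lets the hit be correlated.
SQL_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|Unclosed quotation mark|syntax error at or near", re.I)
UUID_RE = re.compile(r"\[([A-Za-z0-9]{20,})\]")

def sql_syntax_errors(db_log_lines):
    """(request uuid or None, line) for every SQL syntax error: alert, then fix the
    missing validation that let the broken query through."""
    hits = []
    for line in db_log_lines:
        if SQL_ERROR_RE.search(line):
            m = UUID_RE.search(line)
            hits.append((m.group(1) if m else None, line))
    return hits

# Slide 88: table names that should never show up in a request. Assumed names for the example.
SENSITIVE_TABLES = ["users_password", "payment_info", "staff_sessions"]
TABLE_RE = re.compile(r"\b(" + "|".join(map(re.escape, SENSITIVE_TABLES)) + r")\b", re.I)

def requests_naming_tables(targets):
    """(path, param, table) for every query-string value mentioning a sensitive table,
    checked after URL decoding so that %5F-style spellings are seen too."""
    hits = []
    for target in targets:
        parts = urlsplit(target)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            m = TABLE_RE.search(value)
            if m:
                hits.append((parts.path, key, m.group(1).lower()))
    return hits

# Constructed fixtures (not real logs or traffic).
DB_LOG = [
    "2012-08-01 16:37:41 [MF9JqDVpY93VOMreyvI2UC24wRjT] ERROR 1064: You have an error in "
    "your SQL syntax; check the manual near '''' at line 1",
    "2012-08-01 16:37:42 [SAMPLEID0000000000000000002] INFO slow query: 2.3s "
    "SELECT * FROM listings WHERE shop_id = 5971709",
]
REQUEST_TARGETS = [
    "/search?q=blue+mug&sort=price",
    "/search?q=users%5Fpassword",
    "/listing/42?ref=PAYMENT_INFO",
]
```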
89. Know when the house is burning down
A funny story about a code execution vuln…

90. Know when the house is burning down
• preg_replace() in PHP has an interesting modifier
“e (PREG_REPLACE_EVAL) If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code, and uses the result for replacing the search string.”
92. Know when the house is burning down
What do the signals for this look like?

100. References / Thanks
• DevOpsSec: http://www.slideshare.net/nickgsuperstar/devopssec-apply-devops-principles-to-security
• Special Thanks:
  – Nick Galbreath, Dan Kaminsky, Marcus Barczak