Efficacy Of Layered Application Security Through The Lens Of Hacker

•

1 like•218 views

Discussion will start on web app threat model, sharing the effectiveness analysis of common app sec tools including SAST, DAST, IAST, RASP, WAF, bot detection, DB monitoring, open source scan and bin composition analysis. The discussion will cover the strategy to build cost-effective SDLC stack to minimize the appsec exposure and emerging risks from AI-assisted hacking tools with actionable recommendations. Learning Objectives: 1: Learn about evolving app security tools and layered, effective use for best result. 2: Discover effective use of application security through automation and monitoring. 3: Learn how to reduce pen tests costs. (Source: RSA Conference USA 2018)

SESSION ID:
#RSAC
Gyan Prakash
EFFICACY OF LAYERED APPLICATION SECURITY
THROUGH THE LENS OF HACKER
ASEC-T07
Chief Security Architect
VISA Inc.
Bill Yue Chen
Chief Security Architect
VISA Inc.
1

#RSAC
Threat Model
Observations
Optimizing App Security Life-Cycle Controls
Agility with Security
What Pen Test Should Focus on
Recommendations
2
Agenda

#RSAC
Data
Brut force
Malware
Phishing
“Know yourself, also
know your rival.”
-Sun Tzu, 545-470 B.C.
3
A Tight Race

#RSAC
Recon.
Automated
CAPTCHA
Reader
Advanced PW
Guessing
(e.g. PassGAN)
Advanced
Spearphishing
(e.g. SNAP_R)
ML Assisted
Social
Engineering
Delivery
Weaponizing Exploit
Installation
C & C
Act. & Obj.
Scans, DNS,
Asset discovery,
Social Eng., etc.
Malware,
Open Source
Poisoning,
Faked Web, etc.
Passive Traps &
Proactive Attacks
Network, Infra,
OWASP Vuln
IAM Issues, etc.
Camouflaged
Actions, APT,
Outbound
control exploit
4
Threat Model Over The Kill Chain

#RSAC
Just Overwhelming!
Web Vul.
Scanner
WAF
RASP
Binary
Composition
SAST
Pen Test
DAST IAST
App Vul.
Monitoring
5

#RSAC
6
Observations
Thousands
H
u
n
d
red
s

#RSAC
Flawed Authentication
Security Misconfigurations
Sensitive Data Exposure
Insecure TLS/SSL usage
Cross-Site scripting
Injection
Using vulnerable components
Inappropriate error handling
CSRF
7
Observations: Application Vulnerabilities

#RSAC
SAST DASTIAST
o Injections
o Sensitive Data Exposure
o XML External Entities (XXE)
o Cross-Site Scripting
o Insecure Deserialization
More Than One Third
o Injections
o Sensitive Data Exposure
o XML External Entities (XXE)
o Cross-Site Scripting
o Insecure Deserialization
o Security Misconfigurations
o 3rd Party Vulnerable Lib
Around Two Third
o Injections
o Sensitive Data Exposure
o XML External Entities (XXE)
o Cross-Site Scripting
o Security Misconfigurations
Around One Third
8
Optimizing App Security Coverage

#RSAC
Product Backlog Sprint Backlog Iteration Product Shipping
Developer
Workspace
Daily
Builds
SPRINT
1 - 3 weeks
SAST IAST
DAST
SASTIAST
SAST
CI Automation
9
Security Embedded with Agile

#RSAC
Authentication & Authorization
Authentication flow and design, Passwords, 2FA, Security questions, Access Control
Session management
Business Logic
All possible bypassing issues
Data flows that are not covered by scanners, such as email, SSH, SAML etc.
Examine Attack surface
Sampling test Injection, XSS, to validate SAST/IAST/DAST controls
Last but not the least, Infrastructure
12
What Pen Test should focus on?

#RSAC
Shift Left – Train and Empower Developers to Security Champions
Automation - Empower engineers with SAST, IAST, OSS, and WVS
Pen test smartly – Focus on the limitation area of tools
Implement multi-factor authentication
Check password blacklist
Phishing/social engineering awareness training
14
Recommendations

#RSAC
Questions & Answers
Sprint Backlog Iteration Product Shipping
Developer
Workspace
Daily
Builds
SPRINT
1 - 3 weeks
SAST IAST
DAST
SASTIAST
SAST
Pen
Test
CI Automation
WAF
Web Vul.
Scanner
Real time
Analytics
PRODUCTION

Web applications are vulnerable to attacks at the application layer, with over 70% of attacks targeting websites and web applications directly. Traditional network and system security tools do not adequately assess vulnerabilities in custom web applications. SPI Dynamics develops automated web application security products that contain expert security knowledge to comprehensively scan websites and web applications, simulating how a hacker would attack. Their flagship product, WebInspect, automatically crawls an entire website and tests for vulnerabilities, providing an easy to understand report of issues found.

Estimating Development Security Maturity in About an Hour

Priyanka Aash

Dev secops on the offense automating amazon web services account takeover

Priyanka Aash

This document discusses how automation can be used to take over Amazon Web Services (AWS) accounts by abusing permissions. It describes how modules have been created to automate actions like creating administrative IAM users, launching EC2 instances, and locking out other accounts. The presentation demonstrates how these modules could be used by an attacker to escalate privileges within an AWS account and eventually take it over if the permissions are not restricted properly. It emphasizes the importance of following security best practices like least privilege when working with AWS.

DevSecOps in Baby Steps

Priyanka Aash

[OWASP Poland Day] Embedding security into SDLC + GDPR

OWASP

This document discusses embedding security into the software development lifecycle (SDLC) in light of the General Data Protection Regulation (GDPR). It outlines why security in the SDLC is important to identify and fix vulnerabilities early. The document introduces the OWASP Software Assurance Maturity Model (SAMM) as a framework to implement best practices for security in the SDLC. It maps GDPR requirements to the domains covered by SAMM to show how the two reinforce each other and how organizations can improve SDLC security practices to comply with GDPR.

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecCon

The document discusses improving security, compliance, and risk management through a DevSecOps approach. It outlines steps such as mapping compliance controls to infrastructure components, categorizing risks, describing controls and mitigations, testing controls, and communicating controls to stakeholders. Automating compliance checks and integrating security practices into development workflows are presented as ways to improve security, compliance, and speed of delivery simultaneously.

ChaoSlingr: Introducing Security-Based Chaos Testing

Priyanka Aash

Predicting exploitability-forecasts-for-vulnerability-management

Priyanka Aash

Security is overdue for actionable forecasts. Like predicting the weather, similar models should work for vulnerabilities. With some open source data and a clever machine learning model, Kenna Securities can predict which vulnerabilities attackers are likely to write exploits for. Their model has 90 percent accuracy, one the day a vulnerability is released. The speaker will issue some forecasts live. (Source: RSA Conference USA 2018)

This document discusses leveraging DevOps and Agile development practices to transform application testing programs. It provides examples of how Cisco has implemented continuous security practices. Continuous security involves integrating security practices throughout the software development lifecycle, from threat modeling during design to running automated scans on code repositories and deployments. The document outlines Cisco's approach which focuses on continuous education, automation technologies, and governance to assess security risks holistically at all stages of development and operations.

Pulling our-socs-up

Priyanka Aash

Vodafone is one of the world’s largest telecommunications companies, enabling connectivity by providing mobile, fixed and IoT networks to customers around the world. Vodafone is redefining the boundary of the SOC and sees the balance between prevention, detection and response for both Vodafone’s organization and customers as vital. This session will describe the journey from reactive SOC to proactive cyber-defense. (Source: RSA Conference USA 2018)

Soc 2030-socs-are-broken-lets-fix- them

Priyanka Aash

Is your SOC overwhelmed with alerts and threats? Cyber-adversaries are wielding tools and machine power, while organizations are still trying to scale their cybersecurity with OpEx and poorly planned CapEx spending. In this session, you will learn from a SOC expert about mistakes that have been made in the past, what we can do about it right now and what is in store as we move towards SOC 2030. (Source: RSA Conference USA 2018)

Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond

Priyanka Aash

Based on investigations of real-world attacks, Microsoft Office 365 cybersecurity experts provide a prescriptive approach to identifying and implementing the most critical security controls to protect your Office 365 tenant. You will learn threats and defenses change from on-premises attacks and what Microsoft recommends for quickly protecting against the most likely and impactful risks. (Source: RSA Conference USA 2018)

Insights from-NSAs-cybersecurity-threat-operations-center

Priyanka Aash

Be the Hunter

Rahul Neel Mani

Waratek overview 2016

Waratek Ltd

This document discusses Runtime Application Self-Protection (RASP) technology provided by Waratek Ltd. It summarizes that RASP allows applications to protect themselves at runtime without code changes. Waratek provides RASP for Java applications by running them in a protected container that isolates the application from vulnerabilities in the Java runtime environment and APIs. This allows for legacy applications and Java versions to be protected without updates.

[OWASP Poland Day] Security in developer's life

OWASP

This document discusses how to integrate security practices into the developer life cycle from the initial interview through onboarding and ongoing development. It recommends assessing security knowledge in interviews, providing security guides and resources for new developers, measuring reading of guides through quizzes, and using metrics to improve security processes over time. The goal is to make developers aware of security best practices from their first days of work and involve them in an ongoing security culture.

The Good, the Bad and the Ugly of the Ultrasonic Communications Ecosystem

Priyanka Aash

Vasilios Mavroudis and Giovanni Vigna presented on the ultrasonic communications ecosystem. They discussed how SilverPush used ultrasonic beacons for cross-device tracking starting in 2012. By 2014, their technology was covered in articles and funded by investors. In 2015, security researchers noticed the technology and raised privacy concerns. The FTC took action against SilverPush in 2016. The presentation examined open questions about the technology, potential use cases, and identified security and privacy risks like replay attacks if proper authentication and encryption are not implemented. They proposed mitigations like permission controls and browser extensions to filter ultrasonic signals.

[OPD 2019] Governance as a missing part of IT security architecture

OWASP

The document discusses how governance is a missing part of IT security architecture. It proposes that security architecture should include technology, processes, and organization/people, similar to how Gartner describes the components of overall IT architecture. It presents capabilities maturity models and the secure development lifecycle as ways to incorporate governance into the design, development, testing, and operations of technology to ensure security is considered throughout the IT process.

Owasp Mobile Risk Series : M4 : Unintended Data Leakage

Anant Shrivastava

AllDayDevOps 2019 AppSensor

jtmelton

Modern applications can protect themselves from attackers by incorporating runtime monitoring capabilities. The OWASP AppSensor project aims to make intrusion detection primitives available within applications so they can detect attacks and automatically respond before an attacker succeeds. It works by collecting event data from applications and analyzing them for attacks using configurable rules. This allows applications to become self-defending by detecting and stopping attackers without needing manual responses.

Building and Adopting a Cloud-Native Security Program

Priyanka Aash

The document discusses building a cloud-native security program. It recommends embracing principles like automation, immutability, and isolation. It covers securing applications, infrastructure, and operations in the cloud. For applications, it recommends secure design and deployment through DevOps practices. For infrastructure, it suggests starting with architecture, using infrastructure as code, and implementing immutable and baseline shared services. It also provides tips for monitoring, alerting, assessment, and automating security management in the cloud.

The Dev, Sec and Ops of API Security - API World

42Crunch

The enterprise use of APIs is growing exponentially. Companies face a difficult choice. They must shift towards a software-based, digital approach to service and product delivery – or get left behind. Agile development, business pressure and the complexity of API security have made security teams life very complicated. And to make matters more complicated, the adoption of microservices architectures has multiplied the number of API endpoints that you have to protect. Downside: The more APIs, the higher the security risk! API security flaws are injected at many different levels of the API lifecycle: in requirements, development, deployment and monitoring. It is proven that detecting and fixing vulnerabilities during production or post-release time is up to 30 times more difficult than earlier in the API lifecycle. Security should be easy to considered at requirements phase, applied during development by attaching pre-defined policies to APIs and ensuring that security tests are performed as part of the continuous delivery of the APIs. Upside: We’ll prep you with all the knowledge and tools you need to implement an automated, end-to-end API Security process that will get your dev, sec and ops teams speaking the same language. In this presentation you will learn: Security risks at each stage of the API lifecycle, and how to mitigate them. How to implement an end-to-end automated API security model that development, security and operations teams will love. How to think positive! Why a positive security model works.

Gov & Education Day 2015 - User Behavior Analytics

Splunk

This document provides an overview of Splunk User Behavior Analytics (UBA). It begins with forward-looking statements and disclaimers. It then introduces the presenter and outlines an agenda covering Splunk's security vision, today's threat landscape, an overview of UBA and machine learning, and a product overview of Splunk UBA. Key use cases of Splunk UBA are described as advanced cyber attacks and malicious insider threats. The document highlights what Splunk UBA does including automated threat detection across various data sources using machine learning. Workflows for threat detection and investigation are outlined. The presentation concludes by inviting the audience to a live demo and providing details on limited-time promotional offers for Splunk UBA and Security bundles

Reducing Risk of Credential Compromise at Netflix

SBWebinars

Building a secure system is like constructing a good pizza – each individual layer adds flavor that ultimately builds to the perfect bite. At Netflix we have hand-crafted ingredients that by themselves are scrumptious, but when placed together strategically on the crust (read: cloud), constructs a pizza so large that any pizza lover (read: attacker) would be challenged to finish. Attendees will learn the secret to the sauce that is Netflix Infrastructure Security and how even defensive appsec tooling like Signal Sciences can be used in the mix to be better equipped to start baking pizza in their own kitchen, and leave satisfied.

Gov Day Sacramento 2015 - User Behavior Analytics

Splunk

Bob Pratt from Splunk presented on Splunk's User Behavior Analytics (UBA) product. UBA uses machine learning and behavioral analytics to detect cyber threats and insider threats by analyzing user, application, and entity behaviors. It reduces false positives by focusing on anomalies rather than signatures. Splunk collects log data from various sources and uses UBA to detect threats like account takeovers, lateral movement, and malware attacks in a more efficient manner than traditional SIEMs. Pratt demonstrated UBA's threat detection and investigation workflows.

Uncover threats and protect your organization

RapidSSLOnline.com

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Kyle Lai

This document provides an overview of application security services offered by Pactera Cybersecurity Consulting. It discusses why clients choose Pactera, the types of cybersecurity capabilities offered including application vulnerability testing, secure coding training, and third-party risk management. It then goes into more detail about application security testing methodologies and tools used for mobile, web, and API security assessments. Profiles of some of Pactera's cybersecurity experts are also included.

Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill

AgileNetwork

This document discusses the importance of adopting a DevSecOps culture and approach to security. It notes several major cyber attacks and the consequences organizations faced. It then outlines the key aspects of DevSecOps, including threat modeling, using security tools in development pipelines, red teaming, and reducing attack surfaces through microservices. Adopting best practices like access controls, encryption, and monitoring are also emphasized. Overall the document promotes integrating security practices into development from the start to build more robust systems and prevent vulnerabilities.

DevSecOps in Baby Steps

Priyanka Aash

The document discusses moving from traditional security practices to a DevSecOps model where security is integrated into the development lifecycle. It encourages making DevOps the security team's job, hardening the development toolchain, planning security epics and user stories, and sprinting to automate security practices. Specific examples provided include building an AWS Lambda function to respond to CloudTrail events and using AWS CodeDeploy for security tasks like imaging instance memory.

Rapid Threat Modeling Techniques

Priyanka Aash

The document discusses techniques for rapid threat modeling. It begins with an overview of threat modeling and the STRIDE methodology. It then provides lessons learned for making threat modeling faster, such as setting time limits for sessions, prioritizing what to model, and customizing common controls. The document also discusses capturing issues identified and using threat modeling as part of a broader security analysis process.

What's hot

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...

DevOps.com

Pulling our-socs-up

Priyanka Aash

Soc 2030-socs-are-broken-lets-fix- them

Priyanka Aash

Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond

Priyanka Aash

Insights from-NSAs-cybersecurity-threat-operations-center

Priyanka Aash

Be the Hunter

Rahul Neel Mani

Waratek overview 2016

Waratek Ltd

[OWASP Poland Day] Security in developer's life

OWASP

The Good, the Bad and the Ugly of the Ultrasonic Communications Ecosystem

Priyanka Aash

[OPD 2019] Governance as a missing part of IT security architecture

OWASP

Owasp Mobile Risk Series : M4 : Unintended Data Leakage

Anant Shrivastava

AllDayDevOps 2019 AppSensor

jtmelton

Building and Adopting a Cloud-Native Security Program

Priyanka Aash

The Dev, Sec and Ops of API Security - API World

42Crunch

Gov & Education Day 2015 - User Behavior Analytics

Splunk

Reducing Risk of Credential Compromise at Netflix

SBWebinars

Gov Day Sacramento 2015 - User Behavior Analytics

Splunk

Uncover threats and protect your organization

RapidSSLOnline.com

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Kyle Lai

Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill

AgileNetwork

What's hot (20)

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...

Pulling our-socs-up

Soc 2030-socs-are-broken-lets-fix- them

Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond

Insights from-NSAs-cybersecurity-threat-operations-center

Be the Hunter

Waratek overview 2016

[OWASP Poland Day] Security in developer's life

The Good, the Bad and the Ugly of the Ultrasonic Communications Ecosystem

[OPD 2019] Governance as a missing part of IT security architecture

Owasp Mobile Risk Series : M4 : Unintended Data Leakage

AllDayDevOps 2019 AppSensor

Building and Adopting a Cloud-Native Security Program

The Dev, Sec and Ops of API Security - API World

Gov & Education Day 2015 - User Behavior Analytics

Reducing Risk of Credential Compromise at Netflix

Gov Day Sacramento 2015 - User Behavior Analytics

Uncover threats and protect your organization

Pactera - App Security Assessment - Mobile, Web App, IoT - v2

Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill

Similar to Efficacy Of Layered Application Security Through The Lens Of Hacker

DevSecOps in Baby Steps

Priyanka Aash

Rapid Threat Modeling Techniques

Priyanka Aash

Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow

Priyanka Aash

Understanding what you own is step one in securing your assets. A simple concept that still escapes the grasp of most, and it’s getting harder in a cloud-enabled world. Despite this struggle there’s a plethora of APIs and publicly available data to give you a jumpstart on identifying high-risk assets. This session will share techniques and tools to gather data and identify unknown risks. Learning Objectives: 1: Learn about sources and methods to identify public, unknown assets. 2: Gain access to OSS tooling allowing defenders to operationalize asset inventory process. 3: Learn to apply risk methods using public data attributes to understand quantitative risk. (Source: RSA Conference USA 2018)

RSA 2018: Recon For the Defender - You know nothing (about your assets)

Jonathan Cran

RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...

Aaron Rinehart

This document discusses security chaos engineering as a new approach to continuously learning about and validating security controls. It provides examples of how Cardinal Health and UnitedHealth Group use security chaos engineering. Cardinal Health conducts experiments to identify security gaps and partners to remediate issues before exploitation. UnitedHealth Group tests hypotheses about how the system should respond to events like misconfigured ports. The document encourages organizations to start with low-impact experiments and create a business case to expand the practice over time. It concludes that security chaos engineering can improve security resilience by proactively testing systems.

Security precognition chaos engineering in incident response

Priyanka Aash

This document summarizes a presentation on security chaos engineering and incident response. The presentation discusses how complex adaptive systems are difficult to understand and failures are common. It introduces the concept of security chaos engineering, which involves experimenting with failures to build system resilience. An example is provided of how security chaos engineering could work by planning experiments, executing them during a "game day," analyzing results, and taking corrective action.

RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?

Scott Carlson

Stop Passing the Bug: IoT Supply Chain Security

Synopsys Software Integrity Group

This document discusses securing the IoT supply chain. It notes that IoT devices often contain vulnerabilities due to using common third-party components with known issues. The speaker recommends a three-step process: 1) Secure each software component using static analysis, runtime monitoring, and penetration testing; 2) Verify secure composition of components; and 3) Obtain independent validation of the product through a standards/certification program. Automatic tools are key to scaling security practices. The speaker emphasizes that software often contains vulnerabilities and there are no single solutions, so a holistic approach is needed.

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...

DevOps for Enterprise Systems

This document discusses leveraging DevOps and Agile development practices to transform application testing programs. It provides examples of how Cisco has implemented continuous security practices. Continuous security involves running static and dynamic application security testing at various stages of the development lifecycle. It also involves managing security incident data and mapping it to application and environment attacks. Continuous security helps manage risk holistically by minimizing attack surfaces and facilitating bottom-up and top-down vulnerability management. Key resources are provided to learn more about secure DevOps practices and application security testing.

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...

Deborah Schalm

Discover how Sona Srinivasan, Senior Architect of Cisco IT’s Global Architecture and Technology Services group, helps transform an IT DevOps strategy to a Security DevOps strategy, with IBM Security's assistance. Cisco is presently implementing continuous security and agile methods throughout the software development lifecycle (SDLC), and specific examples of current initiatives will be reviewed in this session.

RSA ASIA 2014 - Internet of Things

Wolfgang Kandek

Securing 100 products - How hard can it be?

Priyanka Aash

This document summarizes a presentation on securing 100 products. It discusses the challenges of securing multiple products, including mapping responsibilities, diverse technologies, and resource limitations. It provides approaches for prioritizing security based on product type and risk level. These include developing a security maturity program, product strategy, and correctly budgeting security resources. Automating security tools and finding partnerships can help scale efforts. Measuring effectiveness over time is also important.

RSA 2015 Realities of Private Cloud Security

Scott Carlson

Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...

MrityunjayaHikkalgut1

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery

Priyanka Aash

RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...

Paula Januszkiewicz

Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain

Priyanka Aash

SDN capabilities like micro-segmentation, service chaining, and security orchestration can disrupt the APT kill chain. SDN allows automatic provisioning of dynamic security policies. It restricts lateral movement and transparently inserts compensating controls. Security orchestration further automates responses by leveraging intelligence to update network and host-based defenses based on incidents. Together, these SDN features counter APT persistence and give attackers a moving target.

Aspirin as a Service: Using the Cloud to Cure Security Headaches

Priyanka Aash

Moving critical workloads into the cloud can be unnerving for security professionals. In reality, though, the cloud offers a whole new set of opportunities for the security team to do things even better than in their on-premises environment. Two seasoned cloud experts will explore the latest real-world, practical tools and techniques for becoming demonstrably more secure as you move to the cloud. (Source: RSA USA 2016-San Francisco)

RSAC 2016: How to Get into ICS Security

Chris Sistrunk

This document contains the presentation slides from Chris Sistrunk on how to get into ICS security. Some key points: - The number of security professionals is around 189,000 but those focused on ICS security is under 1,000, only 0.5% of security professionals. - For those with an OT background, the presenter suggests learning about security fundamentals. For those with an IT background, the presenter suggests learning about operational technology like PLCs and protocols. - The presenter provides many resources for learning about ICS security including training, conferences, books, and standards. He also suggests ways to build an at-home ICS network lab and get involved in information sharing

Practical appsec lessons learned in the age of agile and DevOps

Priyanka Aash

The SDLC has been the model for web application security over the last decade. However, the SDLC was originally designed in a Waterfall world and often causes more problems than it solves in the shift to agile, DevOps and CI/CD. This talk will share actionable tips on the most effective application security techniques in today’s increasingly rapid environment of application creation and delivery. (Source : RSA Conference USA 2017)

Similar to Efficacy Of Layered Application Security Through The Lens Of Hacker (20)

DevSecOps in Baby Steps

Rapid Threat Modeling Techniques

Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow

RSA 2018: Recon For the Defender - You know nothing (about your assets)

RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...

Security precognition chaos engineering in incident response

RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?

Stop Passing the Bug: IoT Supply Chain Security

Leverage DevOps & Agile Development to Transform Your Application Testing Pro...

RSA ASIA 2014 - Internet of Things

Securing 100 products - How hard can it be?

RSA 2015 Realities of Private Cloud Security

Cyber Crime / Cyber Secuity Testing Architecture by MRITYUNJAYA HIKKALGUTTI (...

CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery

RSA Conference 2017 session: Hacker’s Perspective on Your Windows Infrastruct...

Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain

Aspirin as a Service: Using the Cloud to Cure Security Headaches

RSAC 2016: How to Get into ICS Security

Practical appsec lessons learned in the age of agile and DevOps

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Priyanka Aash

Verizon Breach Investigation Report (VBIR).pdf

Priyanka Aash

The Verizon Breach Investigation Report (VBIR) is an annual report analyzing cybersecurity incidents based on real-world data. It categorizes incidents and identifies emerging trends, threat actors, motivations, attack vectors, affected industries, common attack patterns, and recommendations. Each report provides the latest insights and data to give organizations a global perspective on evolving cyber threats.

Top 10 Security Risks .pptx.pdf

Priyanka Aash

The document summarizes the top 10 cybersecurity risks presented to the board of directors of a manufacturing company. It discusses each risk such as insider threats, cloud security, ransomware attacks, third party risks, and data security. For each risk, it provides the current posture in terms of controls, compliance level, and planned improvements. The CISO and other leaders such as the managing director, finance director, and chief risk officer attended the presentation.

Simplifying data privacy and protection.pdf

Priyanka Aash

1) Data is growing exponentially which increases the risk and impact of data breaches, while compliance requirements are also becoming more stringent. 2) IBM Security Guardium helps customers address this by discovering, classifying, and protecting sensitive data across platforms and simplifying compliance. 3) It detects threats in real-time, increases data security accuracy, and reduces the time spent on audits and issue remediation, helping customers minimize the impact of potential data breaches and address local compliance requirements.

Generative AI and Security (1).pptx.pdf

Priyanka Aash

Generative AI and Security Testing discusses generative AI, including its definition as a subset of AI focused on generating content similar to human creations. The document outlines the evolution of generative AI from artificial neural networks to modern models like GPT, GANs, and VAEs. It provides examples of different types of generative AI like text, image, audio, and video generation. The document proposes potential uses of generative AI like GPT for security testing tasks such as malware generation, adversarial attack simulation, and penetration testing assistance.

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

Priyanka Aash

The document discusses shifting the focus in cybersecurity from vulnerability management to weakness management and attack surface management. It argues that attacks persist because approaches focus only on software vulnerabilities, while ignoring other weaknesses like technological, people and process weaknesses that expand the potential attack surface. A new approach is needed that takes a holistic view of all weaknesses and continuously monitors the entire attack surface to better prevent attacks.

DPDP Act 2023.pdf

Priyanka Aash

The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Priyanka Aash

This document discusses cybersecurity threats and SentinelOne's solutions. It begins with questions about an organization's cyber preparedness and budget. It then discusses the cat-and-mouse game between attackers and defenders. The document highlights growing ransomware threats and payments. It argues SentinelOne provides a unified security solution that lowers costs, risks, and complexity while improving detection and response. It shares industry recognition for SentinelOne and concludes by thanking the audience.

Cyber Crisis Management.pdf

Priyanka Aash

An IT systems outage and distributed denial of service (DDoS) attack impacted an organization called XYZ Ltd. This was followed by a ransom demand email from an anonymous sender threatening to release sensitive project data. When the ransom deadline passed, anonymous hackers released a video on social media and the data breach began receiving media coverage. A customer then contacted XYZ to inquire about the data leak and if their content was impacted. The document outlines discussions between teams at XYZ on responding to the cyber incident and lessons learned.

CISOPlatform journey.pptx.pdf

Priyanka Aash

The CISO Platform is a 10+ year old dedicated social platform for CISOs and senior IT security leaders that has grown to over 40,000 members across 20+ countries. Through sharing and collaboration, the community has created over 500 checklists, frameworks, and playbooks that are available for free to members. The platform also hosts an annual security conference with over 100 speakers and 20 workshops attended by 20,000 people. The goal of the CISO Platform is to build tangible community goods and resources through open sharing and collaboration among security professionals.

Chennai Chapter.pptx.pdf

Priyanka Aash

This document provides updates from the Chennai Chapter of the CISO Platform for 2021. It discusses the following: 1. The Breach and Attack Summit held in December which included panel discussions, presentations, task forces, and workshops despite natural disasters, with over 200 attendees. 2. Chapter meetings focused on ransomware trends and lessons learned from attacks. 3. A kids initiative to promote cybersecurity awareness through sessions for students, parents and teachers at local schools. 4. The task forces focused on topics like cyber risk quantification, quantum computing, cyber insurance and privacy.

Cloud attack vectors_Moshe.pdf

Priyanka Aash

Stories From The Web 3 Battlefield

Priyanka Aash

Lessons Learned From Ransomware Attacks

Priyanka Aash

The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Priyanka Aash

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Priyanka Aash

Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud

Cyber Security Governance

Priyanka Aash

Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.

Ethical Hacking

Priyanka Aash

The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Verizon Breach Investigation Report (VBIR).pdf

Top 10 Security Risks .pptx.pdf

Simplifying data privacy and protection.pdf

Generative AI and Security (1).pptx.pdf

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

DPDP Act 2023.pdf

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Cyber Crisis Management.pdf

CISOPlatform journey.pptx.pdf

Chennai Chapter.pptx.pdf

Cloud attack vectors_Moshe.pdf

Stories From The Web 3 Battlefield

Lessons Learned From Ransomware Attacks

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Cyber Security Governance

Ethical Hacking

Recently uploaded

Main news related to the CCS TSI 2023 (2023/1695)

Jakub Marek

An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers. The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 . The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

Serial Arm Control in Real Time Presentation

tolgahangng

HCL Notes and Domino License Cost Reduction in the World of DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

Recommendation System using RAG Architecture

fredae14

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

A Comprehensive Guide to DeFi Development Services in 2024

Intelisync

DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum. In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance. In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape. At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology. Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!

Operating System Used by Users in day-to-day life.pptx

Pravash Chandra Das

Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes. Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions. Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻 The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️ Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution. The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟

Finale of the Year: Apply for Next One!

GDSC PJATK

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Trusted Execution Environment for Decentralized Process Mining

LucaBarbaro3

GenAI Pilot Implementation in the organizations

kumardaparthi1024

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Tosin Akinosho

Monitoring and Managing Anomaly Detection on OpenShift Overview Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices. Key Topics Covered 1. Introduction to Anomaly Detection - Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems. 2. Understanding Edge (IoT) - Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source. 3. What is ArgoCD? - Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices. 4. Deployment Using ArgoCD for Edge Devices - Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD. 5. Introduction to Apache Kafka and S3 - Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions. 6. Viewing Kafka Messages in the Data Lake - Learn how to view and analyze Kafka messages stored in a data lake for better insights. 7. What is Prometheus? - Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices. 8. Monitoring Application Metrics with Prometheus - Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system. 9. What is Camel K? - Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes. 10. Configuring Camel K Integrations for Data Pipelines - Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow. 11. What is a Jupyter Notebook? - Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text. 12. Jupyter Notebooks with Code Examples - Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

Fueling AI with Great Data with Airbyte Webinar

Zilliz

Recently uploaded (20)

Main news related to the CCS TSI 2023 (2023/1695)

Choosing The Best AWS Service For Your Website + API.pptx

June Patch Tuesday

Programming Foundation Models with DSPy - Meetup Slides

Serial Arm Control in Real Time Presentation

HCL Notes and Domino License Cost Reduction in the World of DLAU

Recommendation System using RAG Architecture

Artificial Intelligence for XMLDevelopment

A Comprehensive Guide to DeFi Development Services in 2024

Operating System Used by Users in day-to-day life.pptx

Finale of the Year: Apply for Next One!

Building Production Ready Search Pipelines with Spark and Milvus

TrustArc Webinar - 2024 Global Privacy Survey

Skybuffer SAM4U tool for SAP license adoption

5th LF Energy Power Grid Model Meet-up Slides

Trusted Execution Environment for Decentralized Process Mining

GenAI Pilot Implementation in the organizations

Monitoring and Managing Anomaly Detection on OpenShift.pdf

Presentation of the OECD Artificial Intelligence Review of Germany

Fueling AI with Great Data with Airbyte Webinar

Efficacy Of Layered Application Security Through The Lens Of Hacker

1. SESSION ID: #RSAC Gyan Prakash EFFICACY OF LAYERED APPLICATION SECURITY THROUGH THE LENS OF HACKER ASEC-T07 Chief Security Architect VISA Inc. Bill Yue Chen Chief Security Architect VISA Inc. 1

2. #RSAC Threat Model Observations Optimizing App Security Life-Cycle Controls Agility with Security What Pen Test Should Focus on Recommendations 2 Agenda

3. #RSAC Data Brut force Malware Phishing “Know yourself, also know your rival.” -Sun Tzu, 545-470 B.C. 3 A Tight Race

4. #RSAC Recon. Automated CAPTCHA Reader Advanced PW Guessing (e.g. PassGAN) Advanced Spearphishing (e.g. SNAP_R) ML Assisted Social Engineering Delivery Weaponizing Exploit Installation C & C Act. & Obj. Scans, DNS, Asset discovery, Social Eng., etc. Malware, Open Source Poisoning, Faked Web, etc. Passive Traps & Proactive Attacks Network, Infra, OWASP Vuln IAM Issues, etc. Camouflaged Actions, APT, Outbound control exploit 4 Threat Model Over The Kill Chain

5. #RSAC Just Overwhelming! Web Vul. Scanner WAF RASP Binary Composition SAST Pen Test DAST IAST App Vul. Monitoring 5

6. #RSAC 6 Observations Thousands H u n d red s

7. #RSAC Flawed Authentication Security Misconfigurations Sensitive Data Exposure Insecure TLS/SSL usage Cross-Site scripting Injection Using vulnerable components Inappropriate error handling CSRF 7 Observations: Application Vulnerabilities

8. #RSAC SAST DASTIAST o Injections o Sensitive Data Exposure o XML External Entities (XXE) o Cross-Site Scripting o Insecure Deserialization More Than One Third o Injections o Sensitive Data Exposure o XML External Entities (XXE) o Cross-Site Scripting o Insecure Deserialization o Security Misconfigurations o 3rd Party Vulnerable Lib Around Two Third o Injections o Sensitive Data Exposure o XML External Entities (XXE) o Cross-Site Scripting o Security Misconfigurations Around One Third 8 Optimizing App Security Coverage

9. #RSAC Product Backlog Sprint Backlog Iteration Product Shipping Developer Workspace Daily Builds SPRINT 1 - 3 weeks SAST IAST DAST SASTIAST SAST CI Automation 9 Security Embedded with Agile

10. #RSAC Product Backlog Sprint Backlog Iteration Product Shipping Developer Workspace Daily Builds SPRINT 1 - 3 weeks SAST IAST DAST SASTIAST SAST CI Automation > 80 % with << 10 Security Embedded with Agile

11. #RSAC 11

12. #RSAC Authentication & Authorization Authentication flow and design, Passwords, 2FA, Security questions, Access Control Session management Business Logic All possible bypassing issues Data flows that are not covered by scanners, such as email, SSH, SAML etc. Examine Attack surface Sampling test Injection, XSS, to validate SAST/IAST/DAST controls Last but not the least, Infrastructure 12 What Pen Test should focus on?

13. #RSAC Product Backlog Sprint Backlog Iteration Product Shipping Developer Workspace Daily Builds SPRINT 1 - 3 weeks SAST IAST DAST SASTIAST SAST Pen Test CI Automation 13 Completing the Puzzle

14. #RSAC Shift Left – Train and Empower Developers to Security Champions Automation - Empower engineers with SAST, IAST, OSS, and WVS Pen test smartly – Focus on the limitation area of tools Implement multi-factor authentication Check password blacklist Phishing/social engineering awareness training 14 Recommendations

15. #RSAC Questions & Answers Sprint Backlog Iteration Product Shipping Developer Workspace Daily Builds SPRINT 1 - 3 weeks SAST IAST DAST SASTIAST SAST Pen Test CI Automation WAF Web Vul. Scanner Real time Analytics PRODUCTION

Efficacy Of Layered Application Security Through The Lens Of Hacker

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Efficacy Of Layered Application Security Through The Lens Of Hacker

Similar to Efficacy Of Layered Application Security Through The Lens Of Hacker (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

Efficacy Of Layered Application Security Through The Lens Of Hacker