Gleb Cherbov - DBO Hacking — arch bugs in BSS

•Download as PPTX, PDF•

0 likes•773 views

The document discusses security issues in banking software systems. It describes how the banking software works, with a web server, application server, database, and operator environment. It then details vulnerabilities, including that all operators can directly connect to the database using a single 'dbo_admin' account with full access, and that the password for this account is encrypted but stored in a file that can be decrypted, exposing the password. It closes by noting this is a possible attack vector that could allow malware to access the database and cause damage.

Technology

Arch bugs in BSS
Gleb Cherbov
Security Researcher
Digital Security (ERPScan)

Arch bugs in BSS

Banking

© 2002—2013, Digital Security

2

Arch bugs in BSS

Internet banking. Client side

© 2002—2013, Digital Security

3

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
4

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
5

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
6

Arch bugs in BSS

How it worx

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
7

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
8

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
9

Arch bugs in BSS

Select a target

WEB Server + App Server

DBMS

ABS

Operator
© 2002—2013, Digital Security

Operator’s environment
10

Arch bugs in BSS

Authentication

oper_login
oper_pass

Operator

© 2002—2013, Digital Security

dbo_admin
Operator’s
environment

DBMS

11

Arch bugs in BSS

Dbo_admin

• dbo_admin is the only account at DBMS
• dbo_admin has full access
• every operator can connect to DBMS directly
• oper auth on app side

© 2002—2013, Digital Security

12

Arch bugs in BSS

Lookin’ for a passwd

dbo_admin password is encrypted
and stored in a .cfg file near the app

© 2002—2013, Digital Security

13

Arch bugs in BSS

Quote

“it’s impossible to decrypt it”
(c) BSS support

© 2002—2013, Digital Security

14

Arch bugs in BSS

Let’s take a look

RSA modulus
RSA private exp
Unusual base64 alphabet
© 2002—2013, Digital Security

15

Arch bugs in BSS

Let’s take a look

Well… looks like base64?

© 2002—2013, Digital Security

16

Arch bugs in BSS

Also…

Innovative password storage
widely used in BSS products
With the same hardcoded RSA key

© 2002—2013, Digital Security

17

Arch bugs in BSS

Malware

WEB Server + App Server

DBMS

ABS
Get conf file
Decrypt dbo_admin pass
Wreak havoc
Operator
© 2002—2013, Digital Security

Operator’s environment
18

Arch bugs in BSS

Attack vector?

•Insider

•Targeted attack
•Malware

© 2002—2013, Digital Security

19

Arch bugs in BSS

Tricky data manipulations

© 2002—2013, Digital Security

20

Questions?

Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47
www.dsec.ru
www.erpscan.com
info@dsec.ru

Introducing Open APIs and the security risks involved and the great rewards that can be reaped. Going through the advantages of using and publishing APIs and how to get started, how to handle security risks with a "neo-security" stack and how Twitters API has been used to analyse Twitter use in Sweden. Lightning talk from Øredev 7 november 2013 in Malmö Sweden. Presented by Andreas Krohn, Travis Spencer and Hampus Brynolf. More information at http://nordicapis.com/oredev2013.

Secure your APIs using OAuth 2 and OpenID Connect

Nordic APIs

Session held by Travis Spencer at PayEx and Nordic APIs event "Secure, flexible and modern APIs for Payments" event in Oslo, May 10th. Description: When opening up secure APIs, OAuth 2 and OpenID Connect are the primary standards being used today. Implementing and using these standards can be challenging. In this session, Travis Spencer, CEO of Twobo Technologies, will provide an in-depth overview of these standards and explain how they can be integrated into financial services apps. The overview will include information on: The actors involved in OAuth and OpenID Connect The flows used in the standards What grant types are, which are defined, and the message exchanges of each What scopes are and examples of their use Different classes of tokens and how they are used Overview of the OpenID Foundation’s work in the Financial API WG Attendees will leave with: An overview of OAuth 2 and OpenID Connect Knowledge of the basics necessary to using these standards Resources and information sources where more information can be found

SECON'2016. Чербов Глеб, День из жизни пентестера

SECON

SECON'2016. Сергей Аверин. Javascript-фреймворки:  должен остаться только один

SECON

Рассказ от tech-менеджера о том, как мы в Acronis выбирали фреймворк в условиях, когда любое более-менее важное технологическое решение сразу затрагивает с десяток команд, несколько сотен человек и права «случайно все сломать» нет. В докладе пойдет речь о том, что хорошо работающий фронтенд — это больше про слаженную работу команды, про понятный и масштабируемый код, чем про сухие циферки. Но и циферки тоже будут. 1) Какие у нас были проблемы с текущим фреймворком — UI, архитектура, код. 2) Как измеряли, что примерно стоит брать (исследование популярности). 3) Что рассматривали. 4) На пути к демо-проекту, какие были сложности (то, что уперли идею с Typescript, собственный компилятор шаблонов, четыре Flux-фреймворка и все плохи). 5) Два пилотных демо-проекта: цифры. 6) Оценка трудоемкости перехода.

Cloud Computing2rajivmordani

5 incredible (and uncommon) serverless patterns

DavidVictoria12

Serverless technology opens up a whole new world of possibilities for modern application development, but many developers continue to use familiar patterns, such as moving from Amazon API Gateway to AWS Lambda and Amazon DynamoDB. In this dev chat, learn about five disruptive architectures that can help you increase your integration capabilities and take advantage of underutilized AWS services such as AWS Transfer Family, Amazon EventBridge, AWS Step Functions, and Amazon SES.

Speaker: Drew DiPalma, Product Manager, Cloud, MongoDB Level: 100 (Beginner) Track: Developer Come learn more about MongoDB Stitch – Our new Backend as a Service (BaaS) that makes it easy for developers to create and launch applications across mobile and web platforms. Stitch provides a REST API on top of MongoDB with read, write, and validation rules built-in and full integration with the services you love. This talk will cover the what, why, and how of MongoDB Stitch. We’ll discuss everything from features to the architecture. You’ll walk away knowing how Stitch can kickstart your new project or take your existing application to the next level. What You Will Learn: - The basics of MongoDB Stitch and how to use it to kickstart new projects and implement new features in existing projects. - How to integrate your favorite services with your MongoDB application without writing any code.

Owning End-to-end Application Experience With ThousandEyes

ThousandEyes

Enhancing SaaS Performance: A Hands-on Workshop for Partners

ThousandEyes

GPSTEC317-From Leaves to Lawns AWS Greengrass at the Edge and Beyond

Amazon Web Services

AWS Greengrass provides a wide range of opportunities from IoT gateway applications to building systems like those with microservice architectures. In this session, we first evaluate how AWS Greengrass fits into OEM, ODM, and IT service delivery models. We then wade into a gentle overview of AWS Greengrass and how it interoperates with AWS IoT and other AWS services. We walk through several key AWS Greengrass distributed architectures. Next, to help you accelerate your solution using AWS Greengrass, we discuss how AWS Greengrass fits into the AWS Cloud development and delivery model. The talk wraps up with a demonstration of AWS Greengrass facilitating communication between a closed machine to machine (M2M) network and AWS IoT.

3 Secrets to Becoming a Cloud Security Superhero

Amazon Web Services

While security is a top concern in every organization these days, it often gets a bad rap. In many minds, security has the reputation of the bothersome villain who attempts to hinder performance or restrain agility. In this session we will outline four strategies to protect your valuable workloads, without falling into traditional security traps. We will walk through three stories of EC2 security superheroes who saved the day by overcoming compliance and design challenges, using a (not so) secret arsenal of AWS and Trend Micro security tools. Andrew Watts-Curnow, Solutions Architect, Amazon Web Services, ASEAN Justin Foster, CISSP Head of Cloud Workload Security, Trend Micro

Cloud vs. On-Premises Security: Can you afford not to switch?

Zscaler

As the cloud transforms enterprise IT, it brings a lot more savings than cold hard cash. No question, reducing infrastructure costs is the #1 attraction to cloud. But there are two other cost dimensions with huge impact on security that must not be ignored. The payoffs depend on whether you approach security with a cloud vs. on-premises model. An organization’s choices are crucial – both for enterprise security and for the roles of its stakeholders.

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

ThousandEyes

Introduction to ThousandEyes

ThousandEyes

Software as a Service

Frankie Warren

NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...

Amazon Web Services

Many customers are hesitant to adopt SaaS solutions due to the concerns on the safety of the network connectivity traversing internet. It is also difficult to manage the firewall rules, NAT Gateway or VPN connections. AWS PrivateLink provided solution that let our customers’ applications, whether in a VPC or in their own data center, to connect to SaaS solutions in a highly scalable and highly available manner, while keeping all the network traffic within the AWS network.

Realise True Business Value .pdf

ThousandEyes

Realize True Business Value With ThousandEyes

ThousandEyes

Realise True Business Value With ThousandEyes

ThousandEyes

Increasing Productivity with End-User Computing Solutions on AWS

Amazon Web Services

IT organizations today need to support a modern, flexible, global workforce and ensure that their users can be productive anywhere. Moving desktops and applications to the AWS Cloud offers improved security, scale, and performance with cloud economics. In this session, we provide an overview of Amazon WorkSpaces and Amazon AppStream 2.0, and we discuss the use cases for each. Then, we dive deep into best practices for implementing Amazon WorkSpaces and AppStream 2.0

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

Vladimir Simek

SRV336_Build a Serverless, Face-Recognizing IoT Security System with Amazon R...

Amazon Web Services

Learn how to build powerful backends without managing servers by using MongoDB Stitch. Stitch is a backend-as-a-service that lets developers perform CRUD operations directly against their database with a REST API, declaratively specify field-level security on their data, and compose server-side logic and external services with hosted functions. We provide four live coding demonstrations of Stitch in action. First, we demonstrate querying and inserting data into Stitch by adding comment capability to a static blog. Second, we demonstrate the power of Stitch's declarative ACL rules in the context of a medical records application. Third, we show services integration using Amazon S3 and Amazon Rekognition. Finally, we put it all together with an IoT-powered two-factor door security system, demonstrating how Stitch orchestrates a complex architecture of devices, logic, and services. Session sponsored by MongoDB

Introducing MongoDB Atlas

MongoDB

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...

Amazon Web Services

On-premise to Microsoft Azure Cloud Migration.

Emtec Inc.

BIM Data for Owners - Sam Nseir

Jad DELLEL

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

DefconRussia

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...

DefconRussia

Intel Boot Guard — аппаратно поддержанная технология верификации подлинности BIOS, которую вендор компьютерной системы может встроить на этапе производства. Докладчик представит результаты анализа технологии, расскажет об её эволюции. Слушатели узнают, как годами клонируемая ошибка на производстве нескольких вендоров позволяет потенциальному злоумышленнику воспользоваться этой технологией для создания в системе неудаляемого (даже программатором!) скрытого руткита. Github: https://github.com/flothrone/bootguard

Similar to Gleb Cherbov - DBO Hacking — arch bugs in BSS

Introducing Stitch

MongoDB

Owning End-to-end Application Experience With ThousandEyes

ThousandEyes

Enhancing SaaS Performance: A Hands-on Workshop for Partners

ThousandEyes

GPSTEC317-From Leaves to Lawns AWS Greengrass at the Edge and Beyond

Amazon Web Services

3 Secrets to Becoming a Cloud Security Superhero

Amazon Web Services

Cloud vs. On-Premises Security: Can you afford not to switch?

Zscaler

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

ThousandEyes

Introduction to ThousandEyes

ThousandEyes

Software as a Service

Frankie Warren

NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...

Amazon Web Services

Realise True Business Value .pdf

ThousandEyes

Realize True Business Value With ThousandEyes

ThousandEyes

Realise True Business Value With ThousandEyes

ThousandEyes

Increasing Productivity with End-User Computing Solutions on AWS

Amazon Web Services

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

Vladimir Simek

SRV336_Build a Serverless, Face-Recognizing IoT Security System with Amazon R...

Amazon Web Services

Introducing MongoDB Atlas

MongoDB

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...

Amazon Web Services

On-premise to Microsoft Azure Cloud Migration.

Emtec Inc.

BIM Data for Owners - Sam Nseir

Jad DELLEL

Similar to Gleb Cherbov - DBO Hacking — arch bugs in BSS (20)

Introducing Stitch

Owning End-to-end Application Experience With ThousandEyes

Enhancing SaaS Performance: A Hands-on Workshop for Partners

GPSTEC317-From Leaves to Lawns AWS Greengrass at the Edge and Beyond

3 Secrets to Becoming a Cloud Security Superhero

Cloud vs. On-Premises Security: Can you afford not to switch?

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes

Introduction to ThousandEyes

Software as a Service

NEW LAUNCH! AWS PrivateLink: Bringing SaaS Solutions into Your VPCs and Your ...

Realise True Business Value .pdf

Realize True Business Value With ThousandEyes

Realise True Business Value With ThousandEyes

Increasing Productivity with End-User Computing Solutions on AWS

AWS Webinar CZSK 02 Bezpecnost v AWS cloudu

SRV336_Build a Serverless, Face-Recognizing IoT Security System with Amazon R...

Introducing MongoDB Atlas

GPSWKS404-GPS Game Changing C2S Services To Transform Your Customers Speed To...

On-premise to Microsoft Azure Cloud Migration.

BIM Data for Owners - Sam Nseir

More from DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

DefconRussia

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...

DefconRussia

[Defcon Russia #29] Алексей Тюрин - Spring autobinding

DefconRussia

В Spring MVC есть классная фича — autobinding. Но если пользоваться ей неправильно, могут появиться «незаметные» уязвимости, иногда с серьёзным импактом. Рассмотрим пару примеров, углубимся в тонкости появления autobinding-багов. Writeup [ENG]: http://agrrrdog.blogspot.ru/2017/03/autobinding-vulns-and-spring-mvc.html

[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux

DefconRussia

Руткиты в мире основанных на ядре Linux операционных систем уже не являются редкостью. Рассказ будет о том, как попытки в современных реалиях определить то, скомпрометирована ли система, привели к неожиданному результату.

Георгий Зайцев - Reversing golang

DefconRussia

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC

DefconRussia

Мы поговорим об общей проблеме валидации входных данных и качестве их обработки. Интерпретация входящих данных оказывает прямое влияние на решения, принимаемые в физической инфраструктуре: если какая-либо часть данных обрабатывается недостаточно аккуратно, это может повлиять на эффективность и безопасность процесса. В этой беседе мы обсудим атаки на процесс обработки данных и природу концепции «never trust your inputs» в контексте информационно-физических систем (в общем смысле, то есть любых подобных систем). Для иллюстрации проблемы мы используем уязвимости аналого-цифровых преобразователей (АЦП), которые можно заставить выдавать поддельный цифровой сигнал с помощью изменения частоты и фазы входящего аналогового сигнала: ошибка масштабирования такого сигнала может вызывать целочисленное переполнение и дает возможность эксплуатировать уязвимости в логике PLC/встроенного ПО. Также мы покажем реальные примеры использования подобных уязвимостей и последствия этих нападений.

Cisco IOS shellcode: All-in-one

DefconRussia

Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security. This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing. This talk is the presentation of a research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features because it can dynamically change the shellcode destination at the stage of post-exploitation. We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

DefconRussia

HTTP HOST header attacks

DefconRussia

Attacks on tacacs - Алексей Тюрин

DefconRussia

Weakpass - defcon russia 23

DefconRussia

nosymbols - defcon russia 20

DefconRussia

static - defcon russia 20

DefconRussia

Zn task - defcon russia 20

DefconRussia

Vm ware fuzzing - defcon russia 20

DefconRussia

Nedospasov defcon russia 23

DefconRussia

Advanced cfg bypass on adobe flash player 18 defcon russia 23

DefconRussia

Miasm defcon russia 23

DefconRussia

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

DefconRussia

Расскажу где и как iCloud Keychain хранит пароли, и какие потенциальные риски это несёт. Apple утверждает, что пароли надежно защищены, и даже её сотрудники не могут получить к ним доступ. Чтобы это подтвердить или опровергнуть, необходимо разобраться с внутренним устройством iCloud Keychain, чем мы и займемся.

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

DefconRussia

Все шире и шире получают распространение bugbounty программы - программы вознаграждения за уязвимости различных вендоров. И порой при поиске уязвимостей находятся места, которые явно небезопасны (например - self XSS), но доказать от них угрозу сложно. Но чем крупнее (хотя, скорее адекватнее) вендор, тем они охотнее обсуждают и просят показать угрозу от сообщенной уязвимости, и при успехе – вознаграждают 8). Мой доклад – подборка таких сложных ситуаций и рассказ, как же можно доказать угрозу.

More from DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...

[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...

[Defcon Russia #29] Алексей Тюрин - Spring autobinding

[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux

Георгий Зайцев - Reversing golang

[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC

Cisco IOS shellcode: All-in-one

Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...

HTTP HOST header attacks

Attacks on tacacs - Алексей Тюрин

Weakpass - defcon russia 23

nosymbols - defcon russia 20

static - defcon russia 20

Zn task - defcon russia 20

Vm ware fuzzing - defcon russia 20

Nedospasov defcon russia 23

Advanced cfg bypass on adobe flash player 18 defcon russia 23

Miasm defcon russia 23

Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...

Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях

Recently uploaded

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Free Complete Python - A step towards Data Science

RinaMondal9

RESUME BUILDER APPLICATION Project for students

KAMESHS29

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Mind map of terminologies used in context of Generative AI

Kumud Singh

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Recently uploaded (20)

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

UiPath Test Automation using UiPath Test Suite series, part 5

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

20240609 QFM020 Irresponsible AI Reading List May 2024

Free Complete Python - A step towards Data Science

RESUME BUILDER APPLICATION Project for students

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

PCI PIN Basics Webinar from the Controlcase Team

Securing your Kubernetes cluster_ a step-by-step guide to success !

Removing Uninteresting Bytes in Software Fuzzing

Mind map of terminologies used in context of Generative AI

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

UiPath Test Automation using UiPath Test Suite series, part 6

GraphRAG is All You need? LLM & Knowledge Graph

Video Streaming: Then, Now, and in the Future

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Climate Impact of Software Testing at Nordic Testing Days

DevOps and Testing slides at DASA Connect

Introduction to CHERI technology - Cybersecurity