SlideShare a Scribd company logo

Hacking Encounters of the 3rd Kind

Imperva
Imperva

As the software world evolves, more and more companies rely on 3rd party applications and software components as part of their infrastructure. However, this approach does not come without risks. The implementation of 3rd party applications has its advantages, chief among them shortened development time frames and increased software maturity. Despite these obvious benefits, organizations must remain aware of potential security implications. This presentation will: - Explain how 3rd party software vulnerabilities might lead to a data breach - Deliver examples of incidents and how they occur - Discuss the effectiveness of patching

Technology
1 of 35
Download to read offline
© 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind Looking Into the Security Impact of 3rd Party Software Confidential1 Barry Shteiman, Director of Security Strategy, Imperva
© 2014 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction §  What is 3rd party software §  Latest examples §  Hacking of a known component §  Addressing the problem §  Wrap up
© 2014 Imperva, Inc. All rights reserved. Barry Shteiman, Director of Security Strategy Confidential3 §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  Twitter @bshteiman
© 2014 Imperva, Inc. All rights reserved. What Is 3rd Party Software Confidential4
© 2014 Imperva, Inc. All rights reserved. 3rd Party Software Defined Confidential5 A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
© 2014 Imperva, Inc. All rights reserved. Identified by Type Confidential6 •  Software created by a 3rd party supplier •  Software components created by a 3rd party •  Infrastructure/Software as a service
© 2014 Imperva, Inc. All rights reserved.7 Adoption According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential 72% 18% 9% 1% Application by supplier type Internally Developed Commercial Open Source Outsourced
© 2014 Imperva, Inc. All rights reserved. Pros vs. Cons Confidential8 •  Reduced development time and cost •  Smaller R&D team is required •  Mature solution used by many •  Delayed/No SLA on Patches •  SDLC Gap •  Patches may introduce new bugs
© 2014 Imperva, Inc. All rights reserved. OWASP Top 10, “Using Known Vulnerable Components” Confidential9 Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Source: OWASP Top 10 2013 Whitepaper
© 2014 Imperva, Inc. All rights reserved. What’s Vulnerable? Confidential10 Source: Aspect Security’s study “Understanding Security Risks in OSS Components” Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
© 2014 Imperva, Inc. All rights reserved. Landscape Impact Confidential11 Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389 Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
© 2014 Imperva, Inc. All rights reserved. Into the Wild Confidential12 Looking Into Recent Incidents
© 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential13 Source: Topsy social analytics
© 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential14 Source: Topsy social analytics
© 2014 Imperva, Inc. All rights reserved. Ever Seen a Bleeding Server? Confidential15 Heartbleed (CVE-2014-0160) •  A bug in OpenSSL, allowing data leakage directly from server memory •  OpenSSL is used for Web servers, network appliances, and client software packages •  OpenSSL runs on 66% of SSL protected websites Sources: - Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html - Heartbleed.com
© 2014 Imperva, Inc. All rights reserved. But I Can Patch It! Can’t I? Confidential16 ChangeCipherSpec (CVE-2014-0224)
© 2014 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/ Wordpress Plugin vulnerabilities… A Petri Dish.
© 2014 Imperva, Inc. All rights reserved. From Our Own Threat Advisories Confidential18
© 2014 Imperva, Inc. All rights reserved. Show Me More Confidential19 Hacking of a Known Component
© 2014 Imperva, Inc. All rights reserved. Zero-Days vs. Known Vulnerabilities Confidential20 §  Zero-Days gets all the glory •  Technically interesting •  Give rise to some interesting theoretical questions: How to defend the “unknown unknowns?” §  But known vulnerabilities are doing a lot of the damage •  Provide hackers with a very cost- effective method to exploit applications http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
© 2014 Imperva, Inc. All rights reserved. Confidential21 Hacking a Known Component Apache Tomcat, running Apache Struts2 library. Target server is running a couple of applications that use the Struts library
© 2014 Imperva, Inc. All rights reserved. Confidential22 Hacking a Known Component Struts2 showcase application, running with the Struts2 library.
© 2014 Imperva, Inc. All rights reserved. Hacking a Known Component Confidential23 Source: www.exploit-db.com Lets find ourselves a nice exploit for Struts Apache has many extension libraries, Struts is amongst the most popular library.
© 2014 Imperva, Inc. All rights reserved. Lets Attack Apache Struts Confidential24 CVE of the day: CVE-2013-2251, Now we need an exploit!
© 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential25
© 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential26 Hacker now owns the server. PWN3D! Injection Complete Attempting Remote Code Injection
© 2014 Imperva, Inc. All rights reserved. Botnets Are Targeting Known Components Confidential27 Recently Observed: •  Botnets scan public servers for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the botnet
© 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential28 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team
© 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential29 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
© 2014 Imperva, Inc. All rights reserved. Addressing the Problem Confidential30
© 2014 Imperva, Inc. All rights reserved. Explore the Options Confidential31 1.  Don’t use 3rd Party Components? 2.  Use 3rd Party Components, Responsibly •  Identify 3rd party components, Track versions and dependencies •  Monitor security state of components •  Continuously pentest the application that includes third party components •  Create an acceptance process for new components which includes security validation •  Disable unused functionality •  Introduce compensating controls, such as Web Application Firewalls to reduce risk
© 2014 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage §  Have processes and controls in place to effectively manage and secure code involving 3rd party components §  Continuously monitor Recommendations 32 Confidential32
© 2014 Imperva, Inc. All rights reserved. Webinar Materials 33 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
© 2014 Imperva, Inc. All rights reserved. Questions? Confidential34 www.imperva.com
© 2014 Imperva, Inc. All rights reserved. Thank You 35 Confidential

Recommended

Imperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindImperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kind
Barry Shteiman
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3
F-Secure Corporation
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
Av is dead long live managed endpoint security
Av is dead long live managed endpoint securityAv is dead long live managed endpoint security
Av is dead long live managed endpoint security
Solarwinds N-able
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
Stefano Maccaglia
 

Recommended

Imperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindImperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kind
Barry Shteiman
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Derrick Hunter
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
IBM Security
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3
F-Secure Corporation
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
Av is dead long live managed endpoint security
Av is dead long live managed endpoint securityAv is dead long live managed endpoint security
Av is dead long live managed endpoint security
Solarwinds N-able
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...
Stefano Maccaglia
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Sonatype
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
Black Duck by Synopsys
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
eightbit
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
Black Duck by Synopsys
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
Sander Temme
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
Shane Coughlan
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
Malicious software
Malicious softwareMalicious software
Malicious software
CAS
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Imperva
 

More Related Content

What's hot

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Sonatype
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
Black Duck by Synopsys
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
eightbit
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
Black Duck by Synopsys
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Sonatype
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Anant Shrivastava
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
Sander Temme
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
CODE BLUE
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
Shane Coughlan
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
Eric Vétillard
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
Malicious software
Malicious softwareMalicious software
Malicious software
CAS
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 

What's hot (20)

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 

Similar to Hacking Encounters of the 3rd Kind

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Imperva
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
Imperva
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised Insider
Imperva
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Follow the Money, Follow the Crime
Follow the Money, Follow the CrimeFollow the Money, Follow the Crime
Follow the Money, Follow the Crime
IBM Security
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene Presentation
Black Duck by Synopsys
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks
Imperva
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
IBM Security
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
Imperva
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
IBM Security
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM Security
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
Eric Vanderburg
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Frank Lesniak
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core Security
Core Security
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application SecurityJavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
Theresa Mammarella
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
FireEye, Inc.
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
Rogue Wave Software
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 

Similar to Hacking Encounters of the 3rd Kind (20)

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised Insider
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Follow the Money, Follow the Crime
Follow the Money, Follow the CrimeFollow the Money, Follow the Crime
Follow the Money, Follow the Crime
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene Presentation
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...
 
Application security
Application securityApplication security
Application security
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core Security
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application SecurityJavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 

More from Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
Imperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
Imperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
Imperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
Imperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
Imperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
Imperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
Imperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
Imperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
Imperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
Imperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
Imperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
Imperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
Imperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
Imperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
Imperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
Imperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Imperva
 

More from Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Recently uploaded

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
Globus
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
UiPathCommunity
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Enhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZEnhancing Performance with Globus and the Science DMZ
Enhancing Performance with Globus and the Science DMZ
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..UiPath Community Day Dubai: AI at Work..
UiPath Community Day Dubai: AI at Work..
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 

Hacking Encounters of the 3rd Kind

  • 1. © 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind Looking Into the Security Impact of 3rd Party Software Confidential1 Barry Shteiman, Director of Security Strategy, Imperva
  • 2. © 2014 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction §  What is 3rd party software §  Latest examples §  Hacking of a known component §  Addressing the problem §  Wrap up
  • 3. © 2014 Imperva, Inc. All rights reserved. Barry Shteiman, Director of Security Strategy Confidential3 §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  Twitter @bshteiman
  • 4. © 2014 Imperva, Inc. All rights reserved. What Is 3rd Party Software Confidential4
  • 5. © 2014 Imperva, Inc. All rights reserved. 3rd Party Software Defined Confidential5 A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
  • 6. © 2014 Imperva, Inc. All rights reserved. Identified by Type Confidential6 •  Software created by a 3rd party supplier •  Software components created by a 3rd party •  Infrastructure/Software as a service
  • 7. © 2014 Imperva, Inc. All rights reserved.7 Adoption According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential 72% 18% 9% 1% Application by supplier type Internally Developed Commercial Open Source Outsourced
  • 8. © 2014 Imperva, Inc. All rights reserved. Pros vs. Cons Confidential8 •  Reduced development time and cost •  Smaller R&D team is required •  Mature solution used by many •  Delayed/No SLA on Patches •  SDLC Gap •  Patches may introduce new bugs
  • 9. © 2014 Imperva, Inc. All rights reserved. OWASP Top 10, “Using Known Vulnerable Components” Confidential9 Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Source: OWASP Top 10 2013 Whitepaper
  • 10. © 2014 Imperva, Inc. All rights reserved. What’s Vulnerable? Confidential10 Source: Aspect Security’s study “Understanding Security Risks in OSS Components” Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
  • 11. © 2014 Imperva, Inc. All rights reserved. Landscape Impact Confidential11 Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389 Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
  • 12. © 2014 Imperva, Inc. All rights reserved. Into the Wild Confidential12 Looking Into Recent Incidents
  • 13. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential13 Source: Topsy social analytics
  • 14. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential14 Source: Topsy social analytics
  • 15. © 2014 Imperva, Inc. All rights reserved. Ever Seen a Bleeding Server? Confidential15 Heartbleed (CVE-2014-0160) •  A bug in OpenSSL, allowing data leakage directly from server memory •  OpenSSL is used for Web servers, network appliances, and client software packages •  OpenSSL runs on 66% of SSL protected websites Sources: - Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html - Heartbleed.com
  • 16. © 2014 Imperva, Inc. All rights reserved. But I Can Patch It! Can’t I? Confidential16 ChangeCipherSpec (CVE-2014-0224)
  • 17. © 2014 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/ Wordpress Plugin vulnerabilities… A Petri Dish.
  • 18. © 2014 Imperva, Inc. All rights reserved. From Our Own Threat Advisories Confidential18
  • 19. © 2014 Imperva, Inc. All rights reserved. Show Me More Confidential19 Hacking of a Known Component
  • 20. © 2014 Imperva, Inc. All rights reserved. Zero-Days vs. Known Vulnerabilities Confidential20 §  Zero-Days gets all the glory •  Technically interesting •  Give rise to some interesting theoretical questions: How to defend the “unknown unknowns?” §  But known vulnerabilities are doing a lot of the damage •  Provide hackers with a very cost- effective method to exploit applications http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
  • 21. © 2014 Imperva, Inc. All rights reserved. Confidential21 Hacking a Known Component Apache Tomcat, running Apache Struts2 library. Target server is running a couple of applications that use the Struts library
  • 22. © 2014 Imperva, Inc. All rights reserved. Confidential22 Hacking a Known Component Struts2 showcase application, running with the Struts2 library.
  • 23. © 2014 Imperva, Inc. All rights reserved. Hacking a Known Component Confidential23 Source: www.exploit-db.com Lets find ourselves a nice exploit for Struts Apache has many extension libraries, Struts is amongst the most popular library.
  • 24. © 2014 Imperva, Inc. All rights reserved. Lets Attack Apache Struts Confidential24 CVE of the day: CVE-2013-2251, Now we need an exploit!
  • 25. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential25
  • 26. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential26 Hacker now owns the server. PWN3D! Injection Complete Attempting Remote Code Injection
  • 27. © 2014 Imperva, Inc. All rights reserved. Botnets Are Targeting Known Components Confidential27 Recently Observed: •  Botnets scan public servers for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the botnet
  • 28. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential28 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team
  • 29. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential29 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
  • 30. © 2014 Imperva, Inc. All rights reserved. Addressing the Problem Confidential30
  • 31. © 2014 Imperva, Inc. All rights reserved. Explore the Options Confidential31 1.  Don’t use 3rd Party Components? 2.  Use 3rd Party Components, Responsibly •  Identify 3rd party components, Track versions and dependencies •  Monitor security state of components •  Continuously pentest the application that includes third party components •  Create an acceptance process for new components which includes security validation •  Disable unused functionality •  Introduce compensating controls, such as Web Application Firewalls to reduce risk
  • 32. © 2014 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage §  Have processes and controls in place to effectively manage and secure code involving 3rd party components §  Continuously monitor Recommendations 32 Confidential32
  • 33. © 2014 Imperva, Inc. All rights reserved. Webinar Materials 33 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
  • 34. © 2014 Imperva, Inc. All rights reserved. Questions? Confidential34 www.imperva.com
  • 35. © 2014 Imperva, Inc. All rights reserved. Thank You 35 Confidential