This document provides tips and guidance for starting an information security career. It discusses the importance of continuous learning and hands-on skills development. Key recommendations include building a home lab, participating in capture-the-flag exercises, learning Python and Linux, finding a mentor, considering certifications, and networking within the security community through conferences, Twitter, blogs and open source projects. The document uses examples from penetration testing and security analysis to illustrate real-world scenarios.
Have you ever run a vulnerability scanner and thought "Okay...so now what?". This talk explores how to go beyond running a vulnerability scanner by walking through a penetration test with examples and tips along the way.
BSidesJXN 2016: Finding a Company's BreakPoint - Andrew McNicol
We discuss tips and tricks we have picked up along our way performing penetration tests and red teaming engagements. We also cover 5 main ways we break into a company.
BSides CHARM 2015 Talk "InfoSec Hunters and Gatherers" - Learn how to go beyond automated tools to truly be the "Hunter" and find both bad guys and vulnerabilities.
BSides Philly: Finding a Company's BreakPoint - Andrew McNicol
We cover modern day hacking techniques to establish a foothold into a target network. This is a great introduction to hacking techniques to those new to pentesting, with hopes of breaking the mindset of "scan then exploit".
Introduction to Penetration Testing with a use case of LFI -> Shell. I talk about the mindset required to be a good tester, and show places many testers and automated tools stop and how to go further.
Adding Pentest Sauce to Your Vulnerability Management Recipe. Covers 10 tips to improve vulnerability management based on common red team and pentest findings.
A journey into application security will cover the relation and evolution of application security with the different approaches to development, from Waterfall to DevOps.
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools and modify existing tools on the fly is critically important to agility during testing engagements. Everything from utility processing of data, network protocols, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
In this talk I will present a brief introduction to Code Review, where we will try to understand its value and why it is so hard to implement effectively. I will also present some of the challenges we had at SAPO and how we tried to fix them.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... - CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host and network level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Have you ever wondered if the access to your cloud kingdom is secure? Have you ever thought about how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present hackish methods used by cyber criminals to find access keys on the public Internet. How can Shannon entropy help you? During the presentation, I’ll release my own scanners to search the AWS and Azure space, and in the end I will demonstrate my own tool to analyze large amounts of data in search of sensitive data. Lots of demos, technical stuff and an educational moral for unaware specialists in the end. It’s gonna be fun!
Additional materials: https://www.securing.biz/en/seven-step-guide-to-securing-your-aws-kingdom/index.html
Introduction to Web Application Security - Blackhoodie US 2018 - Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injections. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
Attackers don’t just search for technology vulnerabilities; they take the easiest path and find the human vulnerabilities. Drive-by web attacks, targeted spear phishing, and more are commonplace today with the goal of delivering custom malware. In a world where attackers deliver custom advanced malware that handily evades signature and blacklisting approaches and does not depend on application software vulnerabilities, how do we know when our environments are compromised? What are the telltale signs that compromise activity has started, and how can we move to arrest a compromise in progress before the attacker moves laterally and reinforces their position? The penetration testing community knows these signs and artifacts of advanced malware presence, and it is up to us to help educate defenders on what to look for.
Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?
Open Secrets of the Defense Industry: Building Your Own Intelligence Program ... - Sean Whalen
Respond proactively to threats like a defense contractor. It’s more realistic than you might think!
A practical guide of how to build intelligence-driven cyber defenses using open source software, based on real implementations of best practices, adapted from the Lockheed Martin Cyber Kill Chain model.
Supply Chain Security for Developers.pdf - ssuserc5b30e
https://teachingcyber.gumroad.com/
The Software Supply Chain Security for Developers course takes you from little or no knowledge and shows you how to build security into development projects with practical demonstrations. You will learn the principles of configuring environments in a practical way using minimal lectures and focusing on step-by-step demonstrations. There are very few courses like this that get straight into the practicalities of application security and DevSecOps. With this capability, you will be able to provide professional and consistent service to your company or clients and help secure your organisation. You will learn to implement security using GitHub and Azure DevOps.
This is a fast-growing area: specialist developers with skills in security are in high demand, and using the skills here will enable your career, giving you cyber security experience in Azure DevOps, GitHub and the command line. If you are a beginner, this course is for you, as it will give you the foundations in a practical way, not theoretically. If you are an experienced practitioner who is now becoming aware of the need to conduct supply chain assessments, this course is absolutely essential for you.
Some of the key areas you will learn are:
Software Supply Chain Security
Building software supply chain security into the development using GitHub
Building software supply chain security into the development using Azure DevOps
Practical application security skills
Increase knowledge and skills around DevSecOps
This course will give you the grounding you need to help you learn, retain and replicate the security skills necessary to build and improve your DevSecOps processes. The lectures are to the point and concise because your time, like many practitioners, is precious. All demos can be followed using your own software accounts and replayed time and again as your one-stop security reference.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks, BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration test while utilizing BurpSuite's features and tools (Free and Pro versions). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Security Training: Making your weakest link the strongest - CircleCityCon 2017 - Aaron Hnatiw
It is well known among security professionals that the weakest link in any organization's security is the employee, the so-called "human element". While endpoint security controls may mitigate this risk, they are nowhere close to removing it completely. This is where security training becomes essential. This talk will cover how to introduce and improve security training in any organization, along with industry best practices and methods to keep knowledge retention high. The speaker will provide specific examples from his own experience of cases where a properly trained employee could have easily thwarted a devastating attack immediately. Will your employees be your weakest link, or your strongest asset?
Transferring Software Testing Tools to Practice - Tao Xie
ACM SIGSOFT Webinar co-presented by Nikolai Tillmann (Microsoft), Judith Bishop (Microsoft Research), Pratap Lakshman (Microsoft), Tao Xie (University of Illinois at Urbana-Champaign) http://www.sigsoft.org/resources/webinars.html
By the end of this webinar you should be able to understand:
Top five skills needed to break into a career in information security analysis
Tips and tricks to study for the CS0-001
IDS, firewalls, etc.
CompTIA Cybersecurity Analyst (CSA+) is an international, vendor-neutral cybersecurity certification that applies behavioral analytics to improve the overall state of IT security. CSA+ validates critical knowledge and skills that are required to prevent, detect and combat cybersecurity threats.
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021 - Teemu Tiainen
The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications.
Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations.
These are some of the themes we covered:
• How to ease your workload with allow-listing.
• Is allow-listing difficult? (A hint: it is not.)
• Implementing AppLocker to trim down your application portfolio.
• Restricting admin rights to control your IT environment.
• Managing and updating applications after allow-listing operations.
Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.
Outpost24 webinar: Turning DevOps and security into DevSecOps - Outpost24
DevOps is a revolution starting to deliver. The “shift left” security approach is trying to catch up, but challenges remain. We will go over concrete security approaches and real data that overcome these challenges.
It takes more than adding “hard to find” security talent to your DevOps team to reach DevSecOps benefits. Our discussion focuses on the practical side and lessons-learned from helping organizations gear up for this paradigm shift.
(SPOT205) 5 Lessons for Managing Massive IT Transformation Projects - Amazon Web Services
Choice Hotels is undertaking a multiyear, $20 million project to recreate our core business engines on AWS. In trying to approach this complex undertaking, we determined that the project itself is a system too. You can apply principles of good architecture and design work in how you approach the project structure and management. Come to this talk by Choice Hotels’ CTO to learn five key lessons and 20 concrete takeaways that you can implement today to help your AWS projects succeed.
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin - Matt Tesauro
An overview of how to change security from a reactive part of the org to a collaborative part of the agile development process. Using concepts from agile and DevOps, how can application security get as nimble as product development has become?
This webinar lays the foundation for your PHP app. If you have at least one year of PHP experience, this webinar explains these key building blocks for creating and maintaining enterprise-class applications, mobile services, and third-party libraries. It covers: what makes mission-critical PHP different? (including cloud-based solutions); how to maintain your PHP stack; how to ensure code security; and what to do when your system goes down?
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
Rik Marselis's and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in the different parts of the DevOps infinity loop.
Climate Impact of Software Testing at Nordic Testing Days - Kari Kakkonen
My slides at Nordic Testing Days 6.6.2024
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Sustainability can be added to the quality characteristics and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
2. Build | Protect | Learn
Agenda
• ~$ whoami
• Overview
• Platforms for Information
• Tips For Skill Development
• Find a Mentor
• Education
• Certifications
• DoD 8570 Requirements
• DoD vs. Commercial
• Professional Networking
• Networking, Linux, and Python
• Life of a Pentester (Offense) + Example
• Life of a Security Analyst (Defense) + Example
• Practice
• Recap
• Useful Links
3. Build | Protect | Learn
~$ whoami
General
• Founded in 2015 to deliver effective and sustainable cyber solutions
• Currently provides technical services to the Federal Government and commercial sectors
• Prides itself on leveraging technology advancements to solve our clients’ most critical cyber challenges
Company Culture
• We embrace a “Geeky” company culture.
• Engage with security community (Blog, Twitter, Exploit-db, Github, Conferences, etc.).
• Large focus put on learning and sharing knowledge.
• Company CTFs and other technical challenges to improve skills.
Major Service Areas
• Cybersecurity Assessments
• Defensive Cyber Operations
• Research and Development
• Cybersecurity Training
4. Build | Protect | Learn
Overview
• Let's get you started!
• The goal of this presentation is to share our team's knowledge and lessons learned while working in the industry.
• The keys to success in infosec come down to a continuous effort of knowing your environment and improving your knowledge and skills.
• Our industry requires not only knowledge of terms and topics, but also hands-on-keyboard skills to succeed.
• Ultimately, being able to keep yourself up to date is a key component of being an InfoSec professional.
5. Build | Protect | Learn
Platforms for Information
Twitter
• One of the best resources for keeping yourself current is Twitter.
• Often people will report news via a tweet before it’s even blogged.
• Build your network! Follow various infosec professionals, vendors and companies.
Blogs
• Learning from blogs can lead to lessons learned and discovery of new topics.
• Blogs are a great way to share ideas and thoughts among the community.
• Bookmark some of your favorite blogs and podcasts to check regularly for new interesting content.
RSS Feeds
• If you want a combination of Twitter and blogs, consider an RSS reader (e.g. Digg, Feedly, etc.).
• An RSS feed can help keep track of blogs and news items.
6. Build | Protect | Learn 6
Tips for Skill Development
Build a Lab
• Technical skills require hands-on practice.
• Labs can be simple: your computer + VirtualBox or VMware + VMs.
Capture-the-Flag Exercises
• If you want to acquire and/or maintain technical skills then you should participate in a CTF.
• Many online CTFs available: vulnhub.com
• Good resource for learning how to excel in CTF events: https://trailofbits.github.io/ctf/vulnerabilities/source.html
Free Training and Online Resources
• You can also find most conference talks online (Irongeek YouTube).
• Loads of free training resources: Cybrary, OffSec, etc.
8. Build | Protect | Learn 8
Education
• If in doubt, go Computer Science.
Programming skills are always in high demand.
Learning to write your own scripts and tools will separate you from the pack.
You do not need a CS degree to be able to write code.
• Some jobs require a degree, others do not; it is really a mixed bag.
• Can be a good way to show you are worth investing in.
• Can help you potentially skip lower-level IT roles (Help Desk and System Administrator).
You still need hands-on skills with the technology.
• College is really what you make of it; challenge yourself to learn things beyond the scope of the class requirements.
9. Build | Protect | Learn 9
Certifications
CompTIA
• Offers many entry-level certifications (Security+, Linux+, etc.).
• Multiple-choice exam, usually a couple hundred questions.
Offensive Security
• Offers hands-on technical certifications (OSWP, OSCP, OSCE, etc.).
• Skills-based exam (24 hours to break into 5 VMs and provide a detailed penetration test report).
SANS/GIAC
• Offers a wide variety of technical and policy-focused certifications (GSEC, GPEN, GCIA, GCIH, etc.).
• Multiple-choice exam, usually 75-150 questions; the minimum passing percentage varies by exam.
ISC2 and Others
• Many other certifications that can help your career: CISSP, SSCP, Microsoft, Cisco, etc.
• Depends highly on your specific career goals.
11. Build | Protect | Learn 11
DoD vs. Commercial
DoD/Govt.
• Mixture of government (CIV) and contractor employees working together
• A lot of policy in place and separation of information (Unclassified/Classified)
• Often requires a clearance or public trust
• Compliance is a huge focus
• Has infrastructure that is on the Internet and on separate Govt networks (NIPR, DODIN, etc.)
• Most contractor work will have to be bid upon before the government awards it.
Commercial
• Hired to work as an employee under a company or organization
• Has regulations of compliance enforced (PCI, HIPAA, FISMA, etc.)
• Potential work with big businesses and small businesses
• Has less policy enforcement (depends more upon the company's enforcement)
• Oftentimes will not require any clearance but may have company policy in place to protect information.
12. Build | Protect | Learn 12
Professional Networking
LinkedIn
• Helps build your online professional profile (“Google your name”).
Twitter
• Most active in the security community are on Twitter.
Personal Blog
• Great way to share knowledge, showcase skills, and research.
Open Source Projects (Github, Sourceforge, etc.)
• Contributing to or creating an open source project is a great way to get noticed by companies.
Conferences
• Expand your TTPs and knowledge in person.
16. Build | Protect | Learn
Life of a Pentester (Offense)
• Lots of failure:
Pentesting is all about failing over and over again.
• Lots of research:
Facing a new type of technology will force you to do a lot of research on the fly.
• Lots of skill development:
I find I have to spend a lot of time to sharpen skills.
Staying up to date on vulnerabilities and attacks.
• Consistently thinking like an attacker:
Thinking about how to misuse technology in creative ways.
• Scripting:
Normally this is required for senior roles.
• Tools: Metasploit, Burp Suite, Nmap, Masscan, Recon-ng, Linux/Windows, Nessus, Acunetix, WebInspect, Mimikatz, Python, and many other tools in Kali Linux.
20. Build | Protect | Learn
Offensive Example: debug.php
• Step 3: Systems/ports are validated from Shodan results using Masscan and Nmap. Then the web technology footprint is enumerated with whatweb.
* Linux utilities were used to build input files/parse output files (sed, grep, awk, egrep, sort, uniq).
21. Build | Protect | Learn
Offensive Example: debug.php
• Step 4: Enumerate an unlinked resource "debug.php" that gives an HTTP 200 OK and a blank screen. This is where automated tools stop.
22. Build | Protect | Learn
Offensive Example: debug.php
• Step 5: Parameters are fuzzed in an attempt to enumerate inputs; "page=" gives back a different response: "Failed opening 'test' for inclusion".
23. Build | Protect | Learn
Offensive Example: debug.php
• Step 6: Attempt to point the page parameter to local and remote resources and attempt to execute code on the server.
24. Build | Protect | Learn
Offensive Example: debug.php
• Step 7: PHP was running as SYSTEM on the vulnerable application. An attacker could dump password hashes and pivot throughout the organization with admin privileges.
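The "page=" flaw behind the debug.php walkthrough above, modelled as an added Python example (not code from the slides): an include-style resolver that trusts the parameter, next to an allow-listed one that also checks the resolved path stays under the web root. WEBROOT, ALLOWED_PAGES and the test inputs are assumed, not taken from the engagement.

```python
"""Added example, not from the original deck: unsafe vs. allow-listed
page resolution for a debug.php-style 'page=' parameter.
WEBROOT and ALLOWED_PAGES are constructed placeholders."""
from pathlib import Path
from urllib.parse import urlsplit

WEBROOT = Path("/var/www/app")                                   # assumed web root
ALLOWED_PAGES = {"home": "pages/home.php", "about": "pages/about.php"}  # assumed


def resolve_unsafe(page: str) -> Path:
    """Mirrors include($_GET['page']): the raw value picks the file.
    '../' sequences walk out of WEBROOT, and an absolute value replaces
    WEBROOT entirely (pathlib's '/' behaves like PHP's include here).
    A remote 'http://...' value would be fetched by PHP when
    allow_url_include is on; Python cannot model that part."""
    return (WEBROOT / page).resolve()


class PageNotAllowed(ValueError):
    """Raised when a page value fails the allow-list or containment check."""


def resolve_safe(page: str) -> Path:
    """Look the value up in a fixed allow-list, then confirm the resolved
    path still lies under WEBROOT (defence in depth, not a replacement
    for the allow-list)."""
    if urlsplit(page).scheme:                     # http://, ftp://, php://, ...
        raise PageNotAllowed("remote or wrapper resources are never included")
    try:
        rel = ALLOWED_PAGES[page]
    except KeyError:
        raise PageNotAllowed(f"unknown page {page!r}") from None
    target = (WEBROOT / rel).resolve()
    if not is_contained(target):
        raise PageNotAllowed("resolved outside the web root")
    return target


def is_contained(path: Path) -> bool:
    """True when path is strictly inside WEBROOT after resolution."""
    return WEBROOT.resolve() in path.resolve().parents


def is_allowed(page: str) -> bool:
    """Convenience wrapper: does the allow-listed resolver accept page?"""
    try:
        resolve_safe(page)
        return True
    except PageNotAllowed:
        return False
```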
25. Build | Protect | Learn
Life of a Security Analyst (Defense)
• Attention to Detail:
Digging through logs, pcap, alerts, etc. requires a lot of attention to detail.
• Hunting:
Often going through large amounts of “normal” data to find what is “odd”.
• Desire to Improve:
Most defensive jobs are what you make of them; you can sit on Facebook and check the box, or you can dig and go beyond alerts.
• Scripting:
Normally required for senior technical roles.
• Lots of Research:
It can often be hard to explain a network event using only pcap as a resource.
Staying up to date on the latest attacks and vulnerabilities is important.
• Tools: Tcpdump, Wireshark, Bro, Snort, SIEM tools, Python, Windows/Linux, etc.
26. Build | Protect | Learn
Hunt for the needle in the haystack...
28. Build | Protect | Learn
Defensive Example: PCAP
• You leverage some tcpdump/bash Kung Fu to quickly summarize DNS.
• You notice a domain that looks legit, but is misspelled! Can you see it?
29. Build | Protect | Learn
Defensive Example: PCAP
• You investigate this further and notice some odd parameters in the corresponding HTTP traffic. What is interesting about the HTTP GET request below?
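The "summarize DNS, then spot the misspelled domain" hunt from the defensive example, as an added Python example (not code from the slides) over constructed tcpdump-style lines. The known-good domain list, the sample lines and the two-edit threshold are assumptions; it goes one step past eyeballing the counts by flagging any registrable domain within two edits of a known-good one.

```python
"""Added example, not from the original deck: summarize DNS query names
(the `tcpdump | awk | sort | uniq -c` step) and flag look-alike domains."""
import re
from collections import Counter

# Constructed sample of `tcpdump -nn port 53` output; not a real capture.
SAMPLE_LINES = """\
12:00:01.000 IP 10.0.0.5.51234 > 10.0.0.1.53: 1+ A? www.microsoft.com. (35)
12:00:02.000 IP 10.0.0.5.51235 > 10.0.0.1.53: 2+ A? update.microsoft.com. (38)
12:00:03.000 IP 10.0.0.7.40001 > 10.0.0.1.53: 3+ A? www.google.com. (32)
12:00:04.000 IP 10.0.0.9.40002 > 10.0.0.1.53: 4+ A? cdn.micros0ft.com. (35)
12:00:05.000 IP 10.0.0.5.51236 > 10.0.0.1.53: 5+ AAAA? www.microsoft.com. (35)
12:00:06.000 IP 10.0.0.1.53 > 10.0.0.5.51234: 1 1/0/0 A 20.1.2.3 (51)
""".splitlines()

KNOWN_GOOD = {"microsoft.com", "google.com"}      # assumed allow-list
# "<id>+ <QTYPE>? <name>. (<len>)" as tcpdump prints a query; answers lack "?".
QUERY_RE = re.compile(r" \d+\+? ([A-Z]+)\? (\S+?)\.? \(")


def parse_queries(lines):
    """Yield (qtype, lowercase name) for each query line; answers are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower()


def summarize(lines):
    """Count queries per name, the way `sort | uniq -c | sort -rn` would."""
    return Counter(name for _, name in parse_queries(lines))


def registrable(name):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(name.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(lines, known=KNOWN_GOOD, max_dist=2):
    """Map each queried domain that is close to, but not equal to, a
    known-good domain onto the domain it imitates."""
    hits = {}
    for name in summarize(lines):
        dom = registrable(name)
        if dom in known:
            continue
        for good in known:
            if levenshtein(dom, good) <= max_dist:
                hits[dom] = good
    return hits
```

Feed it real lines with `tcpdump -nn -r capture.pcap port 53` piped into the script, and review the summary counts before the look-alike hits: the rare, odd name is usually near the bottom of the count list.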
30. Build | Protect | Learn
Practice
● We’ve created a CTF VM + Question and Answer guide to help expose you to various hands-on security challenges.
31. Build | Protect | Learn
Recap
● Stay up to date with latest news and trends (Twitter, RSS Feeds, Blogs, etc.)
● Build a lab
● Learn Python!
● Use Linux
● Research and participate in Capture the Flag (CTF) events / Vulnerable VMs
● Be aware of the free online resources for technical training
● Find a mentor
● Learn about job requirements for target job (skills, certifications, education, etc.)
● Develop a professional/InfoSec network (Twitter, LinkedIn, etc.)
● Start a personal blog
● Consider contributing to or starting an open source project
● Attend conferences or watch conference talks on YouTube
Find your passion...you’ll always go further if you really love the subject matter. Some really enjoy hunting through pcap, others getting shells. Figure out what you like and sharpen those skills.
32. Build | Protect | Learn
Useful Links
• Cybrary.it
• OWASP
• Penetration Testing Execution Standard (PTES)
• SANS ISC
• Vulnhub
• Pentester Lab
• Metasploit Unleashed
• IronGeek YouTube channel
• SecurityTube
• Jason Haddix How to Shot Web Talk
• How to be an InfoSec Geek Talk
• Pcap Resources:
http://www.netresec.com/?page=PcapFiles
http://contagiodump.blogspot.com/2013/08/deepend-research-list-of-malware-pcaps.html
• Malwr.com
• Dump of common InfoSec interview questions (isdpodcast)
33. Build | Protect | Learn
Connect with Us
www.breakpoint-labs.com
info@breakpoint-labs.com
@0xcc_labs