This deck discusses how to invest in software security sensibly. It argues that fully securing software is impossible and that there is no good reason to try; the optimal investment targets the root cause, bugs in our own code, through practices like threat modeling, developer training, security testing, and bug bounties. The key is to train developers to write code with fewer bugs and to have skilled hackers find and help remediate as many of the remaining bugs as they can.
Human is an amateur; the monkey is an expert. How to stop trying to secure your software.
1. Human is an amateur; the monkey is an expert.
How to stop trying to secure your software.
Vlad Styran
OSCP CISSP CISA
2. # whoami
15 years in security
10 years in appsec
5 years as a cofounder
Running cons for 10 years
Podcasting for 9 years
Marathon finisher
Father of two
3. Today I will show you
1. that there is no way to fully secure our software
2. that there is no good reason to try to do that
3. what we should do instead
4. how we should do it*
____
* Spoiler: we should train the monkey
7. Good news:
There is no reason to try to do it
[Chart: Probability (0-100%) on the vertical axis against Security Loss, 1000 USD (0-100) on the horizontal axis]
8. This is what we should do instead:
Find optimal investment options
[Chart: same axes as slide 7, probability (0-100%) against loss (0-100)]
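Slides 7 and 8 make the argument in terms of a loss curve: the probability of a security loss never reaches zero, so the question is which spend buys the largest reduction in expected loss for its cost. The following is an added example, not code from the deck or from the author: it models annual loss as an incident that occurs with some probability per year and, when it does, costs a lognormally distributed amount (that frequency-times-severity model is my assumption, not something the slides state), plots the exceedance probability that the chart's axes describe, and ranks hypothetical investment options by net benefit. Every number and option name below is constructed for illustration.

```python
"""Loss-exceedance curve and security-investment ranking (added example).

Model (an assumption for this example): an incident happens with probability
p_event per year; the loss given an incident, in thousand USD, is lognormal
with median median_k and shape sigma. Nothing here is taken from the deck.
"""
import math


def lognormal_cdf(x, mu, sigma):
    """P(L <= x) for a lognormal with log-mean mu and log-sd sigma."""
    if x <= 0:
        return 0.0
    return 0.5 * (1.0 + math.erf((math.log(x) - mu) / (sigma * math.sqrt(2.0))))


class LossModel:
    def __init__(self, p_event, median_k, sigma):
        self.p_event = p_event
        self.mu = math.log(median_k)      # log-median of the severity distribution
        self.sigma = sigma

    def exceedance(self, x):
        """P(annual loss > x thousand USD): the probability-vs-loss curve of slides 7-8."""
        return self.p_event * (1.0 - lognormal_cdf(x, self.mu, self.sigma))

    def expected_loss(self):
        """E[annual loss] in thousand USD: p_event * E[L | incident]."""
        return self.p_event * math.exp(self.mu + 0.5 * self.sigma ** 2)


def rank_investments(baseline, options):
    """options maps a name to (annual cost in k USD, new p_event, new median_k).

    Returns [(name, net_benefit), ...] sorted best first, where net benefit is
    the reduction in expected annual loss minus the option's annual cost.
    """
    base = baseline.expected_loss()
    ranked = []
    for name, (cost, p_new, median_new) in options.items():
        new = LossModel(p_new, median_new, baseline.sigma)
        ranked.append((name, base - new.expected_loss() - cost))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed baseline: 40% chance of an incident per year, median loss 100k USD.
BASELINE = LossModel(p_event=0.40, median_k=100.0, sigma=1.2)

# Constructed options (hypothetical figures): cost per year, and the frequency
# (p_event) or severity (median loss) the control is assumed to leave behind.
OPTIONS = {
    "developer training": (15.0, 0.25, 100.0),       # fewer bugs shipped
    "manual security testing": (40.0, 0.15, 100.0),  # bugs found and fixed first
    "WAF subscription": (20.0, 0.38, 100.0),         # blocks some known patterns
    "encrypt everything": (10.0, 0.40, 80.0),        # same bugs, cheaper breaches
}

if __name__ == "__main__":
    for x in (0, 10, 50, 100, 500):
        print(f"P(loss > {x:3d}k USD) = {BASELINE.exceedance(x):6.1%}")
    print(f"expected annual loss: {BASELINE.expected_loss():.1f}k USD")
    for name, net in rank_investments(BASELINE, OPTIONS):
        print(f"{name:25s} net benefit {net:+7.1f}k USD per year")
```

With these constructed figures the two root-cause controls (training and testing) come out ahead and the WAF subscription is net negative; change the inputs and the ranking changes, which is the point of slide 8: the decision is an investment comparison, not a search for the product that "makes it secure".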
12. How to invest in software security
Buy a firewall and put all sensitive stuff behind it
Buy a WAF (Web Application Firewall)
Buy Static & Dynamic Application Security Testing tool
Deploy to AWS/GCP/Azure
Use military-grade encryption
Pay lawyers to carefully design EULA
Use a distributed ledger for transaction data storage
13. Wrong! It’s all about the root cause
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are no bugs
Find and fix all the bugs
14. But let’s be honest with ourselves
Put it all behind a firewall, it will be secure
WAF will stop all attacks, it will be secure
NG Super-Duper Security Scanner 3000 will find all bugs, it will be secure
Put it into “the cloud”, it will be secure
Encrypt all the data, it will be secure
Threaten to put all hackers to jail, it will be secure
Use the Blockchain (which is secure), it will be secure
Write code in a way that there are fewer bugs (not "no bugs")
Find and fix as many bugs as you can (not "all the bugs")
15. How to secure our software
1. WRITE CODE IN A WAY THAT THERE ARE FEWER BUGS
2. FIND AND FIX AS MANY BUGS AS YOU CAN
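Slides 13 to 15 reduce the whole programme to two activities: write code so that a bug cannot happen, and find and fix the bugs that do. The following is an added example, not code from the deck or from the author, showing both on one bug class: the same user lookup written so that attacker input becomes SQL text, then written with a parameterised query so that the bug is impossible by construction, plus a small test that sends hostile inputs at both and reports which one leaks rows. The schema, users and payloads are constructed sample data.

```python
"""Added example: one bug class removed by construction, and a test that finds it.

The in-memory SQLite table and the two users are constructed sample data.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_buggy(conn, name):
    # String-built SQL: whatever the caller passes as 'name' is parsed as SQL,
    # so a quote in the input changes the query instead of being matched.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, name):
    # Parameterised query: the driver binds 'name' as data, never as SQL text.
    # Written this way, the injection bug cannot occur for any input.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed hostile inputs: a benign name, a tautology, and a UNION read.
PAYLOADS = [
    "alice",
    "' OR '1'='1",
    "x' UNION SELECT name, email FROM users--",
]


def leaks(lookup, conn):
    """Return the payloads for which 'lookup' returns rows other than the
    exact-name match; this is the 'find the bug' half of slide 15."""
    all_rows = conn.execute("SELECT name, email FROM users").fetchall()
    leaking = []
    for payload in PAYLOADS:
        expected = [row for row in all_rows if row[0] == payload]
        try:
            got = lookup(conn, payload)
        except sqlite3.Error:
            got = []  # a crash on hostile input is a bug too, but not a leak
        if got != expected:
            leaking.append(payload)
    return leaking


if __name__ == "__main__":
    db = make_db()
    print("buggy lookup leaks on:", leaks(find_user_buggy, db))
    print("fixed lookup leaks on:", leaks(find_user_fixed, db))
```

The buggy version hands back every row for the two hostile payloads; the fixed version never does, and no amount of input filtering is needed to make that true. The test function is the cheap, repeatable kind of bug hunting the deck argues for: a few known-bad inputs, run on every build.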
31. Hard lessons from 40 years on earth
1. We move brain activities from System 2 to System 1 ASAP
2. True expertise = professional skill + deliberate practice
3. Expert intuition exists and it's in your System 1
The monkey knows the answer when the human doesn't know why.
32. Wicked vs Kind learning domains
Kind domain:
1. Patterns repeat
2. Feedback accurate and rapid
3. Rules of the game well-defined
Examples: classical music, aviation pilots, emergency room nurses, firefighters…
Security Testing
Wicked domain:
1. Patterns not obvious or repeating
2. Feedback delayed and inaccurate
3. Rules unclear and incomplete
Examples: improvisational jazz, surgeons, radiologists, financial & political analysts…
Secure Development
33. Hard lessons from 10 years in appsec
1. We cannot slow down the DEVs
2. We cannot prevent all bugs
3. We cannot automate efficient security testing
34. Bright side of things
1. With enough skilled hackers, we can move as fast as the DEVs
2. With enough practice, we can find and fix the most severe bugs
3. With enough expertise, we can train ourselves to do it automatically
35. Hopes for the future
One day we can automate bug hunting properly
One day the DEVs' monkey will learn to make fewer bugs
36. What we can do right now
- Web Application Hacker's Handbook
- PortSwigger Web Security Academy