API Vulnerabilities and What to Do About Them - Eoin Woods
The document provides an agenda and introduction for a presentation on API security. The agenda includes discussing the state of API security, introducing Software Security and OWASP, reviewing the top 10 API security risks, improving software security, and providing a summary. The introduction provides background on the presenter and an overview of Endava, the company he works for. It also lists Endava's global presence and industry expertise.
This session covers the most significant cybersecurity trends and future perspectives. As retailers and businesses, we should be better informed about this global issue. The link between cybersecurity and business continuity will be discussed as well. Additionally, the session covers how cybersecurity is perceived by the public.
The main parts of the presentation are:
• Cyber resilience trends
• The Link between cyber risk and business continuity
• What companies ARE doing and what they SHOULD be doing about the threat
• Lessons learned / case studies from recent attacks
Presenter:
Mr. Bevan Lane is a PECB partner and trainer. He has more than 16 years of experience as a consultant in information security, first with PwC and then as an independent consultant. Mr. Lane also has extensive experience in information security risk assessment training and has implemented solutions for major organizations across the globe.
Link of the recorded session published on YouTube: https://youtu.be/WQ-HYqCrRDQ
• Firewalls and border routers are still the cornerstone of perimeter security
• There will always be a place for VPNs
• Attacks occur at the application layer
• So ensure application security
Rothke RSA 2013 - Deployment Strategies for Effective Encryption - Ben Rothke
This document discusses effective strategies for deploying encryption. It emphasizes that encryption requires attention to detail, good design, and project management. It warns that many encryption roll-outs are incomplete solutions that lack proper key management, documentation, and processes. The document provides steps for developing an effective encryption strategy, including defining requirements, identifying sensitive data locations, and creating detailed implementation plans. It stresses that encryption is a process, not a product, and must be properly planned and managed.
This document discusses social engineering and related projects. It begins with an introduction to social engineering, defining it as manipulating people to take actions they normally wouldn't. It then discusses the Project SAVE, a Danish project that conducted reconnaissance and 185 social engineering attacks on 3 infrastructure companies, with a 47% success rate. It also discusses the Dogana project, an EU-funded effort to develop an advanced social engineering platform and test it in field trials. It concludes with speculation about future social engineering, such as fully automated Twitter spear phishing bots and ransomware targeting IoT devices and impacting physical systems.
Thinking like a hacker - Introducing Hacker Vision - PECB
This webinar will explain how to improve security by adopting the mindset of your opponent and 'seeing like a hacker'!
Main points covered:
• Introducing ways in which you can think like a hacker, and get into your attacker's mindset so that you can better identify and assess threats.
• How to use this thinking to improve your security controls - how effective are they? And how can you better test them for readiness?
• Visual examples to really lift the lid on what your attackers see, as 'hacker vision' gets you thinking in the mindset of a hacker.
• Examples covered will include physical security, Network security, as well as IoT security.
Presenter:
Our exclusive presenter, Mark Carney is a former pen tester and now a professional security researcher for Security Research Labs in Berlin, specializing in embedded systems and IoT. His background spans compliance testing, Red Teaming, full stack pen testing, and social engineering & physical access engagements.
Link to the recorded webinar: https://youtu.be/Fx2Ha8kIqgE
A New Security Management Approach for Agile Environments - PECB
The traditional approach for security management fails in agile development projects. We summarize the cause of this failure and propose a new Agile Security Engagement Model (ASEM) to solve the issues. This model is risk-driven, supportive and robust. It embraces important innovations, such as a security services catalogue and continuous monitoring. This way of working helps organizations to properly address information security in agile environments.
Main points that have been covered are:
• Four false assumptions that make the traditional security approach fail
• ‘Feet in the mud’ with the Agile Security Engagement Model (ASEM)
• Explanation of the innovations in this Agile Security approach
Presenter:
Pascal de Koning is a qualified information security professional. He has wide experience as a consultant and fills the role of security officer at various companies. Pascal is an active member of the Security Forum of The Open Group.
Link of the recorded session published on YouTube: https://youtu.be/08Se5Ta65v8
The document discusses security operation centers (SOCs) and their functions. It describes what a SOC is and its main purpose of monitoring, preventing, detecting, investigating and responding to cyber threats. It outlines the typical roles in a SOC including tier 1, 2 and 3 analysts and security engineers. It also discusses the common tools, skills needed for each role, and types of SOCs such as dedicated, distributed, multifunctional and virtual SOCs.
The document discusses shortcomings of traditional penetration testing and proposes an attacker emulation approach. It notes doctors once performed unnecessary medical procedures without understanding effectiveness. Similarly, penetration tests focus on finding bugs but not how real attackers operate. The document advocates profiling attacker groups, rebuilding their playbooks, replaying the playbooks against organizations, and using the results to strengthen defenses. It provides examples of how different attackers operate and argues this method could improve security assessments.
This document provides guidelines for elementary information security practices for organizations. It discusses basic steps organizations can take to improve security without spending much money. The guidelines are divided into sections on basic security, web application security, network/host security, and include recommendations such as using strong passwords, encrypting sensitive data, updating software regularly, conducting security awareness training, and closing unnecessary network ports. The overall aim is to help organizations identify and address common security mistakes and vulnerabilities.
This lecture covers the ethical hacking profession: job descriptions, responsibilities and duties, and the skills required to excel in the field.
The Incident Response Playbook for Android and iOS - Priyanka Aash
What is your mobile device incident response plan? If you cannot answer that question, you should attend this session. The session will cover the challenges in mobile, how and why it is different from traditional incident response, and the building blocks you can use to craft your own mobile incident response plan.
(Source: RSA USA 2016-San Francisco)
Effective Security Operation Center - presented by Reza Adineh
The document discusses how to effectively manage a cyber security operations center (SOC). It addresses questions about how to assess the effectiveness and maturity of a SOC, ensure sufficient threat detection capabilities through proper sensors and data collection, and utilize threat intelligence and data enrichment. The document also provides steps to implement threat management, incident response processes, and leverage machine learning and user entity behavior analytics to detect anomalous user behavior and insider threats.
Introduction and a Look at Security Trends - Priyanka Aash
The security industry has significantly changed over the last 25 years, as reflected in the content at RSA Conference. This introductory session will look at some of the major shifts, the economics that are driving the shifts, and the trends that are shaping current and future directions.
(Source: RSA USA 2016-San Francisco)
Peter B. Lange: Collaborative threat intelligence and actionable integration
http://www.infinit.dk/dk/nyheder-og-reportager/cyber-security-4-0-reportage.htm
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Advanced Persistent Threat Life Cycle Management
This presentation will cover the full Advanced Persistent Threat (APT) Life Cycle and Management of the resulting intrusions. It will cover both what the APTs are doing as attackers and what we as defenders should be doing for both the APT Mission Flows and the Computer Network Defense (CND) Mission Flows.
This document provides an overview of PCI compliance presented by Erika Powell-Burson. It covers the threat landscape including data breaches, PCI standards and requirements, key compliance areas, and milestones for achieving compliance. It emphasizes having proper documentation, access controls, encryption, logging, testing and monitoring. It provides tips such as prioritizing compliance goals, leveraging existing tools, inventorying systems, implementing firewalls and access controls, patching, and training employees. The document is intended to help organizations understand PCI compliance and provide a framework to work towards being compliant.
ASFWS 2013 - Cryptocat: recent challenges in making cryptography easier... - Cyber Security Alliance
Cryptocat's mission to make encrypted conversations accessible to the masses has been a success, but what are the cryptographic dangers and technical limitations?
With more than 65,000 regular users, Cryptocat has succeeded in making encrypted chat accessible to anyone who knows how to use Facebook Chat or Skype. But with accessibility, we have encountered many security problems that we need to address. This talk covers these challenges and why continued work on Cryptocat is necessary in light of them.
Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
This document outlines a presentation about security software given by Alexander Antukh. It introduces SEC Consult, who they are and what they do. It then covers what security software is, provides a historical review of different types of security software and how they have evolved. It poses the question of whether security software can have vulnerabilities itself. Examples are then given of vulnerabilities found in products from Symantec, F5, AppliCure and Sophos. Methods for identifying vulnerabilities like application testing, fuzzing and reverse engineering are discussed. The presentation concludes with an afterword and time for questions.
Proactive Measures to Mitigate Insider Threat - Priyanka Aash
The threat posed by rogue insiders affects every organization worldwide. The difficulties in balancing employees’ legitimate need to access corporate data along with the need to compartmentalize access are often in conflict. This presentation will walk through several real-world insider threat cases and discuss proactive measures that could have greatly mitigated the damage and losses.
(Source: RSA USA 2016-San Francisco)
The document discusses upcoming security challenges for the Internet of Things (IoT) and introduces Warden, an autonomous security solution developed by Delve Labs. Current security strategies are insufficient for IoT due to a shortage of security professionals and incomplete asset visibility. Warden uses artificial intelligence to autonomously perform continuous vulnerability assessments without human supervision, scaling to cover all IoT assets. It aims to mimic expert methodology while reducing false positives through deep learning. Warden generates data to help prioritize issues and integrate with other tools via APIs.
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
Bil Harmer - Myths of Cloud Security Debunked! - centralohioissa
Despite the meteoric rise of cloud based applications and services, as well as its subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”.
A recent global study by BT revealed that 76% of large organizations cited security as their main concern for using cloud-based services. 49% admitted being "very" or "extremely anxious" about the security complications of these services. However, according to Gartner, the reality is that "most breaches continue to involve on-premises data center environments".
Where do you stand on this issue?
In this talk, we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
Threat modeling web application: a case study - Antonio Fontes
Threat modeling is a technique to identify security risks in a web application before development. The speaker conducted a threat modeling exercise for a newspaper company developing a new paid electronic edition feature. He identified threats such as unauthorized access to paid content and financial data theft. Controls like access control, authentication, encryption, and logging were recommended to address these threats. The threat modeling process and results were documented in a report to guide secure development of the new feature.
Fraud Engineering, from Merchant Risk Council Annual Meeting 2012 - Nick Galbreath
This document discusses fraud engineering at Etsy. It begins by introducing the author, Nick Galbreath, and his background in security. It then provides context about Etsy as an online marketplace. It outlines different types of risk like fraud, security threats, and business continuity. It emphasizes thinking about risk from both a fraud and security perspective. The document then provides examples of how different parts of the organization like technical operations, quality assurance, product, business operations, engineering, and customer service can work together on fraud prevention and leverages their existing tools and resources. It also provides a case study example of investigating mysterious data center logins. The overall message is about taking a holistic organizational approach to fraud engineering.
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.
This document provides instructions for a lab on configuring and using the open source intrusion detection system Snort to detect network intrusions. The objectives of the lab are to install and configure Snort to monitor network traffic, log alerts to a syslog server, and detect attacks. Students will learn how to set up Snort, validate the configuration, test it by carrying out attacks, and analyze intrusion detection logs.
Web security – application security roads to software security nirvana iisf..., by Eoin Keary
Approaching Web Security, Secure application development and how to fix what matters. A useful talk for application developers and security experts alike.
Web security – everything we know is wrong (Eoin Keary), by drewz lin
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
Major security intrusions at businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really are.
Edith Turuka: Cyber-Security, An Eye Opener to the Society, by Hamisi Kibonde
The document discusses cyber security and provides an overview of key topics including reconnaissance techniques, corporate IT security policies, and recommendations. It begins with an introduction to cyber security concepts like confidentiality, integrity and availability. It then covers low-tech reconnaissance methods like social engineering, physical break-ins and dumpster diving, and their countermeasures. The document also discusses IT security policies and components of an effective policy. It concludes with recommendations around building national cyber security capacity and the importance of organizations having security policies.
Deception in Cyber Security (League of Women in Cyber Security), by Phillip Maddux
Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). This talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.
This document is a colloquium report on ethical hacking presented by Khushboo Aggarwal to the Department of Information Technology at ABES Engineering College in Ghaziabad, India in 2014-2015. The report provides an introduction to ethical hacking, describing what it is and its purpose. It discusses the different types of hackers, the methodology used in hacking, and some important ethical hacking tools. The report aims to increase understanding of ethical hacking and how systems can be better secured against vulnerabilities.
Presented on May 9, 2018 at SOURCE Conference Boston
(https://sourceconference.com/events/bos18/).
This version contains minor updates from previous presentations.
This talk will provide a quick overview of honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.
The document provides an overview of ethical hacking, including definitions, legal aspects, and certification programs. It describes the role of an ethical hacker as someone who performs penetration testing and security assessments with a company's permission to help identify vulnerabilities. Key points covered include common tools used in security testing, examples of legal and illegal activities, and various certification programs for security professionals like the Certified Ethical Hacker and CISSP certifications.
Are you ready for the next attack? Reviewing the SP Security Checklist, by APNIC
The document discusses the importance of using checklists to optimize security operations. It provides an initial security checklist for internet service providers (ISPs) to assess positive control, virtual terminal access control lists (VTY ACLs), vendor security partnerships, upgrade plans, IPv6 security, attack tree analysis, border gateway protocol (BGP) policies, DNS architecture resilience, and developing a security community. The checklist highlights key areas ISPs should review to strengthen their defenses against evolving cyber threats from criminals, hackers, and nation states. Regular use of such checklists is encouraged to proactively address vulnerabilities before exploits can be launched.
Are you ready for the next attack? Reviewing the SP security checklist (APNIC..., by Barry Greene
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages cyber-criminal innovation at the cost of business and individual losses throughout the world. We do not need a "Manhattan Project" for the security of the Internet. What we need are tools to help operators throughout the world ask the right questions that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our "security" economy, and present "take home" tools that would facilitate immediate action.
Enterprise Security Monitoring and Log Management, by Boni Yeamin
In today's presentation, we'll explore Security Onion, a powerful open-source platform designed to fortify your network security. Security Onion, much like its namesake vegetable, peels back the layers of your network traffic, enabling you to identify and address potential threats. We'll delve into its functionalities, core components, and the advantages it brings to your cybersecurity posture.
New challenges to secure the IoT (with notes), by Caston Thomas
The document discusses several key concepts regarding IoT security:
1. IoT security is not the same as BYOD security, as IoT encompasses a wider range of connected devices beyond just personal devices, including devices built into emerging technologies like smart home systems.
2. Many IoT devices have inherent security weaknesses like a lack of encryption, weak authentication, and inability to receive software updates. These weaknesses are similar to issues previously seen with wired devices and software.
3. Securing IoT requires a multi-pronged approach including education on risks, network segmentation, supplier certification of new devices, and using technologies to scan for and assess IoT security regularly. The complexity of interconnected IoT systems poses
Layer One 2011 - Joe McCray - You spent all that money and still got 0wned, by fangjiafu
This document discusses penetration testing approaches from the past compared to today. It notes that in the past, penetration testing was easier because networks had fewer security controls like firewalls and patches. The document then provides tips and techniques for identifying security controls like load balancers, intrusion prevention systems, and web application firewalls that may be in place on modern networks. It also discusses ways to potentially bypass these controls like using encryption, proxies, or virtual private networks.
FBI & Secret Service - Business Email Compromise Workshop, by Ernest Staats
Compiled some open source and other tools that I have used for BEC/EAC protection, security, & training. I had a great time sitting on the panel with other members.
Similar to IT Security Days - Threat Modeling (20)
This document summarizes an OWASP training session on integrating security and privacy into web application projects. It discusses what OWASP is and its goals of open web application security. It then outlines the agenda and modules to be covered in the training, which include security best practices for the inception, design, coding, and post-coding phases of a web application project. The training aims to help participants understand security risk management and how to incorporate security and privacy into each phase of the development lifecycle.
Securing your web apps before they hurt the organization, by Antonio Fontes
This document summarizes a presentation on securing web projects. It discusses how vulnerabilities commonly occur during design, implementation, and deployment phases due to issues like incomplete specifications, lack of security requirements analysis, coding mistakes, and insecure default configurations. The presentation covers common web attacks, secure development principles, and steps organizations can take to move from a reactive to proactive security posture.
Source code security review challenge at Confoo 2012 - Montreal (confoo.ca)
The audience was challenged in attempting to spot security vulnerabilities in a series of source code examples.
This document summarizes a presentation on web security given at the Confoo Conference in 2012. The presentation was given by Antonio Fontes from L7 and David Mirza from Subgraph. They discussed the history of web attacks moving from host/network intrusion to modern vulnerabilities like XSS and SQL injection. They explained that all business logic and data is now on the web, making it the main target for attacks. The motivations for these attacks include money, ideology, fame, and supporting other criminal activities. They outlined the impacts such as financial costs, reputation damage, and legal/compliance issues. Finally, they provided recommendations on technical controls like web application testing and process controls like secure development practices and training to help address these ongoing
Security in outsourcing contracts for development services and ..., by Antonio Fontes
Preparing security from the contractual phase onwards in outsourcing projects involving web applications: development, cloud hosting and rental (SaaS)
GRI/CLUSIS symposium on the role of the state in the cybersecurity of Swiss companies / 27 May 2011
Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original PowerPoint slides can be downloaded and re-used under the following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
The top 10 web application intrusion techniques, by Antonio Fontes
The document discusses the top 10 attack techniques used by hackers to compromise web applications, as presented by Antonio Fontes at the Confoo 2011 conference. The techniques are: 1) Injecting code inside the system, 2) Attacking client systems, 3) Attacking authentication and session systems, 4) Exploiting direct object references, 5) Controlling a 3rd party browser, 6) Exploiting an insecure configuration, 7) Breaking weak cryptography. For each technique, the objective, strategy, and potential impacts are described, along with examples and checks developers can perform to prevent attacks.
An update on the context and motivations behind the cyberattacks referred to in the press.
Audience: legal (lawyers, legal advisors, etc.)
Technical level: low
Location: 2 December 2010, Faculty of Law at the University of Geneva
Info:
http://lexgva.ch/index.php?subaction=showfull&id=1290112460
You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" while very efficient activities that you can already do by yourself?
Agenda:
- Understanding the need for information security and privacy
- Secure design: key principles
- Threat modeling and analysis: building your first threat model and identifying the major risks in your web application
- Testing the security of your web application
- Understanding the big picture: what is a secure SDLC
- Cheap and efficient security activities that can be started immediately in your SDLC
By the end of March, the OWASP foundation will release the 2010 version of its major documentation project, the "Top 10 security risks in web applications."
Agenda:
- The 10 most common web application attacks
- Discovering the OWASP Top 10 document
- Integrating the Top 10 within an existing SDLC, as a software vendor, or a software buyer.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application..., by Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
"Choosing proper type of scaling", Olena Syrota, by Fwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
AppSec PNW: Android and iOS Application Security with MobSF, by Ajin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers, by akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an..., by Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Main news related to the CCS TSI 2023 (2023/1695), by Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Session 1 - Intro to Robotic Process Automation.pdf, by UiPathCommunity
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program:
https://bit.ly/Automation_Student_Kickstart
In this session, we shall introduce you to the world of automation, the UiPath Platform, and guide you on how to install and setup UiPath Studio on your Windows PC.
📕 Detailed agenda:
What is RPA? Benefits of RPA?
RPA Applications
The UiPath End-to-End Automation Platform
UiPath Studio CE Installation and Setup
💻 Extra training through UiPath Academy:
Introduction to Automation
UiPath Business Automation Platform
Explore automation development with UiPath Studio
👉 Register here for our upcoming Session 2 on June 20: Introduction to UiPath Studio Fundamentals: https://community.uipath.com/events/details/uipath-lagos-presents-session-2-introduction-to-uipath-studio-fundamentals/
Introduction of Cybersecurity with OSS at Code Europe 2024, by Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf, by Chart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
5th LF Energy Power Grid Model Meet-up Slides, by DanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Microsoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
- Insightful presentations covering two practical applications of the Power Grid Model.
- An update on the latest advancements in Power Grid Model technology during the first and second quarters of 2024.
- An interactive brainstorming session to discuss and propose new feature requests.
- An opportunity to connect with fellow Power Grid Model enthusiasts and users.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
What is an RPA CoE? Session 1 – CoE Vision, by DianaGray10
In the first session, we will review the organization's vision and how this has an impact on the CoE structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect, Anika Systems
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency, by ScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Must Know Postgres Extension for DBA and Developer during Migration, by Mydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow the links below.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
IT Security Days - Threat Modeling
1. Threat Modelingidentifying threats in your webapp before coding: a case study Antonio FontesLength: 45+15 minutes IT Security Days – March 16th 2011 Yverdon-Les-Bains
2. Speaker info Antonio Fontes Owner L7 Sécurité (Geneva, Switzerland) 6+ years experience in information security Lecturer at HEIG-VD Fields of expertise: Web applications defense Security in the development lifecycle Threat modeling & risk management OWASP: Chapter leader – Geneva Board member - Switzerland L7 Sécurité - http://L7securite.ch 2
3. My objectives for today: You understand the concept of threat modeling You can build a basic but still actionable threat model for your web application You know when you should build a threat model and what you should document in it This new technique helps you feel more confident about the security of your web application. L7 Sécurité - http://L7securite.ch 3
5. Case study A local pediatrician is constantly receiving phone calls (and messages on Facebook) from desperate parents, outside cabinet hours. L7 Sécurité - http://L7securite.ch 5
6. Case study He hired an assistant but he refuses to answer late evening phone calls (and apparently, law is on his side…) He tried hiding his personal phone number (and configuring his Facebook profile to hide his phone number) but parents keep finding ways to contact him outside regular hours. L7 Sécurité - http://L7securite.ch 6
7. Case study He has a stunning idea: building a webapp for managing his appointments! L7 Sécurité - http://L7securite.ch 7
8. Case study Basically, he just wants his clients to be able at any time (night and day): to schedule for an appointment at the closest free slot available to describe a few symptoms, to help him, if necessary, reschedule the appointment or even contact the family back (in case it looks worse than it appears). L7 Sécurité - http://L7securite.ch 8
9. Case study He contacts a local web agency and describes his need. The web agency accepts to build the solution. (easy job, easy money!) They actually just started designing the system on last Monday… L7 Sécurité - http://L7securite.ch 9
10. Case study It happens (by total chance) that the pediatrician attend the IT Security Days #1 conference He heard about pesky guys, who hack into web applications seeking chaos by destroying databases, stealing personal data and selling it on a black market to large corporations that want to control the world! L7 Sécurité - http://L7securite.ch 10
11. Case study He also meets a guy, who tells him about an obscure technique called threat modeling. He says it might help project teams detecting major threats and appropriate countermeasures to their web applications at design time. L7 Sécurité - http://L7securite.ch 11
12. Case study L7 Sécurité - http://L7securite.ch 12 He suddenly realises that the web agency did not talk a lot about security the other day...
13. Case study He hires you, for one day. Your job is to observe the project, gather information,and eventually, issue some recommendations... L7 Sécurité - http://L7securite.ch 13
15. 1. Describe (understand) the system What is the business requirement behind it? What role is the system playing in the organization? Will it bring money? Will it be the main revenue source? Is the system processing online transactions? Is it storing/collecting sensitive/private information? Should it be kept always online or is it okay if it stops sometimes? Is the business exposed to particular data regulations? (Privacy? Healthcare? Food? Drugs? Legal? Financial?) L7 Sécurité - http://L7securite.ch 15
16. "The system is not built to generate revenue." "It is not processing orders." "It just allows my clients to schedule for an appointment. " "Oh yes, and also provide some basic information on the case (symptoms)." L7 Sécurité - http://L7securite.ch 16
17. 1. Describe (understand) the system: What brings you here?
20. "I never had a website for my practice." (well, I think…) "I just don't want a bad thing to happen when this service comes online." "No, I don't really know of particular regulatory requirements…"
21. 1. Describe (understand) the system: Let's add the developer and the architect to the discussion…
22. 1. Describe (understand) the system: What will the system look like? Technologies? Architecture? Functionalities? Components? What will be the typical use cases?
23. "It's a standard web project: a frontend application connected to a backend database." "Users must create a profile with basic personal information (patient name/last name, parent name/last name, address, email address, phone numbers, username, password)." "Once they have logged in, they can schedule an appointment."
24. 1. Describe (understand) the system: What will be its typical usage scenarios? Visitors? Members? Other doctors? Access from outside? How will users be authenticated? Where will the system be hosted? Where will users connect from, and where will the doctor connect from?
25. "Users can connect and see their appointments, edit their info or cancel them." "The practice will use a supervising access, which has a full view of the agenda and can access the details of every appointment." "Authentication is by username/password." "The credentials will be stored securely." "The system will be hosted on our web farm."
26. "I will connect from work! Of course!" …"Okay, and sometimes from home. If I can…"
35. 1. Describe (understand) the system: What are the assets of highest value? Is there sensitive/private/proprietary/regulated information anywhere? Where are credentials stored? Are there any financial flows? Is one of these components critical for your business? Does the system have access to (is it connected to) other, more sensitive systems?
36. "The accounts database contains personal information about my customers and patients." "The accounts database contains credentials." "Money doesn't flow through the application." "If they can't reach it, they will call me…" "They also host other customers' databases on the same network."
37. 1. Describe (understand) the system: How many occurrences of these assets are you expecting in, say, two years? (We are gathering volumetric data here.)
38. "In two years? I'd say 200-400 families entered in the system. 2,400 appointments. And 400 urgent appointments…"
40. 2. Identify potential threat sources: Given what we know, who might be interested in compromising your system? Who wants to steal the data? Who wants to sell it? Who wants to corrupt it? Who wants to stop it?
45. 2. Identify potential threat sources: Information can also come directly from the customer. In information-critical organizations, some managers have access to undisclosed threat information (national level, international level, industry level, etc.). Don't forget to ask: "Yeah, there is another pediatrician who recently moved here…"
47. 3. Identify major threat scenarios: What would be (really) bad for the business? Which threat source would trigger that scenario? How would she/he/they proceed technically? What would be the impact for my business? Shameful (bad news)? Bad (financial loss)? Catastrophic (end of my world)? Some helpers: think about threats induced naturally by the technology itself; think about what the CEO really doesn't want; think AIC: availability, integrity, confidentiality.
53. 4. Document what you found (aka "opportunities for risk mitigation")
54. 4. Document the opportunity: document the threats we identified and the controls which prevent these threats from being exercised by the threat sources. Recommend and prioritize: what absolutely must be done? In what order?
55. 4. Document the opportunity
59. Conclusion: TM seems imprecise, inexact, undefined. It requires a good understanding of the business case, good knowledge of web application threats, and common sense. It can be frustrating the first times…
60. Conclusion: Repeating the basic process a few times quickly brings good results: 1. Characterize the system; 2. Identify the threat sources; 3. Identify the major threats; 4. Document the countermeasures; 5. Transmit (translate) to the team.
61. Conclusion: "Who should make the TM?" Theoretically: the design team. Practically: an appsec person with good knowledge of internet threats and web attack techniques, and the ability to understand what is important for the business under assessment, will definitely set the "efficiency" attribute.
62. Conclusion: "When should I make a TM?" Sometime is good; early is better. If the objective is to avoid implementing poor code, do it at design time. After v1 is online, when new data "assets" appear in the data-flow diagram it is usually a good sign to update the TM (yes, it can be updated!). If you conduct risk-driven vulnerability assessments or code reviews, the TM will help.
65. Conclusion: TMing can be performed from an asset perspective (the asset-centric approach, what we did today). It can be performed from an attacker perspective (the attacker-centric approach): who would attack the system, with what means?
66. Conclusion: TMing can also be performed according to the system description (the system-centric approach), the most detailed and rigorous technique: use threat identification tools such as STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), threat classification tools such as DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability), and structured DFD analysis (see next slide).
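Added example, not code from the L7 Sécurité presentation: a small, system-centric threat model of the appointment site described in the talk, carrying the five-step process of slide 60 (characterize, threat sources, major threats, documented countermeasures, hand-over to the team) through the STRIDE and DREAD tools of slide 66. The DFD elements, scenarios, DREAD scores, controls and the 7.5 "must do" threshold are constructed for illustration; the STRIDE-per-element mapping is the Microsoft SDL one, and the DREAD rating is the classic mean of the five 1..10 scores.

```python
# Added example (not from the L7 Sécurité deck): a system-centric threat model
# of the pediatrician's appointment site, steps 1-4 of the talk with STRIDE
# and DREAD. All elements, scenarios, scores and controls are constructed.
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


# STRIDE-per-element (Microsoft SDL mapping): which categories are worth
# considering for each kind of DFD element. Data stores get Repudiation
# because tampering with stored logs/records defeats accountability.
STRIDE_PER_ELEMENT = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_trust_boundary: bool = False   # e.g. Internet -> hosting web farm


@dataclass(frozen=True)
class Threat:
    element: str
    category: str        # one STRIDE letter
    scenario: str
    dread: tuple         # (Damage potential, Reproducibility, Exploitability,
                         #  Affected users, Discoverability), each 1..10
    control: str

    def __post_init__(self):
        if len(self.dread) != 5 or not all(1 <= d <= 10 for d in self.dread):
            raise ValueError("DREAD needs five scores in 1..10")

    @property
    def score(self) -> float:
        # Classic DREAD rating: mean of the five 1..10 scores.
        return sum(self.dread) / 5


# Step 1: the system as the customer and the developer described it (constructed DFD).
ELEMENTS = [
    Element("Patient browser", Kind.EXTERNAL),
    Element("Doctor (supervising access)", Kind.EXTERNAL),
    Element("Web frontend", Kind.PROCESS, crosses_trust_boundary=True),
    Element("Login/profile form -> frontend", Kind.FLOW, crosses_trust_boundary=True),
    Element("Accounts DB", Kind.STORE),
]


def enumerate_candidates(elements):
    """Step 3, mechanically: every (element, STRIDE category) pair to consider.
    Elements on a trust boundary come first, since that is where attacks enter."""
    ordered = sorted(elements, key=lambda e: not e.crosses_trust_boundary)
    return [(e.name, c) for e in ordered for c in STRIDE_PER_ELEMENT[e.kind]]


# Step 3, with judgement: the scenarios that would really hurt this business (constructed).
THREATS = [
    Threat("Accounts DB", "I",
           "SQL injection in appointment lookup dumps patient data and credentials",
           (9, 8, 7, 9, 8), "Parameterised queries; store passwords as salted slow hashes"),
    Threat("Web frontend", "S",
           "Password guessing against the doctor's supervising account",
           (8, 9, 8, 5, 9), "Rate limiting and lockout; strong password or MFA for supervising access"),
    Threat("Login/profile form -> frontend", "I",
           "Credentials and patient details sent over plain HTTP, sniffed on shared Wi-Fi",
           (8, 9, 6, 7, 8), "TLS for the whole site, HSTS, Secure flag on the session cookie"),
    Threat("Web frontend", "D",
           "Flooding the scheduler so patients cannot book (they phone instead)",
           (3, 8, 7, 9, 8), "Request rate limiting at the web farm; accept as low impact"),
    Threat("Accounts DB", "I",
           "Another tenant on the shared hosting network reaches the database port",
           (9, 4, 4, 9, 3), "Firewall the DB to the frontend host only; no shared DB credentials"),
]


def prioritize(threats, must_do_at=7.5):
    """Step 4: order threats by DREAD score; flag those that must be fixed first.
    The threshold is an assumption to agree with the customer, not a standard."""
    ranked = sorted(threats, key=lambda t: t.score, reverse=True)
    return [(t, t.score >= must_do_at) for t in ranked]


def document(threats):
    """Steps 4 and 5: the lines handed to the team, highest priority first."""
    lines = []
    for rank, (t, must) in enumerate(prioritize(threats), start=1):
        flag = "MUST" if must else "should"
        lines.append(f"{rank}. [{flag} {t.score:.1f}] {t.element} / "
                     f"{STRIDE_NAMES[t.category]}: {t.scenario} -> {t.control}")
    return lines


if __name__ == "__main__":
    print(f"{len(enumerate_candidates(ELEMENTS))} element/category pairs to review")
    print("\n".join(document(THREATS)))
```

Running it lists the 17 element/category pairs that the STRIDE-per-element mapping says are worth a look (the two boundary-crossing elements first), then the five documented threats in DREAD order with the MUST/should split, which is the "what absolutely must be done, in what order" answer of slide 54. The mechanical enumeration is what keeps the model from missing the shared-hosting scenario the customer only mentioned in passing; the judgement is in the scores and controls, which stay subjective and should be revised when a new asset appears in the DFD.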
69. Conclusion: "What should I document in a TM?" Basically, what you think is right; there is no rule (yet). TMing is never absolute: if you spend days writing a threat model for a single web app, there might be a problem… Remember that threat modeling is often a way of both formalizing and engaging on the most important controls, which might otherwise be forgotten later.
70. Conclusion: "Your example was really 'basic'. How can I reach the next level?" Practice your DFD drawing skills; stay updated on new web attacks, threats and intrusion trends; read feedback from field practitioners (some good references are provided at the end of the presentation); standardize your technique: ISO 27005, Information security risk management (§8.2); NIST SP 800-30, Risk management guide (§3).