Latinoware 2019 - Securing Clouds Wide Open

•Download as PPTX, PDF•

1 like•130 views

The document discusses securing clouds and some of the security challenges with cloud computing. It begins with an introduction of the presenter and their background. Several examples of common security issues with cloud environments are demonstrated, such as exposed credentials, open S3 buckets, and exposed EC2 services. The presentation emphasizes the importance of credentials and understanding cloud resources. It concludes that the most secure environment is one with the best understanding of deployed resources.

Technology

Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.
Securing Clouds
Wide Open
Felipe “Pr0teus” Espósito, Senior Researcher
@pr0teusbr
Foz do Iguaçu, 27 de Novembro de 2019

The document discusses the speaker's journey from an infrastructure background to embracing DevOps culture. It describes how the speaker initially distrusted developers due to siloed work processes. Through experiences on both the development and infrastructure sides, the speaker learned the importance of collaboration between teams. The speaker advocates that DevOps requires cross-functional skills and a mindset of working as a team rather than separate roles. True DevOps culture change involves both technical automation and shifting organizational processes and mindsets.

Business Of Open Source

Liza Kindred

Deepfake Videos on the Rise: Examining the Alarming Concerns

bluetroyvictorVinay

Ceh v8 labs module 11 session hijacking

Asep Sopyan

This document provides an overview of a lab on session hijacking using the Zed Attack Proxy (ZAP) tool. The objective is to help students learn about session hijacking and how to defend against it. In the lab, students will intercept and modify web traffic by simulating a Trojan that modifies a workstation's proxy settings using ZAP. ZAP is designed for penetration testing and allows intercepting proxy functionality and automated scanning to test for weak session IDs and insecure handling.

Deep Dark Web - How to get inside?

Anshu Prateek

This document provides an overview of the deep web and dark web. It defines the deep web as parts of the internet not indexed by traditional search engines, while the dark web can only be accessed through tools like Tor and cannot be accessed by normal browsers. It explains how to access the dark web safely using Tor, discusses staying secure by avoiding JavaScript, updating browsers daily, and using secure passwords. Overall, the document aims to explain what the deep/dark web are and how to safely explore the dark web.

Losing battles, winning wars

Rafal Los

When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game”. Additionally, “active defense” has been hopelessly confused by marketing hype even though its meaning is powerful to security’s operational goals. This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.

Dev oops slashing the find-fix cycle

OrcaConfig.com

TLS State of the Union

Sander Temme

This document summarizes the state of TLS and SSL security. It discusses how the Heartbleed vulnerability exposed vulnerabilities in over 60% of websites. It also discusses increased efforts to improve TLS security like the Linux Foundation providing funding to OpenSSL and the rise of free certificate authorities like Let's Encrypt. The document advocates for best practices like enabling forward secrecy, moving to TLS 1.3, and avoiding SHA-1 certificates.

Today’s WordPress environment generally results in numerous organisations managing either our data or the hardware and software that it relies upon. Although we subcontract out parts of our WordPress infrastructure we are still accountable for the data processed by our Websites. This talk takes a look at a typical WordPress set up and follows the journey that a user’s data might take and some potential threats at each point on its journey. It looks at what we can do to minimise our exposure to risk of outsourcing management of our infrastructure, the considerations we should make and what questions we should be asking of our hosts.

Webinar: Insights from CYREN's Q1 2015 Cyber Threats Trend Report

Cyren, Inc

This document summarizes a CYREN CyberThreat Report from April 2015. It discusses several cybersecurity topics from the first quarter of 2015, including a watering hole attack on Forbes.com, advanced blackhat search engine optimization techniques called SEOHide, the continuing rise of macro malware, lessons learned from security breaches at Slack and HipChat, and how secure hashed passwords are. It also provides statistics on Android threats, phishing, and spam for Q1 2015. The document is intended to discuss current cybersecurity issues and threats based on CYREN's threat intelligence gathered from over 500,000 global data points.

What is so special about working with Digital Natives - the good, the bad & t...

Lukas Ritzel

All Day DevOps: Calling Out A Terrible On-Call System

Molly Struve

Back when our team was small, all the devs participated in a single on-call rotation. As our team started to grow, that single rotation became problematic. Eventually, the team was so big that people were going on-call every 2-3 months. This may seem like a dream come true, but in reality, it was far from it. Because shifts were so infrequent, devs did not get the on-call experience they needed to know how to handle on-call issues confidently. Morale began to suffer and on-call became something everyone dreaded. We knew the system had to change if we wanted to continue growing and not lose our developer talent, but the question was how? Despite all of the developers working across a single application with no clearly defined lines of ownership, we devised a plan that broke our single rotation into 3 separate rotations. This allowed teams to take on-call ownership over smaller pieces of the application while still working across all of it. These individual rotations paid off in many different ways. With a new sense of on-call ownership, the dev teams began improving alerting and monitoring for their respective systems. The improved alerting led to faster incident response because the monitoring was better and each team was more focused on a smaller piece of the system. In addition, having 3 devs on-call at once means no one ever feels alone because there are always 2 other people who are on-call with you. Finally, cross-team communication and awareness also drastically improved with the new system.

The Business Of Open Source

Liza Kindred

This document discusses open source and how businesses can adopt open source principles. It defines open source as allowing free redistribution, access to source code, and derived works. Open source principles include no discrimination against people or fields of endeavor. The document outlines 10 criteria for open source software licenses and provides examples of how businesses can implement more openness and collaboration in their business models.

KEEPKEY AND TREZOR: BITCOIN VAULTS IN YOUR POCKET

Steven Rhyner

Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...

Steve Werby

20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline…which sometimes has a seat at the table. This talk explores what we’re doing wrong, why it’s ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!

Public Vs. Private Keys

101 Blockchains

The public key is used to encrypt the data. As it can be openly distributed, it’s called a public key. Once a public key encrypts the data, no one can use the public key to decrypt the data. On the other hand, the private key is used to decrypt the data. As it can’t be openly distributed but needs to be kept a secret, that’s why it’s called a private key. In symmetric cryptography, the private key can encrypt and decrypt data. Public and private keys both have their special objectives and uses in cryptography. As for public vs. private keys, we will discuss some key factors to better understand the situation. These are - working mechanism, performance, visibility, type, sharing, and storing. To help you better understand the differences between a public key and a private key, 101 Blockchain offers exclusive courses. These courses will help you understand the principle behind both encryption types and make it easier for you to incorporate these in your blockchain project. The following course will help you stay on top of the game -> Blockchain Like a Boss masterclass https://academy.101blockchains.com/courses/blockchain-masterclass Learn more about the certification courses from here -> Certified Enterprise Blockchain Professional (CEBP) course https://academy.101blockchains.com/courses/blockchain-expert-certification Certified Enterprise Blockchain Architect (CEBA) course https://academy.101blockchains.com/courses/certified-enterprise-blockchain-architect Certified Blockchain Security Expert (CBSE) course https://academy.101blockchains.com/courses/certified-blockchain-security-expert Learn more from our guides -> https://101blockchains.com/private-key-vs-public-key/ https://101blockchains.com/public-key-cryptography-in-blockchain/ https://101blockchains.com/public-key-cryptography/

Generating and developing idea: Function

Caksback

This document provides guidance on generating and developing design ideas while considering function. It emphasizes that as designers, all aspects of the design elements must be considered before reaching a final solution. Examples are provided to demonstrate how to develop ideas in terms of function. Designers are instructed to research alternative ways of achieving the same function and evaluate sketches to select the best idea. Reflection questions are included to help designers thoroughly develop their ideas while considering factors like safety, user experience, and technology.

Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...

EC-Council

Online Privacy & Computer Security Basics (September 2017)

Kit O'Connell

In today's charged atmosphere, activists (and anyone who is politically active) are targeted for surveillance, hacking, and even threats to their safety from police, the government, hackers, even white surpemacists. This introductory class explains the basics of computer security and offer tips on protecting your privacy online. We talked about using encryption to communicate with your friends and comrades, how to select passwords and use a password manager, the basics of Virtual Private Networks, and other introductory topics.

[Workshop] Getting Started with Cryptos, NFTs & Web 3.0 for Absolute Beginners

Hessan Adnani

We are experiencing massive trends in Cryptos, NFTs, and Web 3.0 everywhere, and sooner or later, we all need to adapt to these new technologies. The DotCom Boom is repeating itself. We have two choices: to wait and be forced to learn about the Cryptos/NFTs when it's too late or to know it now and ride the current waves of opportunities. In this workshop, we will get you started with Cryptos and NFTs, even if you're an absolute beginner with no technical background. We will be discussing: The fundamentals of blockchain technology and how Cryptocurrencies, NFTs, and Web 3.0 work Setting up your digital wallet Understanding the Cryptos and NFTs markets How to keep your assets safe and spot scams How to buy and store cryptocurrency How to buy your first NFT How to spot opportunities Essential investment mindset when it comes to the Crypto world Crypto communities And many more...

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

Startup pitch deck series 1 of 7: How can i get my startup funded

SlideBlueprint.com

This document outlines the roadmap for getting startup funding. It begins with sending an introductory email to investors, who may then ask for a pitch deck. An appealing pitch deck should then be sent by email. If the investor shows interest through follow-up questions, it could lead to a scheduled meeting. The meeting typically involves a 15-20 minute pitch presentation followed by Q&A. Additional meetings may then occur, potentially culminating in receiving funding. The document also advertises a startup pitch toolkit that can save founders time in developing the content and design of a winning pitch deck.

Get started with hacking

Ham'zzah Mir-zza

This document provides an overview of how to get started with penetration testing, also known as hacking. It recommends developing skills in programming languages like Python and C, networking concepts like TCP/IP, using Linux instead of Windows, learning cryptography, and staying anonymous by using a VPN or proxy. Kali Linux is mentioned as a starting point but the document cautions that it does not make someone a hacker on its own and recommends learning to configure hacking tools independently.

Your e image presentation 2

opiedog1

This document discusses digital footprints and online ethics. It begins by explaining that students should understand how to safely and responsibly use the internet to create a positive digital footprint. It then provides two codes of ethics for computer and internet use - the Ten Commandments of Computer Ethics and the High School/University Code of Ethics. Both codes outline responsible behaviors around topics like privacy, property, honesty and respect. The document concludes by asking students to consider what kind of digital footprint they are creating and stresses the importance of only posting online what they would be proud of in the future.

Webinar: Is your web security broken? - 10 things you need to know

Cyren, Inc

So You Want to be a Hacker?

Christopher Grayson

Top 10 cryptocurrency security tips for 2019

Blockchain Council

Cybersafety

Tom Waspe Teach

Internet safety, also called online safety or cyber safety, involves protecting individuals and their information when using the Internet. It includes protecting against fraud and dangers from contact with others or accessing inappropriate content. Common dangers for children online include interacting with strangers in chat rooms, accessing unsuitable material, and cyberbullying. Education, parental controls, and awareness of risks can help promote internet safety.

us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...

Tenchi Security

Attackers do not always land close to their objectives (data to steal). Consequently, they often need to move laterally to accomplish their goals. That is also the case in cloud environments, where most organizations are increasingly storing their most valuable data. So as a defender, understanding the possibilities of lateral movements in the cloud is a must. Because the control plane APIs are exposed and well documented, attackers can move between networks and AWS accounts by assuming roles, pivoting, and escalating privileges. It is also possible for attackers to move relatively easily from the data plane to the control plane and vice-versa. In this talk, we are going to explore how attackers can leverage AWS Control and Data Planes to move laterally and achieve their objectives. We will explore some scenarios that we discovered with our clients and how we approached the problem. We will also share a tool we created to help us visualize and understand those paths.

Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...

Tenchi Security

Slides of the talk presented at DEF CON Cloud Village on August 12th, 2022 by Alexandre Sieira. Contains research content from Glaysson Tomaz and Marcelo Lima as well. Recently the Conti ransomware group internal chat leaks was fascinating reading. Among other things, it reminded us that both well-intentioned and malicious actors are constantly trying to find ways to find vulnerabilities and develop exploits to widely used IT products. This is particularly true those that are externally exposed firewalls, VPNs and load balancers, or security products that might thwart their techniques and tools. The timeline from the chats seems to show a gap of several months between Conti members trying to procure either appliances or commercial software that they were trying to get for these purposes. This got us thinking about how the major cloud service providers these days have marketplaces where you can easily buy virtual appliances or SaaS licenses for lots of widely used IT and security products with little more than a valid credit card, in minutes. And we decided to check how feasible it is to use this to conduct vulnerability research. In this presentation we will show what kind of access one can get to the internals of IT and security products using these marketplaces, particularly in the case of products only typically offered in hardware appliances. Which cloud providers try to prevent this sort of activity, how they do it, which ones simply don't care, and what techniques we were able to use to access these appliance's internals. The objective here is threefold: 1) help well intentioned vulnerability researchers find an easier avenue to do their work; 2) allow cloud providers to get a better understanding of how their marketplaces can be abused and which controls they could implement to mitigate that risk, and 3) let IT and security vendors realize the added exposure of publishing their products on these marketplaces.

Similar to Latinoware 2019 - Securing Clouds Wide Open

Follow the data

mainplus

Webinar: Insights from CYREN's Q1 2015 Cyber Threats Trend Report

Cyren, Inc

What is so special about working with Digital Natives - the good, the bad & t...

Lukas Ritzel

All Day DevOps: Calling Out A Terrible On-Call System

Molly Struve

The Business Of Open Source

Liza Kindred

KEEPKEY AND TREZOR: BITCOIN VAULTS IN YOUR POCKET

Steven Rhyner

Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...

Steve Werby

Public Vs. Private Keys

101 Blockchains

Generating and developing idea: Function

Caksback

Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...

EC-Council

Online Privacy & Computer Security Basics (September 2017)

Kit O'Connell

[Workshop] Getting Started with Cryptos, NFTs & Web 3.0 for Absolute Beginners

Hessan Adnani

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

Startup pitch deck series 1 of 7: How can i get my startup funded

SlideBlueprint.com

Get started with hacking

Ham'zzah Mir-zza

Your e image presentation 2

opiedog1

Webinar: Is your web security broken? - 10 things you need to know

Cyren, Inc

So You Want to be a Hacker?

Christopher Grayson

Top 10 cryptocurrency security tips for 2019

Blockchain Council

Cybersafety

Tom Waspe Teach

Similar to Latinoware 2019 - Securing Clouds Wide Open (20)

Follow the data

Webinar: Insights from CYREN's Q1 2015 Cyber Threats Trend Report

What is so special about working with Digital Natives - the good, the bad & t...

All Day DevOps: Calling Out A Terrible On-Call System

The Business Of Open Source

KEEPKEY AND TREZOR: BITCOIN VAULTS IN YOUR POCKET

Bad Advice Unintended Consequences and Broken Paradigms - Think && Act Differ...

Public Vs. Private Keys

Generating and developing idea: Function

Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...

Online Privacy & Computer Security Basics (September 2017)

[Workshop] Getting Started with Cryptos, NFTs & Web 3.0 for Absolute Beginners

Why isn't infosec working? Did you turn it off and back on again?

Startup pitch deck series 1 of 7: How can i get my startup funded

Get started with hacking

Your e image presentation 2

Webinar: Is your web security broken? - 10 things you need to know

So You Want to be a Hacker?

Top 10 cryptocurrency security tips for 2019

Cybersafety

More from Tenchi Security

us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...

Tenchi Security

Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...

Tenchi Security

Hunting for AWS Exposed Resources

Tenchi Security

Like all major public cloud providers, AWS allows users to expose managed resources like S3 buckets, SQS queues, RDS databases, and others publicly on the Internet. There are legitimate uses for making resources public, such as publishing non-sensitive data. However, we often find that this functionality is mistakenly used, often due to a lack of cloud security expertise, to erroneously expose sensitive data. News of exposed S3 buckets are sadly very frequent in the specialized media. It is important to note, however, that there are many other relevant kinds of AWS resources that can be equally dangerous when publicly exposed but that doesn't get nearly as much scrutiny as S3 buckets. In this talk we are going to describe some of the methods that researchers and attackers use to discover and exploit these publicly exposed resources, and how cloud providers and defenders can have taken action to monitor, prevent and respond to these activities. Presented at DEF CON 29 Cloud Village.

The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...

Tenchi Security

Serverless applications are a really interesting new trend that promises benefits such as increased scalability and reduced cost. Frameworks like Serverless Application Model (SAM) and Serverless Framework are increasingly used to build them. APIs are a natural part of serverless applications, and in AWS that typically is implemented using the AWS API Gateway backed by Lambdas that implement the actual API endpoint logic. Our research focused on API Gateway Lambda Authorizers. This is a feature that allows developers to use a custom authentication and authorization scheme that uses a bearer token authentication strategy (like JWTs, OAuth or SAML), or that uses request parameters to determine the caller's identity and enforce which API endpoints they are allowed to access. We will present (AFAIK novel) techniques to attack the authentication and authorization of APIs that use Lambda Authorizers. We show how IAM policy injection is possible in theory but highly unlikely in practice due to some good decisions by AWS. We also show a class of problems based on incorrect security assumptions baked into AWS' own documentation and Lambda Authorizer open source code templates. Sample source code will be provided to demonstrate all techniques. Presented at DEF CON 29 Cloud Village.

Detecting AWS control plane abuse in an actionable way using Det{R}ails

Tenchi Security

This document summarizes a system called Det{R}ails that analyzes AWS CloudTrail logs to detect abuse of the AWS control plane. It begins with an overview of AWS threats and CloudTrail. It then describes how Det{R}ails uses the Elastic Stack along with custom enrichments to analyze CloudTrail logs. Det{R}ails generates detection dashboards and detects two example scenarios: a policy rollback that enables privilege escalation, and exploitation of a service using PACU. Future work includes improving use cases, adding more enrichments and services, and publishing the code.

Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...

Tenchi Security

Apresentação de Dani Dilkin no Mind The Sec São Paulo de 2020. A tecnologia da informação está passando pela maior mudança de paradigma desde que migramos dos mainframes para redes Novell. A tecnologia de nuvem está permitindo que times cada vez menores, usando cada vez menos capital, e de forma mais ágil criem soluções altamente complexas e profissionais. Isso ajuda a explicar a profusão de novas startups e serviços SaaS, tais como FinTechs, MedTechs e outras. A aparente simplicidade da nuvem, a falta de conhecimento detalhado de como implementar sua segurança e o perfil de tomadores de risco dos empreendedores são fatores críticos que podem ser observados em muitas destas empresas. De outro lado, os reguladores estão atuando de forma cada vez mais ativa para exigir que as organizações sejam responsabilizadas por eventuais incidentes de segurança em sua cadeia de suprimentos. Grandes empresas que estão confiando dados pessoais, financeiros, médicos e outros dados sensíveis a seus fornecedores estão expostas cada vez mais a penalidades regulatórias advindas destas relações. A combinação destes fatores está criando uma tempestade perfeita de oportunidades e riscos para o mercado. Durante esta palestra vamos abordar de forma objetiva como lidar com as principais regulamentações envolvidas (LGPD/GDPR, PCI DSS, BACEN 3909 e 4658), e indicar estratégias e melhores práticas para lidar com o desafio de conformidade e segurança neste novo cenário tão desafiador.

Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)

Tenchi Security

O documento discute problemas de privilégios excessivos no AWS IAM. Apresenta uma introdução ao IAM, tipos de políticas e vazamentos de chaves. Mostra como analisar políticas existentes e detectar quando privilégios foram elevados indevidamente, como no caso de uma política de terceiros que recebeu permissões adicionais de forma inadequada. Conclui enfatizando a importância do princípio do mínimo privilégio e da análise contínua do ambiente.

SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

Tenchi Security

Slide deck of the presentation at DEF CON 28 "Safe Mode" Cloud Village by Alexandre Sieira. In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts. SaaS vendors like ""single pane of glass"" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.

Novos Paradigmas de Segurança com adoção de Nuvem (AWS)

Tenchi Security

Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT

Tenchi Security

Introdução à Segurança de Containers e Kubernetes

Tenchi Security

Webinar Segurança de DevOps

Tenchi Security

A Tenchi Security tem o prazer de convidá-lo para um evento da série de Security and Cloud. O formato é uma sequência de webinars para profissionais de operações, desenvolvimento, tecnologia e segurança da informação, dependendo do tema do webinar. Nesta 1ª edição temos apoio da Aqua Security e iremos tratar do tema segurança de DevOps em ambientes de nuvem. Serão discutidos o uso de alta freqüência de deployment, pipelines de CI/CD, e o uso de containers ou adoção de aplicações serverless no contexto corporativo. Em especial, quais os benefícios para o negócio, os riscos à segurança da informação e os controles que o mercado tem adotado para mitigá-los. O evento terá duração de 1 hora, sendo: * 25 min - Apresentação de Segurança de DevOps por Alexandre Sieira, Fundador da da Tenchi Security; * 25 min - Apresentação de Soluções de Segurança de Aplicativos Cloud Native por Carolina Bozza, Regional Sales Director da Aqua Security; e * 10 min – Dúvidas e respostas. Gravação do webinar pode ser assistida em https://youtu.be/ac339gAqtj4

More from Tenchi Security (12)

us-east-1 Shuffle_ Lateral Movement and other Creative Steps Attackers Take i...

Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can He...

Hunting for AWS Exposed Resources

The Fault in Our Stars - Attack Vectors for APIs Using Amazon API Gateway Lam...

Detecting AWS control plane abuse in an actionable way using Det{R}ails

Aprendizados da Gestão de Riscos e Conformidade Regulatória de sua Organizaçã...

Mapeando problemas de privilégios no AWS IAM (Identity & Access Management)

SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

Novos Paradigmas de Segurança com adoção de Nuvem (AWS)

Palestra Medindo seu nível de Visibilidade e Detecção usando ATT&CK e DeTT&CT

Introdução à Segurança de Containers e Kubernetes

Webinar Segurança de DevOps

Recently uploaded

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

How to use Firebase Data Connect For Flutter

Daiki Mogmet Ito

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Zilliz

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

20 Comprehensive Checklist of Designing and Developing a Website

Pixlogix Infotech

Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Recently uploaded (20)

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Large Language Model (LLM) and it’s Geospatial Applications

RESUME BUILDER APPLICATION Project for students

Essentials of Automations: The Art of Triggers and Actions in FME

Monitoring Java Application Security with JDK Tools and JFR Events

How to use Firebase Data Connect For Flutter

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Video Streaming: Then, Now, and in the Future

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Climate Impact of Software Testing at Nordic Testing Days

Introduction to CHERI technology - Cybersecurity

UiPath Test Automation using UiPath Test Suite series, part 6

20240607 QFM018 Elixir Reading List May 2024

20 Comprehensive Checklist of Designing and Developing a Website

“I’m still / I’m still / Chaining from the Block”

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

Removing Uninteresting Bytes in Software Fuzzing

Securing your Kubernetes cluster_ a step-by-step guide to success !

UiPath Test Automation using UiPath Test Suite series, part 5

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Latinoware 2019 - Securing Clouds Wide Open

1. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Securing Clouds Wide Open Felipe “Pr0teus” Espósito, Senior Researcher @pr0teusbr Foz do Iguaçu, 27 de Novembro de 2019

2. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 2 Sobre mim ● Former Co-Founder BlueOps (acquired by Tenchi) ● Senior Cloud Researcher & Consultant @ Tenchi Security ● Speaker / CTF organizer (BlueWars) ● Master’s Degree in Network Security ● Love coffee & Chocolate

3. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Um dos problemas 3

4. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 4 Mais problemas

5. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Agenda 1. Cloud computing 2. On Premises Vs. Nuvem 3. Vuln Time ! 4. Fix Time ! 5. Conclusões 5

6. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Cloud Computing 6 O que minha mãe pensa que é O que o Chefe de Tecnologia Pensa que é O que o estagiário acha que é

7. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Cloud Computing 7 O que na verdade é...

8. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. On Premises Vs. Nuvem 8

9. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 9 Diferenças

10. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 10 Vuln time! - Como explorar - Dinâmica do ataque. - Como corrigir Pray for the DEMO God!

11. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Credenciais de acesso 11

12. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Fix 12

13. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Still they do… 13 https://github.com/UnkL4b/GitMiner

14. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Incident Response ● Invalidate the credentials. ● Change Passwords OR delete the user ● Done =D 14 ● Are you sure ?! ● Check if any other credential was created temporary can last up to 36 hours.

15. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Bucket S3 Aberto 15

16. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 16

17. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 17

18. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. EC2 com serviço exposto 18

19. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 19

20. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Fixing Rever a arquitetura do projeto. 20

21. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Server Side Request Forgery 21

22. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. 22

23. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Conclusões 1. Cloud computing traz novos desafios à segurança. 2. Credenciais são muito importante, não as perca. 3. O ambiente mais seguro é aquele que você mais domina os recursos. 23

24. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. https://latinsec19.rtfm-ctf.org Registre-se em: Premiação: 3 ingressos do H2HC

25. Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited. Q&A fesposito@tenchisecurity.com @Pr0teusBR @tenchisecurity

Latinoware 2019 - Securing Clouds Wide Open

Recommended

Recommended

More Related Content

Similar to Latinoware 2019 - Securing Clouds Wide Open

Similar to Latinoware 2019 - Securing Clouds Wide Open (20)

More from Tenchi Security

More from Tenchi Security (12)

Recently uploaded

Recently uploaded (20)

Latinoware 2019 - Securing Clouds Wide Open