This document discusses security concepts and risks. It begins by defining what security is not, such as something that can be bolted on or outsourced. It then covers security principles like defense in depth, and risks to confidentiality, integrity and availability. Specific attacks like SQL injection and XSS are mentioned. Throughout, it emphasizes that all companies face risks and stresses the importance of prioritizing security as even small businesses can be targets.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources (OWASP Delhi)
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing, starting from what platform to choose, where to learn, good resources, hardware requirements, etc. I will also demo Mobexler, a Mobile Application Penetration Testing Platform, and how you can use it for pentesting of iOS as well as Android apps. This talk will be a mix of some demo and some knowledge.
An Introduction To IT Security And Privacy In Libraries (Blake Carver)
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries, librarians and anyone else in a library.
An Introduction To IT Security And Privacy In Libraries & Anywhere (Blake Carver)
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more. In this hour I focused on things to train in libraries, security awareness training and other things relevant to people in libraries, librarians and anyone else in a library. There's a focus on practical ways to secure yourself, browsers and other things. Also some discussion on privacy.
Drupal, WordPress, and Joomla are very popular Content Management Systems (CMSs) that have been widely adopted by government agencies, major businesses, social networks, and more, which underscores why understanding how these systems work and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of CMSs and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.
An Introduction To IT Security And Privacy for Librarians and Libraries (Blake Carver)
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more.
Threat Intelligence is by far one of the most over-used buzzwords in the security industry. Many professionals have very mixed feelings about Threat Intelligence feeds as well. This discussion is around how LogRhythm's internal security team utilizes Threat Intelligence to operationalize efficiently and streamline Security Operations processes and help improve an organization's defenses. We will show how you can generate your own Threat Intelligence and create information sharing loops within like industries to fully realize the team's defensive capabilities. On top of the technical aspects around building out a good Threat Intel program, we will discuss how to manage this from a leadership perspective and get buy-in from the top. Most importantly, once these systems are in place, we will cover how to show value to leadership using key performance indicators and leverage this to improve the overall security program.
HACKING DIVERSITY
We talk a lot about why diversity is important and we are all familiar with the woeful inclusion stats. In this talk we will discuss why diversity is important from both the perspective of an organization’s bottom line and the individual contributor.
Here are the slides from my recent workshop on "QAing the Security Way!"
This workshop was focused on setting up the OWASP Mutillidae II application on local machines and performing hands-on exercises covering the OWASP Top 10 Most Critical Web Application Security Risks.
OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts.
Your adversaries continue to attack and get into companies. You can no longer rely solely on alerts from point solutions to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr... (Security Weekly)
A robot, a ninja and a pirate get into a fight. The question is: who wins? While we can debate this question until the end of time, and likely have fun in the process, it's a waste of time. Who are the robots, ninjas and pirates in your environment? What roles do they play in the vulnerability management process? We debate how to build a vulnerability management program all the time; however, we are still spinning our wheels. Unlike the robot, ninja, pirate battle, there are concrete facts that will help you build a successful program, and avoid smoke bombs, swords, and robot death rays. Who wins? Find out in this presentation and learn how to protect your booty.
Wireless technology is inherently insecure in general; however, this presentation details some unconventional attacks that have been around for years but are still incredibly effective, discussing the basics of AP cloning, abusing captive portals, and more.
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014 (Security Weekly)
The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We'll explore some real-world examples of how devices are exploited (and attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
The Internet of Insecure Things: 10 Most Wanted List (Security Weekly)
In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (and attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can't be ignored. Yet this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years, without making an impact on improving security. Vendors and users are still very much at risk, and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.
A Journey into Application Security will cover the relationship and evolution of application security with the different approaches to development, from Waterfall to DevOps.
Open Source Intelligence Gathering (OSINT) is growing in popularity among attackers and defenders alike. When an attacker comes knocking on your network's front door, the warning lights go off in multiple systems (IDS, IPS, SIEM, WAF). More sophisticated attackers, however, spend considerable time gathering information using tools and techniques that never touch any of your systems. As a result, these attackers are able to execute their attacks and make off with proprietary data before you even know they are there. This presentation provides an introduction to many OSINT tools and techniques, as well as methods you can use to minimize your exposure.
Security threats are growing in volume, scale, and complexity. Not a day passes that we don't hear about another data breach, and the average organization that's hacked goes bankrupt within a year. From small and medium-size organizations to Fortune 500 companies, across every industry, no one is immune. It's no longer enough to keep the bad stuff out (threat protection) or just keep the good stuff in (information protection). This session is a practical discussion on the ever-evolving threat landscape and how you can keep up and protect yourself, your organization, and its reputation. It will help you build awareness about the types of resources and sensitive data that your nonprofit has, with tips on practical, accessible steps that you can take to ensure that information is safeguarded.
PCI DSS Simplified: What You Need to Know (AlienVault)
Maintaining, verifying, and demonstrating PCI DSS compliance is far from a trivial exercise. Those 12 requirements often translate into a lot of manual and labor-intensive tasks: chasing down discrepancies in asset inventory spreadsheets, removing false positives from network vulnerability assessment reports, and weeding through log data trying to make sense of it all. In fact, you may need to consult at least a dozen different tools for those dozen requirements.
Thankfully, there’s a simpler alternative. AlienVault Unified Security Management (USM) consolidates the five essential capabilities you need for PCI DSS compliance. As a nearly complete PCI compliance solution, AlienVault’s USM delivers the security visibility you need in a single pane-of-glass. And it solves more than the single purpose PCI DSS compliance software alternatives do. During this webcast, you will learn how to:
Achieve, demonstrate and maintain PCI DSS compliance
Consolidate and simplify SIEM, log management, vulnerability assessment, IDS, and file integrity monitoring in a single platform
Implement effective incident response with emerging threat intelligence
Plus, you'll see how quickly and easily you can simplify and accelerate PCI DSS compliance. Register Now to secure your spot.
Symantec Intelligence Report December 2014 (Symantec)
Welcome to the December edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.
Combating Insider Threats – Protecting Your Agency from the Inside Out (Lancope, Inc.)
When Edward Snowden leaked classified information to the mainstream media, it brought the dangers posed by insider threats to the forefront of public consciousness, and not without reason. Today's agencies are drowning in fears surrounding sophisticated cyber-attacks, but perhaps the most concerning type of attack out there is the insider threat. According to Forrester, abuse by malicious insiders makes up 25% of data breaches. Learn about the best practices and technologies you should be implementing now to avoid becoming the next victim of a high-profile attack.
- Become aware of the different types of insider threats, including their motives and methods of attack
- Understand why conventional security tools like firewalls, antivirus and IDS/IPS are powerless in the face of the insider threat
- Gain clarity on the various technologies, policies and best practices that should be put in place to help detect and thwart insider threats
- Discover how network logs, particularly NetFlow, can be used to cost-effectively monitor for suspicious insider behaviors that could indicate an attack
- Know about emerging attack methods such as muleware that could further escalate insider threats in the coming years
A new generation of Internet startups is focused on converting malware infections into revenue. Who are these new CEOs, what can we learn from their business models? No longer in the shadows of the dark web, they are businessmen scaling operations and driving revenue. This session will discuss how malware is being monetized as a sustainable business, showing a realistic picture of what we’re up against.
(Source: RSA Conference USA 2017)
Save Your Network – Protecting Manufacturing Data from Deadly Breaches (Lancope, Inc.)
As recent events have proven, manufacturing organizations are especially vulnerable to cyber-attacks due to the amount of valuable data they maintain. With advanced attacks becoming so ubiquitous, how can manufacturing organizations protect their data and avoid becoming the next high-profile victim in the headlines?
The answer lies in network visibility. Manufacturing providers and others are invited to join this complimentary webinar to learn how to:
- Cost-effectively transform their network into a sensor grid for detecting sophisticated attacks
- Quickly uncover suspicious behaviors associated with zero-day attacks, APTs, insider threats and other risks that frequently evade conventional defenses
- Protect their reputation by thwarting attacks before they lead to devastating data loss
Dayton Microcomputer Association (DMA):
April 2020 - Online Meeting
Date: April 28, 2020
Topic: Stupid Cyber Criminal Tricks and How to Combat Them
Speaker: Matt Scheurer
This talk covers various techniques used by cyber criminals, and how to spot them. This is the accompanying slide deck for a presentation that covers live demos. Who does not love a good cyber-crime story?
Cyber Risk Management in 2017 - Challenges & Recommendations (Ulf Mattsson)
With cyber attacks on the rise, securing your data is more imperative than ever. In the future, organizations will face severe penalties if their data isn't robustly secured. This will have a far-reaching impact on how businesses deal with security in terms of managing their cyber risk.
Join this presentation to learn the cyber security controls prescribed by regulation, how this impacts compliance, and how cyber risk management helps CISOs understand the degree to which these controls are in place, where to prioritize their cyber dollars, and how to ensure they are not at risk of fines.
Viewers will learn:
- The latest cybercrime trends and targets
- Trends in board involvement in cybersecurity
- How to effectively manage the full range of enterprise risks
- How to protect against ransomware
- Visibility into third party risk
- Data security metrics
The Business Benefits of Threat Intelligence Webinar (ThreatConnect)
The Business Benefits of Threat Intelligence
Take 30 minutes of your time to hear Cyber Squared Inc. CEO Adam Vincent review the need for businesses to evaluate the cost of a sophisticated threat intelligence program. Learn more about the ROI calculator that evaluates cost/benefits of threat intelligence investments and offers quantifiable financial benefits and use-cases to demonstrate the overall costs associated with data breaches, and how using threat intelligence can decrease those costs and make existing staff more efficient.
Watch the full webinar here: https://attendee.gotowebinar.com/recording/7218699913172089858
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez (EC-Council)
Bobby Dominguez is an accomplished Internet pioneer and an acknowledged security, risk, and privacy expert. Mr. Dominguez has successfully integrated information security into top-level business initiatives at Home Shopping Network, PSCU Financial Services, and PNC Bank, where he implemented a new technology risk management framework. Under his leadership, the Sykes Global Security and Risk Management team was nominated and selected as one of the 5 best by 2008 SC Magazine “Best Security Team in the US.” Mr. Dominguez was also selected as one of the top 5 Chief Security Officers for the 2009, 2010, and 2013 SC Magazine “CSO of Year.” In 2012 he was a finalist for (ISC)2 Americas Information Security Leadership Awards.
Applied cognitive security complementing the security analyst (Priyanka Aash)
Security incidents are increasing dramatically and becoming more sophisticated, making it almost impossible for security analysts to keep up. A cognitive solution that can learn about security from structured and unstructured information sources is essential. It can be applied to empower security analysts with insights to qualify incidents and investigate risks quickly and accurately.
(Source: RSA Conference 2017)
Failing well: Managing Risk in High Performance Applications (Alison Gianotto)
These are the slides from my 2013 Foocamp ignite talk. For more on risk management, please see the blog post I wrote while creating this presentation: http://www.snipe.net/2013/08/failing-well-managing-risk-in-web-applications/
A deck I created for Noise to help clients understand what changes with the FB Timeline for business fan pages, how it affects them, and best practices moving forward.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Key Trends Shaping the Future of Infrastructure.pdf (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, along with traditionally slow and manual security checks, has caused gaps in continuous security as an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated in the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
2. WHO AM I? Alison Gianotto (aka “snipe”)
• Former agency CTO/CSO
• Security & privacy advocate
• 20 years in IT and software development
• Co-author of a few PHP/MySQL books
• Survivor of more corporate audits than I care to remember
• @snipeyhead on Twitter
Lonestar PHP - April 2014 - #lsp14
3. WHAT SECURITY ISN’T
1 Bolted on: You don’t add it on at the end.
2 Compliance: You can be compliant and not secure. Just ask Target.
3 A Single Person: Security is everyone’s responsibility.
4 Outsourced: Throwing money at this problem won’t work.
4. WHAT SECURITY ISN’T
5 An Appliance: Firewalls and IDS are part of the solution, but not the end.
6 Silver Bullet: There is no one thing. Defence in depth matters. Sort of.
7 Straightforward: Sometimes implementing security tools increases your attack surface.
8 Done: Security is where you start, not where you finish.
5. WHAT RISK ISN’T
1 Stifling: Managing risk doesn’t have to hinder innovation.
2 Boring: Our job is finding creative solutions to problems. This is one more tool.
3 Avoidable: Risk isn’t inherently bad. Not understanding your risk is.
4 One Size: Acceptable risk to your company may not be the same as someone else’s.
6. IT IS IMPOSSIBLE TO ANTICIPATE EVERY RISK.
Srsly.
7. DEFENSE IN DEPTH PROMISES
• Mitigates single points of failure. (“Bus factor”)
• Requires more effort on the part of the attacker, theoretically exhausting attacker resources.
Except...
8. DEFENSE IN DEPTH PROBLEMS
• Larger, more complicated systems are harder to maintain.
• Leads to more cracks for bad guys to poke at.
• More surfaces that can be overlooked.
• The bad guys have nearly limitless resources. We don’t.
• Attacks are commoditized now. Botnets for $2/hour.
10. CONFIDENTIALITY IS A SET OF RULES THAT LIMITS ACCESS TO INFORMATION
11. CONFIDENTIALITY EXAMPLES
• Passwords. (boo!)
• Data encryption (at rest and in transmission.)
• Two-factor authentication/biometrics. (Yay!)
• Corporate VPN
• IP whitelisting
• SSH keys
12. CONFIDENTIALITY RISKS
• No brute-force detection
• No vetting of how third-party vendors use/store customer data
• Information leakage from login messages (timing attacks, etc.)
• SQL injection
• Privilege escalation leading to admin access
• Passwords shared across websites
• Improper disposal/destruction of personal data
• Lost/stolen devices
13. INTEGRITY IS THE ASSURANCE THAT THE INFORMATION IS TRUSTWORTHY & ACCURATE.
14. INTEGRITY RISKS
• Data loss due to hardware failure (server crash!)
• Software bug that unintentionally deletes/modifies data
• Data alteration via authorized persons (human error)
• Data alteration via unauthorized persons (hackers)
• No backups, or no way to verify the integrity of the backups you have
• Third-party vendor with inadequate security
15. AVAILABILITY IS A GUARANTEE OF READY ACCESS TO THE INFO BY AUTHORIZED PEOPLE.
17. THINK YOU’RE TOO SMALL TO BOTHER WITH?
Think again.
18. WHY HACK?
• To steal/sell identities, credit card numbers, corporate secrets, military secrets
• Fun, excitement and/or notoriety
• Political (“Hacktivism”)
• Revenge
• Blackhat SEO
• Extortion/Ransomware
19. COMMON ATTACKS
• Reflected XSS
• Persistent XSS
• CSRF
• SQL injection
• Remote file inclusion
• Local file inclusion/directory traversal
• Hosting malware
• Defacement for SEO (pharma, etc)
• Privilege escalation
20. WHY MEEEEEEEEEEEE??
• Users re-use passwords across websites
• Watering hole attack
• Low-hanging fruit
• Assumed fewer defenses
• To gain more information on users to execute spear-phishing attacks
• Because you are vulnerable. Period.
21. IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
22. 1 REFLECTED XSS → 2 SOCIAL ENGINEERING → 3 XSS → 4 SESSION HIJACK → PWNED
23. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
24. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF >= 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
25. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012. (+700%)
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
26. OCT 2013: ADOBE
EXPOSED: CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, SOURCE
IMPACTED: 152 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
27. DEC 2013: TARGET
EXPOSED: CUSTOMER DATA, DEBIT/CREDIT CARD NUMBERS, PINS
IMPACTED: 110 MILLION USERS
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
28. BREACH GROWTH
Data stolen:
• credit card info
• birth dates
• government ID numbers
• home addresses
• medical records
• phone numbers
• financial information
• email addresses
• login
• passwords
Identities stolen by year (in millions): 2011: 232; 2013: 552
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
29. ATTACKS PER DAY
2011: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014 :: Volume 19, Published April 2014
30. APPSEC STRATEGY: PICK TWO
(Diagram: each of the three choices is labelled COMPLETELY BONED.)
31. CREATING A RISK MATRIX
• Type
• Third-Party
• Dataflow diagram ID
• Description
• Triggering Action
• Consequence of Service Failure
• Risk of Failure
• User Impact
• Method used for monitoring this risk
• Efforts to Mitigate in Case of Failure
• Contact info
Grab a starter template here! http://snipe.ly/risk_matrix
32. 29 THINGS YOU CAN START DOING TODAY.
Dooo eeeeeet.
33. 29 THINGS TO DO TODAY
1. Start every project risk-first.
2. Start using a risk matrix for every major project or product.
3. Build a clear inventory of surface areas and their value. Get stakeholders involved.
4. Make sure you understand what happens when third-party services fail or behave unexpectedly.
34. 29 THINGS TO DO TODAY
5. Trust your gut. If something doesn’t look right, it probably isn’t.
6. Keep your systems as simple as possible. Document them.
7. Favor self-documenting systems so that code, systems and docs don't fall out of sync.
8. Increased transparency reduces risk across departments. Consider devops.
35. 29 THINGS TO DO TODAY
9. Don't abstract code/systems if you don’t have to. Premature optimization is the devil. Build light and refactor as needed.
10. Get to know your users’ behavior. Use tools like Google Analytics and heat-mapping to understand what users do on your site. Be suspicious if it changes for no apparent reason.
36. 29 THINGS TO DO TODAY
11. Automate EVERYTHING (Chef, Vagrant, Ansible, Salt, Fabric, etc.)
12. Log (almost!) EVERYTHING. Know where your logs are. Use a central logging server if at all possible.
13. Always employ the principles of “least privilege.”
14. Give preference to vendors that integrate with your AD/OD/LDAP.
37. 29 THINGS TO DO TODAY
15. Create a reliable data backup plan and TEST IT. (MORE THAN ONCE.)
16. Create a Business Continuity Plan.
17. Create an Incident Response Plan. Test it.
18. Create a Disaster Recovery Plan. TEST IT. (Seriously.)
19. Get your team to participate in at least one CTF every year.
38. 29 THINGS TO DO TODAY
20. Strip specific messaging from login forms.
21. Use solid password hashing + salting like bcrypt.
22. Implement brute-force prevention for all login systems.
23. Encrypt everything, where feasible.
24. Only collect the data that you absolutely need.
25. Implement two-factor authentication. It’s easier than you think.
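A PHP login handler that applies items 20 through 22 above together with the login-message timing leak listed under confidentiality risks, added here as an example rather than code from the talk; the $pdo connection, the users and login_failures tables, and the function names are all assumptions:

```php
<?php
// Added example, not code from the talk. Assumes a PDO connection ($pdo)
// and two hypothetical tables: users(username, password_hash) and
// login_failures(username, failed_at).
const MAX_FAILURES   = 5;    // item 22: refuse logins after this many failures
const WINDOW_SECONDS = 900;  // ...counted over the last 15 minutes

// Item 21: bcrypt via password_hash(). The salt is generated and stored
// inside the returned hash string, so no separate salt column is needed.
function hashPassword(string $plain): string {
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Computed once per request so the unknown-user path below does the same
// bcrypt work as a real verification (constructed throwaway secret).
define('DUMMY_HASH', hashPassword(bin2hex(random_bytes(16))));

function recentFailures(PDO $pdo, string $username): int {
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM login_failures WHERE username = ? AND failed_at > ?');
    $stmt->execute([$username, time() - WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn();
}

function recordFailure(PDO $pdo, string $username): void {
    $stmt = $pdo->prepare('INSERT INTO login_failures (username, failed_at) VALUES (?, ?)');
    $stmt->execute([$username, time()]);
}

// Returns true only for a valid password. Every failure path returns the same
// false, so the caller shows one generic "login failed" message (item 20)
// instead of distinguishing "no such user" from "wrong password".
function login(PDO $pdo, string $username, string $password): bool {
    if (recentFailures($pdo, $username) >= MAX_FAILURES) {
        return false;                       // throttled (item 22)
    }
    // Prepared statement: user input never reaches the SQL text.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    // Unknown user: verify against DUMMY_HASH anyway so the response time does
    // not reveal whether the account exists (the timing leak on slide 12).
    $hash = ($stored !== false) ? $stored : DUMMY_HASH;
    $ok   = password_verify($password, $hash) && $stored !== false;
    if (!$ok) {
        recordFailure($pdo, $username);     // feeds the brute-force counter
    }
    return $ok;
}
```

The throttle is keyed on the username only, so it protects a single account from guessing; a second counter keyed on client IP would be needed to slow password spraying across many accounts.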
39. 29 THINGS TO DO TODAY
26. Suppress debugging and server information (PHP versions, Apache versions).
27. Leverage framework CSRF protection and data sanitization/validation.
28. Perform regular penetration tests and vulnerability assessments.
29. Become a passionate security ambassador for your users and co-workers.