An overview of the information security job market and the Netflix security organization. Presented at Binghamton University's Upsilon Pi Epsilon (CS Honor Society) meeting on 10/30/2015.
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Denim Group
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
These are the slides from my lightning talk at OWASP AppSec Europe 2016. The session broadly consisted of:
- Quick run through of ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts/Hands-on
- Some delicate considerations
Code: https://github.com/r3ver53r/AppSecEU_2016
Download: https://2016.appsec.eu/wp-content/uploads/2016/07/OWASP_AppSec_EU2016-Security_Automation_Using_ZAP_v1.3.pdf
Micro-services are social beings: they can’t function without talking with other services. Every microservice has its own domain, and it usually relies on other micro-services to function properly. But this also raises an interesting question: do we trust all of our micro-services? The truth is that not all micro-services are the same: some micro-services are more sensitive - for example, services that handle user data. Others are user-facing and therefore riskier. We cannot treat all services as equal. We need a good and robust mechanism to describe who can talk with who. At Soluto, we are dealing with this challenge for a while. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. In talk, I’ll share how we build this solution, using open source tools like Open Policy Agent, so you can easily build something similar.
An overview of the information security job market and the Netflix security organization. Presented at Binghamton University's Upsilon Pi Epsilon (CS Honor Society) meeting on 10/30/2015.
Monitoring Application Attack Surface and Integrating Security into DevOps Pi...Denim Group
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
These are the slides from my lightning talk at OWASP AppSec Europe 2016. The session broadly consisted of:
- Quick run through of ZAP GUI
- Understanding what can be automated
- How to integrate ZAP with automation scripts
- Example scripts/Hands-on
- Some delicate considerations
Code: https://github.com/r3ver53r/AppSecEU_2016
Download: https://2016.appsec.eu/wp-content/uploads/2016/07/OWASP_AppSec_EU2016-Security_Automation_Using_ZAP_v1.3.pdf
Micro-services are social beings: they can’t function without talking with other services. Every microservice has its own domain, and it usually relies on other micro-services to function properly. But this also raises an interesting question: do we trust all of our micro-services? The truth is that not all micro-services are the same: some micro-services are more sensitive - for example, services that handle user data. Others are user-facing and therefore riskier. We cannot treat all services as equal. We need a good and robust mechanism to describe who can talk with who. At Soluto, we are dealing with this challenge for a while. In this talk, I’ll share the journey we went through until we found a solution we’re happy with: a simple and declarative system that allows services to define who can access them. Any dev can request access to any service, and the service owner can review it. In talk, I’ll share how we build this solution, using open source tools like Open Policy Agent, so you can easily build something similar.
Entity framework core v3 from sql to no sqlAndrea Tosato
Entity framework core v3, from SQL to NoSql.
Marco Minerva and Andrea Tosato samples: https://github.com/andreatosato/Entity-FrameworkCore3-from-SQL-2-NoSQL
JIRA Data Center Implementation at Pitney Bowes - Peter StricklandAtlassian
Take a peek under the hood of JIRA Data Center. Learn how Pitney Bowes implemented Data Center including configuring shared resources between nodes, and getting nodes to talk to each other. Peter will also touch on issues to consider before implementing JIRA Data Center.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Entity framework core v3 from sql to no sqlAndrea Tosato
Entity framework core v3, from SQL to NoSql.
Marco Minerva and Andrea Tosato samples: https://github.com/andreatosato/Entity-FrameworkCore3-from-SQL-2-NoSQL
JIRA Data Center Implementation at Pitney Bowes - Peter StricklandAtlassian
Take a peek under the hood of JIRA Data Center. Learn how Pitney Bowes implemented Data Center including configuring shared resources between nodes, and getting nodes to talk to each other. Peter will also touch on issues to consider before implementing JIRA Data Center.
Malware Analysis 101 - N00b to Ninja in 60 Minutes at BSidesLV on August 5, ...grecsl
Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage to either crush the mundane or recognize when its time to pass the more serious samples on to the the big boys. This presentation covers several analysis environment options and the three quick steps that allows almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a "ninja" per se but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysissecurityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 6 - Malware Sandbox Analysissecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
APIsecure 2023 - API First Hacking, Corey Ball, Author of Hacking APIsapidays
APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Closing Keynote: API First Hacking
Corey Ball, Chief Hacking Officer APIsec University| Author of Hacking APIs
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
DevOps puts an intense focus on automation – taking humans out of the loop whenever possible to allow frequent, incremental updates to production systems. However, thorough application testing often has multiple components – much of this can be automated, but manual testing is also required. This is inconvenient and not “DevOps-y,” but is unfortunately an unavoidable requirement in the real world. In addition, managing these multiple sources of application vulnerability intelligence often requires manual interaction – to clear false positives, de-duplicate repeated results, and make decisions about triage and remediation.
Axway has rolled out an application security program that incorporates automated static and dynamic testing, attack surface analysis, component analysis, as well as inputs from 3rd parties including manual penetration testing, automated and manual dynamic testing, automated and manual static testing, and test results from vendors providing test data on their products. Automation has allowed Axway to increase the frequency of web application testing, thus reducing the cycle time in the application vulnerability “OODA loop.” Moving beyond the identification of vulnerabilities, Axway has deployed ThreadFix to automatically aggregate the results of the automated testing and de-duplicate findings. 3rd party penetration testers are also finding vulnerabilities and reporting them in reasonably structured CSV files requiring Axway to convert this manual test data and incorporate it into the aggregated vulnerability model in ThreadFix. Centralizing this pipeline allows for metric tracking – both for the application security program as a whole as well as on a per-vulnerability-source basis. This automation and consolidation now covers 50% of Axway’s application vulnerability review process - with plans to extend further.
This presentation walks through Axway’s construction of their application security-testing pipeline and the decisions they were forced to make along the way to best maximize the use of automation while accommodating the reality of manual testing requirements. It then looks at how this testing regimen and the associated automation have allowed them to impact deployment practices as well as collect metrics on their assurance program. Finally, it looks at lessons learned along the way – the good and the bad – and identifies targeted next steps Axway plans to take to increase the depth and frequency of application security testing while dealing with the deployment realities placed on them to remain agile and responsive to business requirements.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
Jobvite: A Holistic Approach to SecurityTheodore Kim
AWS Loft presentation on 04/28/16.
You’ve configured host and network based ACLs, enabled CloudTrail logging, encrypted all data at rest (EBS & S3), secured your AMIs, regularly patch EC2 instances, and locked down IAM roles. But are you secure? How do you know if/when a security incident has occurred, detect unauthorized access to data, identify vulnerabilities in your application, block online attacks in real-time, or certify your application as truly secure?
Theodore Kim, VP of Technical Operations at Jobvite, and his team will present a holistic approach to securing your application environment hosted in AWS. Topics will include:
- Do I need an Intrusion Detection/Prevention (IDS/IPS) System?
- How to detect and block network/application intrusion attempts in real time.
- Log file parsing/alerting via Security Information & Event Management (SIEM) systems to identify anomalous system activity.
- An overview of penetration/vulnerability testing services.
- Auditing your environment to identify security vulnerabilities and support compliance efforts.
- How to incorporate security vulnerability scanning into the build and release process.
Monitoring Attack Surface to Secure DevOps PipelinesDenim Group
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
Automotive safety has been a major concern for manufacturers everywhere and now the threat of automotive hacking looms. Your team may be familiar with safety standards and defensive coding techniques but do you know how to handle security threats at the code level? What can you do next to transform your processes and development strategies?
Join automotive experts from Rogue Wave Software for the first in a three-part series on securing your code and solidifying processes to ensure safe, defect-free software. By educating teams and understanding proven techniques, you’ll be able to take the next step towards less risk and more value for your applications.
In this first one-hour webinar you'll learn:
- Techniques to protect your automotive software systems from risk
- Tools that accelerate compliance with security and safety standards
- Tips to ensure defects are eliminated as early as possible
ATAGTR2017 Cost-effective Security Testing Approaches for Web, Mobile & Enter...Agile Testing Alliance
The presentation on Cost-effective Security Testing Approaches for Web, Mobile & Enterprise Application was done during #ATAGTR2017, one of the largest global testing conference. All copyright belongs to the author.
Author and presenter : Varadarajan V. G.
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
Join security experts from Rogue Wave Software for the first in a three-part series on ensuring your code and processes are secure.
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
In this first one-hour webinar you'll learn how to:
- Protect your systems from risk
- Comply with security standards
- Ensure the entire codebase is bulletproof
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training-advanced-malware-analysis.php
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training-advanced-malware-analysis.php
Advanced Malware Analysis Training Session 5 - Reversing Automationsecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 4 - Anti-Analysis Techniquessecurityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Advanced Malware Analysis Training Session 3 - Botnet Analysis Part 2securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details refer our Security Training page
http://securityxploded.com/security-training.php
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.