As an active security researcher with immense professional expertise in application security, Jason Haddix joins us to explain the common attack vectors that face today’s mobile applications -- from a hacker’s perspective.
HI THIS IS URGENT PLZ FIX ASAP: Critical Vulnerabilities and Bug Bounty Programs (bugcrowd)
Kymberlee Price's presentation from Black Hat 2015. In this presentation, Kymberlee discusses several highly critical vulnerabilities that have been uncovered through a variety of bug bounty programs and their impact on the customers. With participation from researchers and vendors, attendees will not only see some sweet vulnerabilities broken down, but also why wading through another submission from @CluelessSec might be worth it.
[Webinar] Building a Product Security Incident Response Team: Learnings from ... (bugcrowd)
Kymberlee Price's Black Hat 2016 talk in a live webcast. This presentation will address some best practices and templates to help security teams build or scale their incident response practices.
View this on-demand webinar here: https://pages.bugcrowd.com/7-bug-bounty-myths-busted-ondemand-webinar
About the content:
Despite thousands of large and small organizations running bug bounty programs, there is still a lot of fear and uncertainty about these in the cybersecurity community. In this recorded webinar we will explore 7 myths about Bug Bounty programs, the hackers who are involved, and the impact they are having on the security posture of organizations around the world.
After viewing this presentation and on-demand webinar you will:
1. Learn if a bug bounty program is right for your organization
2. Understand if a bug bounty encourages hackers to attack your systems
3. Explore the real benefits of bug bounty programs – and find out if they actually work
4. Get insight on whether these programs are too hard and costly to manage
[Webinar] The Art & Value of Bug Bounty Programs (bugcrowd)
Her TED talk on the power of bug bounties has over a million views. On May 20, 2015, cybersecurity expert Keren Elazari joined Bugcrowd for an exclusive webinar. We did some bug bounty myth busting and trend spotting and had a great turnout. Keren's slides are here.
Build or Buy: The Barracuda Bug Bounty Story [Webinar] (bugcrowd)
We sat down with two members of the Barracuda security team to talk about the evolution of their bug bounty program since its inception in 2010, to its current space with Bugcrowd.
Revitalizing Product Security at Zephyr Health (bugcrowd)
Zephyr Health, a quickly growing company harnessing the power of global healthcare data, has spent the last year augmenting its product security efforts. With Bugcrowd’s help, they have transformed their development and overarching culture to prioritize security. Bugcrowd joins Zephyr Health’s CISO, Kim Green, to hear about how she came to understand and implement crowdsourced security testing within the organization.
Key Takeaways from Instructure's Successful Bug Bounty Program (bugcrowd)
Slides used during Bugcrowd's 3/5/2015 webinar with Instructure, the innovative company behind Canvas Learning Management System. Learn why they turned to crowdsourced security, and how Bugcrowd's Flex program gave them great results.
5 Tips to Successfully Running a Bug Bounty Program (bugcrowd)
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
Addressing web server vulnerabilities is key to application security. Consider the impact the Apache Struts vulnerability had on organizations that ignored it, and it suddenly becomes clear that responding quickly to Common Vulnerabilities and Exposures (CVEs) is part of an effective appsec security posture.
Real-world business conditions are not always conducive to patching software in a timely manner. An automated method of identifying and triaging CVEs, from qualification to virtual patches, can be achieved with a robust process for staying on top of the latest CVE-related vulnerabilities.
Getting to Know Security and Devs: Keys to Successful DevSecOps (Franklin Mosley)
In the past, security was seen as a function of the ‘security’ organization. With DevOps, we aim to break down these silos and make security a shared responsibility. What do Security and Development teams need to know about each other to work together more effectively?
During a recent webinar, Lewis Ardern, senior security consultant, presented "OWASP Top 10 for JavaScript Developers."
With the release of the OWASP Top 10 2017, we saw new contenders for the most critical security issues in the web application landscape. Much of the OWASP documentation concerning issues, remediation advice, and code samples focuses on Java, C++, and C#. However, it doesn’t give much attention to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the growing use of Node.js and its libraries and frameworks. This talk will introduce you to the OWASP Top 10 by explaining JavaScript client and server-side vulnerabilities.
For more information, please visit our website at www.synopsys.com/standards
Insider Threat: How Does Your Security Stack Measure Up? (ThinAir)
Security technologists, practitioners, and the media love to talk about the latest malware, and zero-day attacks that hackers and nation states direct against their targets. The reality is that a significant portion of security incidents and data breaches come from within an organization’s security perimeter. The insider threat is the unglamorous side of security, and one that most vendors and industry professionals tend to ignore. Which tools in your security stack truly address the insider threat problem? What percentage of your security budget is dedicated to this issue?
This presentation will explore the rise of the insider threat, and the five essential components of an effective approach to identifying and investigating breaches that result from the malicious or innocent actions of internal actors.
Learning Objectives:
• Learn about the trends, size and scope of the insider threat problem
• How to evaluate your security stack against the insider threat problem
• Explore the emerging concept of insider detection and investigation and the five required components of an insider threat approach
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat... (Jerika Phelps)
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC).
The Business Benefits of Threat Intelligence Webinar (ThreatConnect)
The Business Benefits of Threat Intelligence
Take 30 minutes of your time to hear Cyber Squared Inc. CEO Adam Vincent review the need for businesses to evaluate the cost of a sophisticated threat intelligence program. Learn more about the ROI calculator that evaluates cost/benefits of threat intelligence investments and offers quantifiable financial benefits and use-cases to demonstrate the overall costs associated with data breaches, and how using threat intelligence can decrease those costs and make existing staff more efficient.
Watch the full webinar here: https://attendee.gotowebinar.com/recording/7218699913172089858
Empowering Application Security Protection in the World of DevOps (IBM Security)
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Deception in Cyber Security (League of Women in Cyber Security) (Phillip Maddux)
Presented on August 23, 2017 at the League of Women in Cyber Security meetup (https://www.meetup.com/League-of-Women-in-Cybersecurity/events/242071337/). This talk will provide an intro to honeypots and their benefits, an intro to deception in cyber security, and an overview of HoneyPy and HoneyDB.
What are the key challenges and opportunities ahead with cloud security? And what happens when you don't have a security strategy in place? Learn how organizations can leverage cloud for better security.
Black Duck & IBM Present: Application Security in the Age of Open Source (Black Duck by Synopsys)
Keeping applications secure, whether you're developing for internal use or for your customers, isn't easy. Today, applications are a mix of open source and custom code. Identifying and resolving security vulnerabilities in both requires the right tools and know-how. Black Duck and IBM are working together to help you keep your applications secure.
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers (DevOps.com)
DevSecOps requires processes and tools that enable weaving security throughout the DevOps pipeline. It is much more than a buzzword, and if you ask most organizations, they believe they are in the process of adopting DevSecOps tools and practices. But are they?
In order to deeply understand the state of DevSecOps implementation we need to learn more about the relationship between developers and security teams. After surveying more than 560 application security professionals and software developers we found several insights.
Join Jeff Martin, associate VP of product management, and Rhys Arkins, director of product management at WhiteSource, to learn about:
The current challenges of the security and development teams when it comes to AppSec
The contradicting views and gaps between the teams on DevSecOps maturity
How to break the silos and advance toward DevSecOps maturity
Collaborative security: Securing open source software (Priyanka Aash)
There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL.
(Source : RSA Conference USA 2017)
Outpost24 webinar - Why security perfection is the enemy of DevSecOps (Outpost24)
The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.
In this session, the focus will be on OWASP Top 10 mobile risks and prevention tips. Hackers’ exploitation of these most common mobile vulnerabilities will be demonstrated in the session.
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT (Jimmy Shah)
Mobile devices are not simply PCs. While one knows to look for an Advanced Persistent Threat (APT) on their desktop endpoints, mobile tends to be ignored. Setting up an MDM solution is not enough. Installing AV on as many devices as possible is not enough. The holes in the net are still too wide; attackers have more options than just malicious apps for getting on your network.
Topics covered will be:
How attackers are moving to mobile in order to bypass traditional protection.
Apps are only one part of the problem. Documents, email, messaging are still left wide open
Bypassing Mobile Antivirus
Bypassing MDM, MAM and Containers
Attackers are turning from apps to exploits.
Finally we’ll cover what to do next – how to effectively deal with Mobile APT.
This talk is going to talk about how I got 50 CVEs in a week. I used to play bug bounties and other security penetration testing challenges. After realization I started contributing to the Open Source Community and found several critical bugs and got proper satisfaction for the work. Then I met like-minded people and started bug hunting with Code Vigilant (http://codevigilant.com), a project for securing open source software.
How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks (AlienVault)
Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those within a particular industry. The AlienVault Open Threat Exchange is different. It is one of the first (and most diverse) threat sharing networks, open to any and all who wish to join. And, free services like new ThreatFinder help make the threat data in OTX available and actionable by all. Join AlienVault VP of Product Strategy, Russ Spitler, and Systems Engineer, Tom D'Aquino for a practical session covering how to use OTX to improve network security.
Russ & Tom will cover:
How threat intelligence is gathered and vetted in the Open Threat Exchange
How to use the threat data provided by OTX free services
Examples of the types of threats you can identify with OTX
Best practices to investigate and mitigate threats, including a quick tour of AlienVault USM
2017 Phishing Trends & Intelligence Report: Hacking the Human (PhishLabs)
PhishLabs' annual Phishing Trends and Intelligence report provides insight on significant trends, tools, and techniques used by threat actors to carry out phishing attacks. It provides context and perspective into HOW and WHY these trends are occurring.
By understanding the threat, we can better defend against it. The report data is sourced from more than one million confirmed phishing sites residing across more than 170,000 unique domains. We investigated more than 7,800 phishing attacks every month, identifying the underlying infrastructure used in the attacks and shutting them down. The report uses this data to illuminate significant trends, tools, and techniques being used by the threat actors.
To download the on-demand full webinar, click here: https://info.phishlabs.com/phishing-trends-and-intelligence-pti-report-webinar
To download the PTI Report, click here: https://info.phishlabs.com/2017-phishing-trends-and-intelligence-report-pti
Ending the Tyranny of Expensive Security Tools (SolarWinds)
A long time ago, in a galaxy far far away, AV was invented. Then firewalls and IDS and SIEM and NAC and DLP and on and on. With all these products, it seems like a career in information security is really more about managing tools than defeating a galactic empire of hackers and miscreants. But like the Rebel Alliance, you can take back your enterprise, because many of our existing monitoring systems and network devices also have security functionality. Moreover, there are many excellent open source applications that work just as well as commercial ones.
This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
Mobile Security: Preparing for the 2017 Threat Landscape (BlackBerry)
For years, security researchers and leaders have warned: “The mobile threat is coming.” Well, in 2016 it arrived in full force. Attackers are finding new, creative means of stealing user credentials and penetrating critical systems via the mobile channel. And healthcare entities—with an increasingly mobile workforce and patient population—are square in the middle of this expanding mobile threatscape, as attackers seek to capture and monetize critical healthcare data.
What are the most prevalent new threats, and what are leading organizations doing to bolster mobile security as we head into 2017?
This interview with BlackBerry VP Government Solutions Sinisha Patkovic, on Mobile Security: Preparing for the 2017 Threat Landscape, was produced for a recent ISMG Security Executive Roundtable sponsored by BlackBerry.
Unicom Conference - Mobile Application Security (Subho Halder)
Mobile adoption is strategic in every industry today. Although it can be a great catalyst for growth, the security risks that come with it cannot be overlooked. Even though this fact is established, many companies are still not following some of the mobile application security best practices. The goal of this talk is to raise awareness about application security by identifying some of the most critical risks facing organizations during development. We will cover everything from basic OWASP Top 10 security issues to live demos of different use-case scenarios showing how a hacker can attack your application, and how to prevent them.
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile... (IBM Security)
Take a deep-dive into the benefits of incorporating improved security protection into your organization’s mobile application development lifecycle, from testing phase to run-time.
In this on-demand webinar, you’ll learn how to:
- Better identify application integrity risks (vulnerable portions of your apps that could serve as attractive attack targets to hackers, even after you’ve adhered to safe-coding practices), and to bolster your overall level of mobile security protection.
- Deploy protection tools—based on AppScan-aided risk assessment technology and supplemented by manual analysis—to design and implement “defend”, “detect”, and “react” protections inside your applications, without modifying their source code.
- Augment your code-testing with proactive protections inside your mobile applications, by learning more about IBM’s and Arxan’s partnered solutions.
View the full on-demand webcast: http://securityintelligence.com/events/incorporating-security-protection-organizations-mobile-application-development-lifecycle/#.VYxU1_lVhBf
The OWASP Mobile Top 10 is a nice start for any developer or security professional, but the road is still ahead and there is so much to do to close most of the possible doors that hackers can use to find an app’s vulnerabilities. We look forward to OWASP continuing their work, but let’s not stay on the sidelines!
Presentation I gave at ISSA DC on June 21, 2011. It introduces the OWASP Mobile Security Project, and covers at a high level: Overview of the Android platform, Mobile Top 10 Risks, Threat Modeling for Android.
Mobile Payments: Protecting Apps and Data from Emerging Risks (IBM Security)
Arxan Technologies, FS-ISAC, and IBM joined forces to deliver a presentation on how to protect your applications and data from emerging risks. This session will cover:
- The threat landscape regarding mobile payments
- How cybercriminals can hack your applications
- Comprehensive prevention and protection techniques
Mobile Enterprise Application Platform (Nugroho Gito)
mobile enterprise application, mobile application development, mobile enterprise, hybrid mobile, mobile security, reverse engineer, obfuscation, ibm, mobilefirst platform, bluemix, api management, mobile backend as a service
Keeping up with the Revolution in IT Security (Distil Networks)
For many of today’s businesses, web applications are their lifeline. The growing complexity involved in keeping these applications fast, secure, and available can be seen as a byproduct of shifts in how these apps are developed, deployed, and attacked. This discussion will explore how high level trends in today’s web environments and the cyber attack landscape are shaping tomorrow’s application security solutions.
Key Takeaways:
- Trends in contemporary web applications that are forcing security evolution
- How today’s cyber attack landscape impacts cybersecurity
- What modern IT security solutions look like
- Distil Networks Overview
This course provides an introduction to security for mobile applications. It walks through a basic threat model for a mobile application. This threat model is then used as a framework for making good decisions about designing and building applications as well as for testing the security of existing applications. Examples are provided for both iOS (iPhone and iPad) and Android platforms and sample code is provided to demonstrate mobile security assessment techniques.
Ekoparty 2017 - The Bug Hunter's Methodology - bugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program - bugcrowd
This webcast will analyze the key differences between the penetration testing and bug bounty models and explore why one company replaced their pen tests over the last three years.
If You Can't Beat 'Em, Join 'Em (AppSecUSA) - bugcrowd
Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.
AppSecUSA 2016: 'Your License for Bug Hunting Season' - bugcrowd
You don’t need a license for bug hunting season anymore. Bug bounty programs are becoming well established as a valuable tool in identifying vulnerabilities early. The Department of Defense has authorized its first bug bounty program, and many vendors are taking a fresh look. While the programs are highly effective, many questions remain about how to structure bug bounty programs to address the concerns that vendors and researchers have about controlling bug hunters, security and privacy, contractual issues with bug hunters, what happens if there is a rogue hacker in the crowd, and liability and compliance concerns. This presentation will cover the best practices for structuring effective bug bounty programs.
Talk originally given at AppSecUSA 2016 | October 13, 2016
Bug Bounty Tipping Point: Strength in Numbers - bugcrowd
Recorded on September 21, 2016, Casey Ellis, Bugcrowd CEO and Kymberlee Price, Sr. Director of Researcher Operations, explore current trends in the bug bounty market.
Grant McCracken and Daniel Trauner give tips for running a successful bug bounty program. From writing a clear bounty brief to communicating efficiently and effectively with researchers, this presentation, given originally at BSides Austin on April 1, 2016, is a great first step in thinking about running a bug bounty program.
Writing vuln reports that maximize payouts - Nullcon 2016 - bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV - bugcrowd
When used correctly, gamification can be one of the most effective tools for changing behavior on a large scale, but it requires more than just designing a few digital merit badges for doing security training. In this talk Kati Rodzon will discuss how games like Portal and Candy Crush were able to make millions and how those same techniques can be used to change security as we know it.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip... - bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Penetration testing is a security standard, but that doesn't mean it's the most effective means of assessment.
We'll discuss why crowdsourcing your security results in increased coverage and more complex security vulnerabilites while meeting your compliance requirements. We'll also introduce Flex, our crowdsourced pen test that provides increased results.
How to run a kick ass bug bounty program - Node Summit 2013 - bugcrowd
Bug bounty programs are all about getting good guys who think like bad guys to help you protect your business from application security flaws. In this workshop Casey Ellis and Chris Raethke from Bugcrowd, The Bug Bounty Company, will go through some of the tricks and tips of setting up and running a successful bug bounty program.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
- Create a campaign using Mailchimp with merge tags/fields
- Send an interactive Slack channel message (using buttons)
- Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
- Your campaign sent to target colleagues for approval
- If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
- But if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
- See how to accelerate model training and optimize model performance with active learning
- Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
- Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... - Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
2. Mobile Application Security Threats through the Eyes of the Attacker
2
Our Speaker
Jason is the Director of Technical Operations at Bugcrowd. He trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry’s relations with the researchers. Jason’s interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.
Jason Haddix
@jhaddix
3. Agenda
o Mobile is everywhere
o Top Ten Mobile App Risks
  What are they?
  What are some examples?
o Focusing on the big 3
o Resources for security and dev teams
o Questions
4. Mobile is everywhere
Mobile is computing
• There are 1.2 billion mobile users. By 2018 that number will be 5 billion.
• Mobile adoption is growing 8x faster than traditional web applications.
• Mobile payments will exceed $90 Billion by 2017
5. Mobile is everywhere
Attackers go where the users are
• It’s not just phones: tablets, IoT devices, etc. are all “mobile” now.
• With that kind of adoption, hackers have shifted to these new surface areas.
6. OWASP Mobile Top 10 Risks (2014 Draft)
M1 – Weak Server Side Controls
M2 – Insecure Data Storage
M3 – Insufficient Transport Layer Protection
M4 – Unintended Data Leakage
M5 – Poor Authorization and Authentication
M6 – Broken Cryptography
M7 – Client Side Injection
M8 – Security Decisions Via Untrusted Inputs
M9 – Improper Session Handling
M10 – Lack of Binary Protections
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks
8. Unintended Data Leakage
Take a look at your mobile OS and ensure that none of the operating system’s features leak private data.
iOS:
• Logging (NSLog in production)
• Application Background Screenshot
• URL Caching
• Keyboard Press Caching
• Copy/Paste buffer Caching
• Photo Sharing
Android:
• URL Caching (both request and response)
• Logging (Log.d)
• Exported Content Providers
9. http://s3jensen.blogspot.com/2014/02/credit-karma-ios-vulnerability.html
10. Pro-Tips for the mobile dev
Don’t Store or Store Securely
• If at all possible, don’t store passwords or PII.
• There are several storage mechanisms for each platform. Some are safer than others.
• iOS: When storage is necessary for small data fragments, use the iOS keychain. In addition, store all strings in encrypted format, even in the keychain. Never use plists for data storage (NSUserDefaults).
• iOS: For larger data-sets, files, and databases (Core Data or SQLite), utilize Apple’s Data Protection API with a minimum of the designation NSFileProtectionCompleteUnlessOpen.
• Android: Use the Android Keystore (encrypted values) and avoid saving to the external storage (SD card) as it is a shared storage mechanism.
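A tester-side check for two of the Android items above, exported content providers (slide 8) and use of shared external storage (slide 10), written as an added example that is not part of the original deck. The manifest it parses is constructed for illustration; the element and attribute names, and the rule that a provider without android:exported is exported by default before API 17, are the real Android ones.

```python
"""Audit an AndroidManifest.xml for exported content providers and for use of
shared external storage. Added example, not from the original deck; the
sample manifest is constructed, the element/attribute names are real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
EXTERNAL_STORAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def audit_manifest(manifest_xml: str) -> list:
    """Return (severity, message) findings for the given manifest text."""
    root = ET.fromstring(manifest_xml)
    findings = []

    # Before API 17 a <provider> without android:exported is exported by default.
    uses_sdk = root.find("uses-sdk")
    target = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1

    for provider in root.iter("provider"):
        name = _attr(provider, "name")
        exported = _attr(provider, "exported")
        is_exported = exported == "true" or (exported is None and target < 17)
        if not is_exported:
            continue
        protected = any(_attr(provider, a) for a in ("permission", "readPermission", "writePermission"))
        if protected:
            findings.append(("info", "provider %s is exported but permission-protected" % name))
        else:
            findings.append(("high", "provider %s is exported with no permission: any app can query it" % name))

    for perm in root.iter("uses-permission"):
        pname = _attr(perm, "name")
        if pname in EXTERNAL_STORAGE_PERMS:
            findings.append(("medium", "%s requested: files on external storage are readable by other apps" % pname))
    return findings


# Constructed manifest: one unprotected exported provider, one protected,
# one private, plus an external-storage permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
  <application android:label="Example">
    <provider android:name=".TransactionProvider" android:authorities="com.example.bank.transactions" />
    <provider android:name=".NotesProvider" android:authorities="com.example.bank.notes"
              android:exported="true" android:readPermission="com.example.bank.READ_NOTES" />
    <provider android:name=".CacheProvider" android:authorities="com.example.bank.cache"
              android:exported="false" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print(severity.upper(), message)
```

Point it at the manifest pulled from a decoded APK; the same rules are what drozer's provider enumeration would surface at runtime.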
12. Poor TLS implementations
Common Vulnerabilities
13. Over the Wire
o When the application runs, it will be talking to multiple servers.
o It will also be using an untrusted network 50% of the time.
o Always use HTTPS, disable HTTP endpoints.
o Set appropriate cookie flags: Secure, HttpOnly
o Use appropriate cipher strength for SSL
o Use appropriate certificate management calls
o Use Certificate pinning where possible
o https://github.com/iSECPartners/ssl-conservatory
14. Poor TLS implementations
Common Vulnerabilities
• Trusting any certificate it sees
• Allows expired certificates
• Allows trivial MiTM attacks
• Can connect to HTTPS once, and then fall back (mixed mode)
• ...and more
SSL Checklist for Penetration Testers
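A grep-style static check for the client-side TLS mistakes slides 13 and 14 list (trust-all certificate handlers, disabled hostname verification, iOS requests that accept any certificate, plain-HTTP endpoints), added here as an example and not taken from the deck. The source snippets it scans are constructed; the API names it matches are the real Android and iOS ones.

```python
"""Flag trust-all TLS handling and plain-HTTP endpoints in app source.
Added example, not from the original deck; scanned snippets are constructed,
the API names matched are the real Android/iOS ones."""
import re

# (rule id, pattern, what it means). re.S lets patterns span lines.
RULES = [
    ("trust-all-manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S),
     "empty checkServerTrusted body: every certificate is accepted"),
    ("allow-all-hostnames",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"
                r"|verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;", re.S),
     "hostname verification disabled: a valid certificate for any host is accepted"),
    ("ios-any-https-cert",
     re.compile(r"setAllowsAnyHTTPSCertificate:\s*YES"
                r"|allowInvalidCertificates\s*=\s*YES"
                r"|kCFStreamSSLValidatesCertificateChain[^;]*kCFBooleanFalse", re.S),
     "iOS request configured to accept any HTTPS certificate"),
    ("plain-http-endpoint",
     re.compile(r"""["']http://[^"'\s]+"""),
     "plain-HTTP endpoint: readable and alterable on an untrusted network"),
]


def scan_source(text: str) -> list:
    """Return [(rule_id, line_number), ...] sorted by line for one source file."""
    findings = []
    for rule_id, pattern, _description in RULES:
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            findings.append((rule_id, line))
    return sorted(findings, key=lambda f: f[1])


# Constructed Android snippet showing three of the mistakes at once.
JAVA_SAMPLE = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
String api = "http://api.example.test/v1/";
"""

# Constructed iOS (Objective-C) snippet using the private trust-anything call.
OBJC_SAMPLE = """\
NSURL *url = [NSURL URLWithString:@"https://api.example.test/login"];
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:url.host];
"""

# Constructed hardened snippet: HTTPS only, socket factory from a pinned context.
SAFE_SAMPLE = """\
URL url = new URL("https://api.example.test/v1/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(pinnedContext.getSocketFactory());
"""

if __name__ == "__main__":
    for label, sample in (("android", JAVA_SAMPLE), ("ios", OBJC_SAMPLE), ("hardened", SAFE_SAMPLE)):
        print(label, scan_source(sample))
```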
16. Highlights
Protect the Server
• The server side is the most often overlooked piece of the mobile application, and therefore usually yields the most critical vulnerabilities.
• Validate all input; use a whitelisting approach for special/control characters.
• While not a silver bullet, there are several open source WAFs and libraries depending on platform (ModSecurity, OWASP ESAPI, IIS security modules).
• Think about authentication API requests and how they can be abused.
• Keep webserver software and frameworks updated (this includes XML parsers ;)
• If the backend is web-service based, return the proper content type.
• Use POST instead of GET where possible.
• "Cache-Control: no-cache, no-store" is important.
17. OWASP Proactive Controls
1: Parameterize Queries
2: Encode Data
3: Validate All Inputs
4: Implement Appropriate Access Controls
5: Establish Identity and Authentication Controls
6: Protect Data and Privacy
7: Implement Logging, Error Handling and Intrusion Detection
8: Leverage Security Features of Frameworks and Security Libraries
9: Include Security-Specific Requirements
10: Design and Architect Security In
19. Proxy the application during QA testing to audit for data leakage
http://codewithchris.com/tutorial-using-charles-proxy-with-your-ios-development-and-http-debugging/
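One thing to do with the traffic captured through that proxy is to check each request/response pair against the transport and server-side settings from slides 13 and 16: HTTPS only, Secure/HttpOnly cookies, "Cache-Control: no-cache, no-store", a content type on web-service replies, and POST rather than GET for data-carrying requests. This is an added example, not the deck's or Charles Proxy's own code; the two exchanges it reviews are constructed.

```python
"""Review a captured request/response pair for the transport and server-side
settings the slides call out. Added example, not from the original deck; the
WEAK and HARDENED exchanges below are constructed."""


def audit_exchange(url: str, method: str, response_headers: list) -> list:
    """Return a list of findings for one request URL/method and its response
    headers, given as captured (name, value) pairs (repeats allowed)."""
    findings = []
    headers, cookies = {}, []
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            cookies.append(value)          # Set-Cookie may repeat, keep each one
        else:
            headers[name.lower()] = value

    if url.lower().startswith("http://"):
        findings.append("endpoint served over plain HTTP")
    if method.upper() == "GET" and "?" in url:
        findings.append("GET with query string: parameters land in URL caches and logs, prefer POST")

    for cookie in cookies:
        cname = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append("cookie %s lacks Secure flag" % cname)
        if "httponly" not in flags:
            findings.append("cookie %s lacks HttpOnly flag" % cname)

    cache = {d.strip().lower() for d in headers.get("cache-control", "").split(",") if d.strip()}
    if not {"no-cache", "no-store"} <= cache:
        findings.append("Cache-Control is not 'no-cache, no-store'")
    if not headers.get("content-type"):
        findings.append("no Content-Type on the response")
    return findings


# Constructed weak exchange: credentials in a GET over HTTP, bare cookie,
# cacheable response with no content type.
WEAK = ("http://api.example.test/login?user=alice&pass=hunter2", "GET",
        [("Set-Cookie", "session=abc123; Path=/"),
         ("Cache-Control", "public, max-age=3600")])

# Constructed hardened exchange for the same endpoint.
HARDENED = ("https://api.example.test/login", "POST",
            [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
             ("Cache-Control", "no-cache, no-store"),
             ("Content-Type", "application/json; charset=utf-8")])

if __name__ == "__main__":
    print("weak:", audit_exchange(*WEAK))
    print("hardened:", audit_exchange(*HARDENED))
```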
20. Check for unencrypted files
https://github.com/dmayer/idb
21. Data storage, protection, and testing on the device
iOS Developer
✓ iOS: Data Protection Classes
✓ iOS: Encrypted Core Data guide
✓ iOS Security Guide
iOS Tester
✓ idb iOS assessment tool
✓ OWASP iOS Testing Cheat Sheet
Android Developer
✓ Android: CERT Secure Coding Practices for Android
✓ Jssec.org Secure Android Coding Manual
Android Tester
✓ Android Debug Bridge (adb)
✓ Drozer Android Toolkit
22. Key Takeaways
1. Start with identifying and fixing the “top 3”
2. Keep a well-trained and staffed development and assessment team
3. Utilize provided resources
23. QUESTIONS?
bugcrowd.com | jhaddix@bugcrowd.com | @jhaddix