This is the first iteration of a talk that goes through some of the more ..."interesting" failures in web app security over the 2009-2010 assessment calendar.
How to integrate paytm payment gateway using react js in seven easy steps (Katy Slemon)
Are you stuck with integrating a payment gateway into your project? If yes, learn how to integrate the Paytm Payment Gateway using ReactJS in this guide.
Rebooting the Enterprise Security Program for Defensibility - ISSA Internatio... (Rafal Los)
These are the talk slides from ISSA International - discussing the need to reboot Enterprise Security to facilitate better defensibility, more intelligent security, and better operational capabilities.
Ultimate Hack! Layers 8 & 9 of the OSI Model (Rafal Los)
The vast chasm between business and Information Security must be bridged. In this talk from AtlSecCon in Halifax (Mar 2011) I discuss how Information Security professionals can 'hack' the management and budget layers of their daily work to get things done more effectively.
Cloud Security Alliance - Challenges of an elastic environment v8a [public] (Rafal Los)
These slides are from the talk given by me at the Chicago chapter of the Cloud Security Alliance, on January 11th '12 - speaking to the challenges that "Cloud Security" brings.
Operationalizing security intelligence for the mid market - Rafal Los - RSA C... (Rafal Los)
Security intelligence is only worthwhile if a relevant piece of information is obtained and analyzed in a timely manner and is able to aid a rapid decision-making process to mitigate an imminent threat – this capability is part of the new school security approach of Detect, Respond, Resolve with greater efficiency and speed, which mid-market enterprises should be benefiting from.
When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game". Additionally, "active defense" has been hopelessly confused by marketing hype even though its meaning is powerful to security's operational goals.
This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts, and a bunch of other tips and tricks to make sure your customer data stays secure.
Petr Dvořák: Mobile web services from an iPhone developer's perspective (WebExpo)
How best to approach communication between a mobile device and network services, how to set up cooperation when the server and the client are developed by different, often remote organizations, and why write web services at all when we have mobile internet...
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
A long time ago in a code base not so far away...
It's a time of prosperity and happiness. Development Teams have improved their coding skills and are now very familiar with writing code with proper DocBlock comments and unit tests, safeguarding their code bases against unwanted behaviour. But the evil Internet is building its new weapon against the Development Teams and sneaking through the gaps still uncovered by tests.
Will the Development Teams be in time to safeguard their code base again and bring peace and balance in the universe?
CONFidence 2017: Hacking Card Emulation - how to clone any Android HCE contac... (PROIDEA)
There is no doubt that mobile contactless payments have grown exponentially, and Host Card Emulation – the possibility to emulate payment cards on a mobile device, without dependency on special Secure Element hardware – has also significantly boosted the number of applications. HCE support for Android is usually delivered as an external, certified "black-box" library to compile into your application. Obviously vendors promise the "highest level of security" – including: card data tokenization, "secure element in the cloud", device fingerprinting, phone unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince the implementing bank that it is technically impossible to "clone" a virtual card from the owner's device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities for mobile malware to attack the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device caused confusion and uncertainty, at the very least, every time. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With the introduction of root-exploiting financial malware, the bad guys already have the technical means to attack HCE. Therefore it is now crucial to understand the associated risks and properly plan mitigation ahead. This presentation will start with a short introduction on HCE – including "ISIS"'s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences from a hardware Secure Element. We will cover several possibilities to attack HCE, and introduce a universal method of cloning any Android contactless payment to a different device, demoed using Google's own Android Pay. Several layers of security mechanisms to mitigate the risk will be presented along with some statistics on methods used by current applications in Poland. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Tadhack madrid June 2014: Joris Swinnen and WebRTC Nederland "Invite my colle... (Bart Uelen)
Tadhack madrid June 2014: Joris Swinnen and WebRTC Nederland "Invite my colleagues for video conference" showcase. Or how to invite your colleagues to a video chat room by giving them a phone call from a webpage or sending an SMS from the same page using WebRTC and telco APIs.
Insight User Conference Bootcamp - Use the Engagement Tracking and Metrics A... (SparkPost)
Make it easier on yourself. Find out how the APIs in SparkPost, SparkPost Elite and Momentum can do more than generate and send messages. Take a lesson on obtaining fine-grained information about your customers' preferences and actions using metadata and tags. Learn how to measure if open and click rates are meeting your objectives. And leave with ample intelligence to enrich your business processes using real-time analytics.
Veryfi API for document data extraction (OCR) & tax coding (Ernest Semerda)
Presentation of Veryfi's API to do real-time data extraction from images using Veryfi's proprietary OCR. Includes tax coding. Based on Veryfi's machine models, which are regularly updated.
Perfect for companies wanting to automate their document data extraction in real-time and those doing anything with pre-accounting (bookkeeping) duties. Let the machines help you :-)
The API has been fine-tuned on receipts and we are expanding our invoice support. This is the same API used in all our Veryfi apps https://veryfi.app/
More info on the API here: https://www.veryfi.com/api/
CIS 2015b FIDO U2F in 10 minutes - Dirk Balfanz (CloudIDSummit)
In just under two years the FIDO Alliance has produced a pair of specifications for strong authentication that have already been deployed at scale by some of the biggest brands in the world: the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F). Now the Alliance is working on adding additional methods for standards-based strong authentication. Come learn about these protocols and walk away with knowledge on what is available now, what is coming (hint: BLE, NFC, platform optimization), and what it takes to roll out strong authentication across your enterprise and to your customer base.
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ... (Start Pad)
Damon Cortesi of Alchemy Security presents the most effective ways to plug the most common holes found in web services. Learn about XSS, SQL injection, and why you should care about these things now instead of later.
The 7 Things I Know About Cyber Security After 25 Years | April 2024 (Rafal Los)
I've been in the field of "Cyber Security" in its many incarnations for about 25 years. In that time I've learned some lessons, some the hard way.
Here are my slides presented at BSides New Orleans in April 2024.
The 5 Ps of Preparedness - Hope is Not a Strategy [1].pdf (Rafal Los)
Preparedness for cyber security incidents - of all kinds - is formulaic. Unfortunately, many organizations don't follow these five principles, or don't take them seriously enough.
Similar to Oh No They Didn't! 7 Web App Security Stories (v1.0)
Irrational But Effective - Applying Parenthood Lessons to Cyber Security (Rafal Los)
It might seem crazy, but as a parent you're more prepared than you think to be a cyber security professional and leader. Check this talk to see what I, with 8-year-old twins, can tell you from my experiences.
From management, to leadership, to threat analysis and incident response - it's all related.
SAINTCON 21 - Of Sandcastles and Luck (Fixing Vulnerability Management) (Rafal Los)
Vulnerability Management.
Yes, it's an old topic, and technical debt (tech debt) is overwhelming - but accountability in IT is fraught with peril.
Vulnerability Management needs an overhaul, and this talk discusses all the things you're probably not thinking about, but should be addressing right now.
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En... (Rafal Los)
Vulnerability Management is more than patching your systems. A programmatic approach to risk reduction is critical, but often under-performing. This talk provides insight on how to implement a functional program.
5 Things CFOs Need to Know About Enterprise Security - HP CFO Summit 2013 (Rafal Los)
The Chief Financial Officer (CFO) plays a critical role in Enterprise Security - but rarely gets a direct glimpse at some of the challenges, and no-frills realities of the challenge of defending an enterprise. This talk provides 5 key take-aways for CFOs.
Operationalizing Security Intelligence [ InfoSec World 2014 ] (Rafal Los)
Security intelligence is only worthwhile if a relevant piece of information is obtained and analyzed in a timely manner and is able to aid a rapid decision-making process to mitigate an imminent threat – this capability is part of the new school security approach of Detect, Respond, Resolve with greater efficiency and speed, which all enterprises should be benefiting from.
Threat modeling the security of the enterprise (Rafal Los)
Many IT Security professionals simply do not understand "threat modeling" - or how an attack at component A can ultimately affect components B, C, and D ... this example-based (and very, very high-level) talk hopes to get you interested in threat modeling and understanding how things are connected - in order to give you a chance to build your defenses.
Making Measurable Gains - Contextualizing 'Secure' in Business (Rafal Los)
What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.
Security BSides Atlanta - "The Business Doesn't Care..." (Rafal Los)
This is my talk from Security BSides Atlanta ... the talk discusses how the disconnect between security and business keeps getting wider, why, and what to do about it.
The Future of Software Security Assurance (Rafal Los)
This talk is from ISSA International 2011, reflecting a look out over the horizon of Software Security Assurance for the next 20 years. Fundamentally, we must be able to start with 1 question - "Can you trust your software?" ...and if you can't say "Yes!" for certain, it's time to start somewhere.
Defying Logic - Business Logic Testing with Automation (Rafal Los)
Straight from Black Hat Europe - this talk lays the foundation for going-forward research and development into whether 'business logic' can be tested using automation and seeks to define boundaries, key assertions, and a roadmap for further work.
Into the Rabbithole - Evolved Web App Security Testing (OWASP AppSec DC) (Rafal Los)
This talk, from the 2010 OWASP AppSec DC session of the same title, is all about better, more evolved web application security testing utilizing automation!
The QA Analyst's Hacker's Landmark Tour v3.0 (Rafal Los)
This talk is geared towards QA Analysts who want to start to understand the mindset of the 'hacker', and start thinking about web application security testing concepts.
Magic Numbers - 5 KPIs for Measuring SSA Program Success v1.3.2 (Rafal Los)
If you've ever wanted to know how a Software Security Assurance program can have a closer tie-in with a business-level conversation, this is the presentation you can't miss.
StarWest 2009 - Detective Work For Testers: Finding Workflow Based Defects (Rafal Los)
Do you know why your software testing strategy isn't finding many of the "really big" bugs hidden in the web-based software your company churns out? Find out now...
For those of you who missed it, this is my slide deck from SecTor 2009, "When Web 2.0 Attacks!" ... a reference to Web 2.0 and the many technologies that make up the mish-mash that makes today's web application landscape so impossible to secure.
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days, 6.6.2024
The climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are the slides of the talk given at the IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW 2022).
UiPath Test Automation using UiPath Test Suite series, part 5 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf (Peter Spielvogel)
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
3. Story #1 – “Loyalty-free”
The Story…
- Utilizing a restaurant delivery service; website-driven interaction
- During the transaction the credit card was input incorrectly; the transaction was rejected, but “loyalty points” still accrued
- Result: a logic flaw exposing the website to scripted attack via CSRF
Lesson(s) Learned…
- The purchase process should be protected against CSRF (many options)
- Test, test, test and test again
- Manual security testing is required; you can’t just “scan”!
- Logic flaws can be discovered … advanced EFD-based tools are needed
15 October 2010
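Added example (not from the talk) of the two server-side fixes Story #1 calls for: a session-bound CSRF token on the purchase form, and loyalty points that accrue only when the charge succeeds. The `card_authorized` flag standing in for the payment gateway's answer, the session ids and the point value are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side key for this example; a real service loads it from config.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: nonce.HMAC(key, session_id:nonce).
    A page on another origin cannot obtain one for the victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time check that the submitted token was issued for this session."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_purchase(session_id: str, form: dict, card_authorized: bool) -> dict:
    """Purchase handler for the delivery site. card_authorized stands in for the
    payment gateway's answer (constructed for the example). Two fixes from the story:
    the form must carry a valid token, and loyalty points accrue only when the
    charge actually succeeds, never on a rejected transaction."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return {"status": "rejected", "reason": "missing or invalid CSRF token", "points": 0}
    if not card_authorized:
        return {"status": "rejected", "reason": "card declined", "points": 0}
    return {"status": "accepted", "points": 10}
```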
4. Story #2 – Web coupons
The Story…
- Large national pizza chain wants a 2-part marketing campaign
- 2 coupons: 1 for a $5 pizza, one for a FREE pizza
- Marketing agency creates a Flash! app and codes the logic into the client (both coupon codes)
- Accidental discovery leads to 11,000 free pizzas … oops
Lesson(s) Learned…
- Never perform critical business logic on the client
- Marketing teams don’t know about security … don’t understand
- Flash! can/will be decompiled and inspected … be aware
6. Story #3 – Hold this encryption key
The Story…
- Flash application sending “encrypted” data across the wire; context: play a game, win a prize
- “Encryption” scheme (including key) embedded in the Flash application
- Download, decompile, repurpose and win every time?
Lesson(s) Learned…
- It’s not encryption if you also give me the scheme + key
- Flash! can/will be decompiled and inspected … be aware
- Security testing would reveal the weakness … other ideas for solving this?
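Added example (not from the talk) for Story #2 and Story #3: the coupon decision moved off the client and onto the server, where the codes, the per-customer limit and the campaign cap live and the client only ever learns the outcome. The coupon codes, discounts and caps are constructed for the example.

```python
import hmac

# Constructed server-side coupon registry for the pizza campaign. Codes and the
# rules for using them live only here, never in anything shipped to the client.
DEMO_COUPONS = {
    "PIZZA5": {"discount": "$5 pizza", "per_customer": 1, "global_cap": None},
    "FREEPIE": {"discount": "free pizza", "per_customer": 1, "global_cap": 500},
}


class CouponRegistry:
    def __init__(self, coupons: dict):
        self.coupons = coupons
        self.redemptions = {code: [] for code in coupons}  # code -> customer ids

    def lookup(self, submitted: str):
        """Match against every known code in constant time so response timing does
        not reveal how much of a guessed code was right."""
        candidate = submitted.strip().upper().encode()
        for code, rule in self.coupons.items():
            if hmac.compare_digest(code.encode(), candidate):
                return code, rule
        return None, None

    def redeem(self, submitted: str, customer_id: str) -> dict:
        """The decision the Flash app was making on the client, moved to the server:
        is this code real, has this customer used it up, is the campaign exhausted?"""
        code, rule = self.lookup(submitted)
        if code is None:
            return {"ok": False, "reason": "unknown coupon"}
        used = self.redemptions[code]
        if used.count(customer_id) >= rule["per_customer"]:
            return {"ok": False, "reason": "per-customer limit reached"}
        cap = rule["global_cap"]
        if cap is not None and len(used) >= cap:
            return {"ok": False, "reason": "campaign limit reached"}
        used.append(customer_id)
        return {"ok": True, "discount": rule["discount"]}
```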
8. Story #4 – Pwn3d (ouch)
The Story…
- Commercial, templated online restaurant menu & ordering system
- Developer believed there was no need to test: “why would anyone want to hack this?”
- SQL Injection hole found … app had already been compromised
- App was distributing the Zeus bot (and other malware) to customers!
Lesson(s) Learned…
- Arrogance is more deadly than lack of knowledge
- SQL Injection is not a highly complex attack (‘or 1=1 to detect)
- Not only vulnerable: now a liability and an investigation
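Added example (not from the talk) showing the string-built query behind Story #4 next to the parameterized fix, run against a constructed in-memory SQLite table, plus a coarse log-triage check for the tautology probe the slide mentions. The table, rows and function names are assumptions of this example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the ordering system's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 18.5), (2, "bob", 42.0), (3, "carol", 7.25)],
    )
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The 'before' form from the story: request data pasted into the query text,
    so the quote in a probe like ' or 1=1 ends the literal and rewrites the WHERE clause."""
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_safe(conn: sqlite3.Connection, customer: str) -> list:
    """The fix: the value is bound as a parameter, so it can only ever be compared
    against the column, never parsed as SQL."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def flag_suspicious_param(value: str) -> bool:
    """Coarse log-triage check for the tautology probe mentioned on the slide; useful
    for spotting scanning in request logs, not a substitute for parameterization."""
    v = value.lower().replace(" ", "")
    return "'or1=1" in v or "'or'1'='1" in v
```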
9. Story #5 – Predictable
The Story…
- Online retail shopping cart sends an email with a “customer ID”-based order retrieval system (no passwords!)
- Customer can save shipping details, payment information…
- Predictable customerID parameter in the URL (CustID=aaaabbbcccdddd)
- Alpha-numeric, non-case-sensitive … but predictable
Lesson(s) Learned…
- It can be a hassle, but require users to fully “register” (userID + pwd)
- Randomize at least a 32-bit alpha-numeric string for CustID
- Predictable IDs exposed customer data, critical payment info!
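Added example (not from the talk) for Story #5: a CustID generator that draws from the OS CSPRNG over the case-insensitive alphanumeric alphabet the slide describes, sized from an entropy floor, together with a quick audit of an existing ID sample for the template-style scheme in the story. The 128-bit default floor and the `looks_predictable` heuristic are assumptions of this example.

```python
import math
import secrets
import string

# The slide's CustID was alphanumeric and not case-sensitive, so count entropy over
# 36 symbols (digits + one case of letters), not 62.
ALPHABET = string.digits + string.ascii_lowercase


def bits_of_entropy(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of the given length over the alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(min_bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Shortest length that reaches the entropy floor."""
    return math.ceil(min_bits / math.log2(alphabet_size))


def new_customer_id(min_bits: int = 128) -> str:
    """Unguessable CustID from the OS CSPRNG. The floor here (128 bits, an assumption
    of this example) sits well above the 32-bit minimum the slide asks for."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length_for_bits(min_bits)))


def looks_predictable(ids: list, min_varying_fraction: float = 0.5) -> bool:
    """Quick audit of a sample of existing IDs: if most character positions never
    change across the sample (the aaaabbbcccdddd-style scheme from the story),
    the IDs come from a counter or template, not from random data."""
    if len(ids) < 2:
        return False
    width = max(len(i) for i in ids)
    padded = [i.ljust(width) for i in ids]
    varying = sum(1 for pos in range(width) if len({i[pos] for i in padded}) > 1)
    return varying / width < min_varying_fraction
```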
10. Story #6 – Name your own price
The Story…
- Critical application for customers to purchase extremely high-value replaceable parts for power-generation systems
- Parameter “NetCost” present in the URL and POST body
- Server accepts the NetCost price from the POST body on the final page of checkout
Lesson(s) Learned…
- Never, ever, ever, ever trust anything you send to the client
- The server should always hold the “record of truth”
- Validate against server-known data prior to processing checkout
- Test, test, test … this is a business logic flaw!
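Added example (not from the talk) of the Story #6 fix: the final checkout step prices the cart from a server-side catalog and uses the posted NetCost only to log a discrepancy, never to charge. The part numbers, prices and response fields are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price list: the checkout's only "record of truth".
CATALOG = {
    "turbine-blade-7B": Decimal("48250.00"),
    "seal-kit-220": Decimal("1890.50"),
}


class CheckoutError(Exception):
    pass


def server_total(cart: dict) -> Decimal:
    """Price every line from the catalog; unknown parts or bad quantities abort."""
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG:
            raise CheckoutError(f"unknown part {sku!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise CheckoutError(f"invalid quantity for {sku!r}")
        total += CATALOG[sku] * qty
    return total


def process_checkout(cart: dict, posted: dict) -> dict:
    """Final checkout page. Whatever the client posted as NetCost is never used for
    the charge; it is only compared with the server figure so tampering gets logged."""
    try:
        total = server_total(cart)
    except CheckoutError as exc:
        return {"status": "rejected", "reason": str(exc)}
    mismatch = False
    if "NetCost" in posted:
        try:
            mismatch = Decimal(str(posted["NetCost"])) != total
        except InvalidOperation:
            mismatch = True  # non-numeric junk in a price field is itself a signal
    return {"status": "accepted", "charged": str(total), "client_price_mismatch": mismatch}
```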
11. Story #7 – But wait, there’s MORE
The Story…
- Demonstrating a web app security testing tool against a customer application
- SQL Injection hole found, exploited at the MS SQL Server
- Server was clustered, on the internal network, with extended stored procedures
- Mission-critical web-application database on an internal, AD-based network
Lesson(s) Learned…
- So many layers of fail … layered upon SQL Injection (testable!)
- Separate your databases by criticality
- Remove non-necessary stored procedures, secure privileges
12. Contribute …
Do you have a story that’s too funny not to be true? SHARE IT!
13. Done.
Rafal M. Los, Security Evangelist
@Wh1t3Rabbit
Rafal@HP.com
Hp.com/go/white-rabbit