This document outlines an agenda for a 2-hour OWASP Cloud Security Workshop. The workshop will introduce participants to Behavior Driven Development (BDD) and threat modeling. It will include group exercises in story writing using BDD and threat modeling a cloud environment. Participants will learn about BDD, writing good stories, threat modeling methodology, and have the opportunity to contribute to the OWASP Cloud Security project. The project aims to grow its community and library of threat and control stories through running the workshop.
Using Stories to Test Requirements and Systems (Paul Gerrard)
The document discusses using business stories to test requirements and systems. It explains that stories can help identify omissions, inconsistencies, and ambiguity in requirements. Stories are applicable at any stage of a project for different purposes. Structured stories follow a common format with a header, scenarios with given/when/then structures, and can have multiple scenarios to test different conditions. Stories can validate requirements by example and generate both manual and automated test cases. The document argues that a structured, disciplined approach to stories can benefit both agile and structured development approaches.
This document discusses test-driven development (TDD) and behavior-driven development (BDD). It defines TDD as a process of writing automated tests before code to define desired functionality, then writing minimum code to pass tests and refactoring. BDD combines TDD techniques with domain-driven design and focuses on user stories over functions to promote communication. The document provides an example of using BDD to generate scenarios for a life insurance risk example, and shows how TestBox can be used to write automated tests based on those scenarios.
This document discusses test-driven development (TDD) and behavior-driven development (BDD). It defines TDD as a process of writing automated tests before code to define desired functionality, then writing minimum code to pass tests and refactoring. BDD combines TDD techniques with domain-driven design and aims to facilitate collaboration between developers and business stakeholders. The document provides an example of using BDD to specify scenarios for generating life insurance risk quotes. It also outlines how to structure tests in TestBox and run test bundles.
This document provides an introduction to Behavior Driven Development (BDD). It discusses that BDD involves collaboration between stakeholders like business analysts, developers, and testers to develop software through examples. The BDD workflow involves stakeholders discussing features and scenarios, writing them formally using a language like Gherkin, and automating the tests. BDD fits into testing by providing executable specifications and faster feedback. While tools like Cucumber support BDD, simply using the tools does not constitute BDD without the underlying collaboration process. The document outlines benefits like collaboration and challenges like requiring strong stakeholder involvement.
Scenario Based Learning using Rapid eLearning Tools (Traci Weiss)
The document discusses using scenario-based learning for adult education and provides examples of incorporating scenarios into rapid eLearning tools. It describes challenges in designing scenario-based learning due to time or system constraints. Three case studies show how scenarios were used in an Adobe Presenter course, a webcast, and an Articulate/Lectora course for banking, wireless, and financial clients. The key is engaging learners through realistic scenarios that demonstrate applying concepts to their jobs.
Scenario based learning using rapid tools with screen shots (Traci Weiss)
The document discusses using scenario-based learning for adult education and provides examples of incorporating scenarios into rapid eLearning tools. It describes challenges in designing scenario-based learning due to time or system constraints. Three case studies show how scenarios were used in an Adobe Presenter course, a webcast, and an Articulate/Lectora course for banking, wireless, and financial clients. Scenarios brought topics to life by modeling real-world situations.
Xp 2016 superchargeyourproductbacklogwithuserstories-suzannelaz (Laz Allen)
This document summarizes a workshop on supercharging a product backlog with user stories. The workshop covers defining user stories, examples of user stories, splitting large stories into smaller ones, acceptance criteria, and product backlog refinement. Attendees participate in hands-on exercises to practice writing, critiquing, and splitting user stories. The document emphasizes that user stories should describe features from the perspective of users or stakeholders and focus on value and benefits.
The document discusses a project to implement a dynamic workflow system using EMC Documentum xCP to streamline an approval process for over 200 documents per month at a financial services company. Key aspects included gathering requirements, designing a single workflow to handle 30+ document types and reviews by 16 departments, and using custom methods like "Gatekeeper" and "Keymaster" to dynamically route documents and track completion. The results were a significant increase in productivity and cost savings of $9700 per user.
Cucumber is a tool that supports Behavior Driven Development (BDD). It allows writing automated tests in a natural language format called Gherkin. Cucumber reads executable specifications written in Gherkin and verifies that the software behaves as described. It generates reports indicating whether each test scenario passed or failed. Gherkin scenarios use keywords like "Given", "When", "Then" to describe initial contexts, events, and expected outcomes. Step definitions connect the Gherkin steps to code that implements the test behavior. Cucumber helps involve non-technical stakeholders and focuses testing on the user experience.
Through the webinar, she will give an introduction to the user story concept: how to create them, how they can help us build better products for our customers, and do's and don'ts.
Reviewing progress in the machine learning certification journey
Special Addition - Short tech talk on How to Network by Qingyue (Annie) Wang
Content review on AI and ML on Google Cloud by Margaret Maynard-Reid
A focused content review on ML problem framing, model evaluation, and fairness by Sowndarya Venkateswaran.
A discussion on sample questions to aid certification exam preparation.
An interactive Q&A session to clarify doubts and questions.
Previewing next steps and topics, including course completions and material reviews.
The document discusses test-driven development (TDD) and behavior-driven development (BDD) principles and practices for writing concise, valuable acceptance tests and user stories. Key points include using the INVEST criteria to evaluate user stories, focusing tests on business value through concrete examples and domain language over implementation details, and organizing testing code and files effectively.
"Threat Model Every Story": Practical Continuous Threat Modeling Work for You... (Izar Tarandach)
How to do threat modeling in the age of Agile and DevOps. A practical methodology for teams focusing on developers. Also, an introduction to PyTM as a tool for threat-modeling-with-code.
DIY guide to runbooks, incident reports, and incident response (Nathan Case)
In this session, we explore the cost of incidents and consider creative ways to look at future threats. We walk you through the threat landscape, looking at what has happened over the last year. Learn about the best open-source tools to have in your security arsenal now and in the future to help you detect and deal with the threats of today and tomorrow. Finally, learn how to identify where these threats are coming from and how to detect them more easily. The information in this session is provided by various teams and sources.
Building the "right" regression suite using Behavior Driven Testing (BDT) (Anand Bagmar)
This document discusses building an effective regression test suite using Behavior Driven Testing (BDT). It introduces key concepts like the test pyramid, which describes the ideal distribution of test types from unit to UI tests. BDD and BDT are also covered, explaining how they help define testable behaviors and ensure tests are business-focused. Finally, different styles of writing test specifications like imperative and declarative are compared. The overall goal is to establish a shared understanding of what is being tested through well-defined behavioral tests.
Agile Requirements are lightweight by design, so what can you do as the BA to convey requirements in a concise yet comprehensive way? How can you include real examples in your requirements to increase clarity and reduce ambiguity when working with your team?
In this presentation, Rebecca Halstead shares how to incorporate examples in your requirements as a way to encourage collaboration and build a shared understanding about the acceptance criteria. Rebecca delivered this presentation on Agile Requirements at the International Institute of Business Analysis, DC Chapter meeting on March 20, 2014.
Generative AI Masterclass - Model Risk Management.pptx (Sri Ambati)
Here are some key points about benchmarking and evaluating generative AI models like large language models:
- Foundation models require large, diverse datasets to be trained on in order to learn broad language skills and knowledge. Fine-tuning can then improve performance on specific tasks.
- Popular benchmarks evaluate models on tasks involving things like commonsense reasoning, mathematics, science questions, generating truthful vs false responses, and more. This helps identify model capabilities and limitations.
- Custom benchmarks can also be designed using tools like Eval Studio to systematically test models on specific applications or scenarios. Both automated and human evaluations are important.
- Leaderboards like HELM aggregate benchmark results to compare how different models perform across a wide range of tests and metrics.
Product design for Non Designers - Montreal Digital Nomad Meetup (Sebastian Tory-Pratt)
The basic principles of product design are very simple. And you don't need to be able to code to start building your product. This deck introduces some basic principles to help you start moving from idea to tangible product.
The document provides an overview of event processing, including its history, current state, and future trends. It discusses event processing concepts like events, patterns, context, and languages. It also outlines some challenges like ordering events in distributed systems and dealing with uncertainty. The future trends highlighted include expanding applications of event processing, diversifying platforms and quality of service needs, standardizing aspects of event processing, and making it more accessible to non-programmers.
MEMSI January 2018: DE2- What can you do for your customer? + DE 5 - Hypothes... (Elaine Chen)
This document discusses product development and testing methodologies. It emphasizes defining hypotheses about customer needs and desires, then rapidly building minimum viable products to test those hypotheses. Several examples are provided of hypotheses that could be tested for a hypothetical frozen treat business, as well as examples of minimum viable products and experiments used to validate or invalidate hypotheses. The document stresses testing assumptions early and often through small, low-cost experiments.
Maelscrum / Business Story Manager Overview (Paul Gerrard)
The document provides an overview of the Business Story Method, Story Platform, and Maelscrum tool. It describes how the method is used for requirements analysis, planning, execution and reporting. The Story Platform brings together the Business Story Manager and Maelscrum tools to support the method. Maelscrum allows users to create requirements, stories, scenarios, processes and link them to enable traceability and testing.
EuroSTAR Software Testing Conference 2013 presentation on Readable, Executable Requirements: Hands-On by Emily Bache.
See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
This document provides an overview of using VBA (Visual Basic for Applications) to automate tasks in Microsoft Word. It discusses the macro recorder's limitations and introduces the VBA editor. It also covers basic VBA concepts like objects, properties, methods, and events. Finally, it shows how to add user interfaces, loops, and conditional logic to macros to make them more intelligent and customizable.
Specification-by-Example: A Cucumber Implementation (TechWell)
We've all been there. You work incredibly hard to develop a feature and design tests based on written requirements. You build a detailed test plan that aligns the tests with the software and the documented business needs. When you put the tests to the software, it all falls apart because the requirements were updated without informing everyone. But help is at hand. Enter business-driven development and Cucumber, a tool for running automated acceptance tests. Join Mary Thorn as she explores the nuances of Cucumber and shows you how to implement specification-by-example, behavior-driven development, and agile acceptance testing. By fostering collaboration for implementing active requirements via a common language and format, Cucumber bridges the communication gap between business stakeholders and implementation teams. If you experience developers not coding to requirements, testers not getting requirements updates, or customers who feel out of the loop and don't get what they ask for, be here!
The document discusses planning for content reuse, including analyzing existing content, anticipating future needs, and building a content repository. It recommends designing a content model that supports topic-based writing and reusable content units. The document provides examples of content inventories, information types, and templates to help structure content for reuse.
The importance of graphs in a security domain and a process of identifying risks and mapping with required mitigation activities.
Keynote presentation delivered at the Open Security Summit 2018 by Dinis Cruz.
Working in cross functional teams - The benefits (and Moonpig’s learnings) (Open Security Summit)
This document discusses the benefits of cross-functional teams over traditional functional structures. It outlines Moonpig's journey of reorganizing from functional to cross-functional teams called "honeycombs" and "squads". While this initial approach had some issues, it led to growth and improved efficiency. Moonpig is now further evolving its structure with "tribes" of aligned squads and "pods" to better organize larger squads. The overall goal is to continuously improve processes and embed a culture of learning through experimentation.
Two scenarios were mapped by participants following an explanation/overview by Tony Richards. First, we mapped how to make a cup of tea. Second, we mapped an AWS attack.
This document discusses using Slack bots and Zapier to automate tasks and integrate various tools. It provides instructions on setting up Zapier to read messages from Slack and write responses. Example bots presented include a help function, sending notifications via webhooks, checking weather using an API, receiving Github pull notifications, and receiving new JIRA tickets. The document concludes by mentioning building more complex automated workflows and processes using Zapier.
#w-cell-struc-security Wardley Maps: Cell Bases structures for Security (Open Security Summit)
The document discusses doctrines and principles for organizing work using cell-based structures. It advocates dividing teams into smaller cells based on aptitude and attitude. The doctrines emphasize using appropriate methods for each problem, thinking small by focusing on details, and designing organizations for constant evolution.
Deng Xiaoping once described managing the economy as crossing the river by feeling the stones—in other words have a direction but be adaptive. But in a world of constant change, how do you determine the right thing to do? Which pebble to tread on? How do you understand where you’re going and where you need to go? How do you know if your strategy is right? Is there even such a thing?
Simon Wardley examines the issue of situational awareness and explains how it applies to technology. Using examples from government and the commercial world, he explores how you can map your environment, identify opportunities to exploit, and learn to play the game.
Keynote session by Simon Wardley.
Presented at: https://open-security-summit.org/
This document discusses Wardley mapping, which is a technique for visualizing value chains and markets. It provides examples of using maps to understand user needs, product evolution, flows of capital and risk, bottlenecks in processes, and costs. Wardley mapping helps analyze how products transition from custom to commodity and how this impacts strategy, execution, and policy around standards and regulation.
This document describes Focal Point's cyber risk quantification services for insurance underwriting. It outlines a four-step roadmap for measuring an organization's cyber risk profile to inform insurance strategies. The first step leverages an organization's existing NIST Cybersecurity Framework assessment. The second step involves further evaluating cyber risks through an online self-assessment or deeper evaluation. The third step uses Monte Carlo modeling to measure potential cyber loss scenarios. The fourth step provides insights to define an appropriate risk strategy and optimize insurance coverage, limits, and deductibles. The document argues this approach helps organizations better understand cyber risks, prioritize mitigation options, and make informed decisions about cyber insurance.
5th LF Energy Power Grid Model Meet-up SlidesDanBrown980551
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Digital Marketing Trends in 2024 | Guide for Staying AheadWask
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
2. Agenda
• Workshop introduction - 5 mins
• Introduction to Behaviour Driven Development - 10 mins
• Group story writing and discussion - 20 mins
• Introduction to threat modeling - 10 mins
• Group threat modeling and discussion - 20 mins
• Using BDD for security - 10 mins
• Group threat story writing and discussion - 20 mins
• Individual threat story writing - 20 mins
• Final remarks - 5 mins
28. Example feature
Feature: Google Searching
  As a web surfer, I want to search Google, so that I can learn new things.
  Scenario: Simple Google search
    Given a web browser is on the Google page
    When the search phrase "panda" is entered
    Then results for "panda" are shown
The user story: a free-text description of the feature. Generally covers who, what and why, but not necessarily in that order. More than one story is possible.
A free-text description of the test case. A feature can have one or more scenarios. In this case we’re using a BDD language called Gherkin.
Scenarios are made up of Given, When, Then statements (also And, But). Each statement is a step that is executed by the BDD framework.
https://automationpanda.com/2017/01/26/bdd-101-the-gherkin-language/
29. A few more examples...
Feature: Buying food
  In order to eat, as a citizen, I want to buy food
  Scenario: Going to the supermarket
    Given a shopping list of items
      | item  |
      | milk  |
      | bread |
      | eggs  |
    And a shopping basket
    When I add the items to my basket
    And I pay for the items in my basket
    Then I can take the items home
A table with one or more columns is used in the step above it.
Multiple Givens and Whens are combined with And.
31. Adding numbers feature
Feature: Adding numbers
  In order to solve simple maths problems
  As an engineer
  I want to add numbers together
  Scenario Outline: Adding two numbers
    Given two input integers "<a>" and "<b>"
    When we add the two numbers together
    Then the result must equal the integer "<result>"
    Examples: Numbers
      | a  | b  | result |
      | 5  | 5  | 10     |
      | 5  | 3  | 8      |
      | 15 | -5 | 10     |
Who wants to add numbers, and why?
A Scenario Outline can repeat a scenario for each of the provided examples.
32. Writing feature steps
from behave import given, when, then  # the decorators must be imported by name
from add import *  # add(a, b) lives in add.py, the code under test

@given('Two input integers "{a}" and "{b}"')
def step_impl(context, a, b):
    # "{a}" and "{b}" are captured from the step text as strings
    context.a = int(a)
    context.b = int(b)

@when('We add the two numbers together')
def step_impl(context):
    # context carries state between steps of one scenario
    context.result = add(context.a, context.b)

@then('The result must equal the integer "{result}"')
def step_impl(context, result):
    assert context.result == int(result)
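To show what the framework does with the feature and step definitions above, here is a minimal stand-in runner written as an added illustration for this page; it is not behave's code and not part of the slides, and it embeds the "Adding numbers" feature as its input.

```python
"""Minimal Gherkin-style runner for the "Adding numbers" feature above.
Added illustration written for this page, not behave itself: it shows how a
BDD framework expands a Scenario Outline over its Examples table and matches
each step line to a decorated Python function."""
import re

STEPS = []  # registry of (keyword, compiled regex, handler)


class Context:
    """Shared state handed to every step, like behave's `context` object."""


def step(keyword, pattern):
    """Register a handler; "{name}" placeholders become named capture groups."""
    parts = re.split(r"\{(\w+)\}", pattern)  # text, name, text, name, ...
    regex = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>.+?)"
                    for i, p in enumerate(parts))
    compiled = re.compile(f"^{regex}$", re.IGNORECASE)

    def register(func):
        STEPS.append((keyword, compiled, func))
        return func
    return register


def add(a, b):
    """The code under test (the slides import this from an `add` module)."""
    return a + b


@step("Given", 'two input integers "{a}" and "{b}"')
def given_numbers(context, a, b):
    context.a, context.b = int(a), int(b)


@step("When", "we add the two numbers together")
def when_add(context):
    context.result = add(context.a, context.b)


@step("Then", 'the result must equal the integer "{result}"')
def then_result(context, result):
    assert context.result == int(result), f"{context.result} != {result}"


def parse_table(lines):
    """Turn `| a | b |` rows into dicts keyed by the header row."""
    rows = [[c.strip() for c in ln.strip().strip("|").split("|")] for ln in lines]
    header, *body = rows
    return [dict(zip(header, r)) for r in body]


def expand_outline(feature_text):
    """Yield one concrete step list per Examples row, <placeholders> filled in."""
    lines = [ln.strip() for ln in feature_text.strip().splitlines() if ln.strip()]
    steps, table, in_examples = [], [], False
    for ln in lines:
        if ln.startswith("Examples"):
            in_examples = True
        elif in_examples and ln.startswith("|"):
            table.append(ln)
        elif ln.split()[0] in ("Given", "When", "Then", "And", "But"):
            steps.append(ln)
    for row in parse_table(table):
        yield [re.sub(r"<(\w+)>", lambda m: row[m.group(1)], s) for s in steps]


def run_scenario(step_lines):
    """Execute one concrete scenario; And/But reuse the previous keyword."""
    context, keyword = Context(), None
    for line in step_lines:
        word, text = line.split(" ", 1)
        keyword = keyword if word in ("And", "But") else word
        for kw, regex, handler in STEPS:
            match = regex.match(text)
            if kw == keyword and match:
                handler(context, **match.groupdict())
                break
        else:
            raise LookupError(f"no step definition matches: {line}")
    return context.result


FEATURE = """
Feature: Adding numbers
  Scenario Outline: Adding two numbers
    Given two input integers "<a>" and "<b>"
    When we add the two numbers together
    Then the result must equal the integer "<result>"
    Examples: Numbers
      | a  | b  | result |
      | 5  | 5  | 10     |
      | 5  | 3  | 8      |
      | 15 | -5 | 10     |
"""


def run_feature(feature_text=FEATURE):
    """Run every expanded scenario and return the results in table order."""
    return [run_scenario(steps) for steps in expand_outline(feature_text)]


if __name__ == "__main__":
    print(run_feature())  # [10, 8, 10]
```

A scenario whose Then fails raises the step's AssertionError, which is how a real runner reports a failing example row.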
35. Writing good stories
• Don’t worry about perfection - just write something
• Pretend somebody is standing in front of you and you are casually explaining the subject to them - ELI5
• Remember, it’s about communicating an idea - capture the essence of the story to be told
• Make sure your “In order to” contains the why and not the how
37. Example: Making a phone call
Feature: Redial a recent call
In order to save time
As a mobile phone user
I want to call someone I have spoken to recently
Scenario: Calling from history
Given a phone app showing recent calls
When I tap on a call in the list
And I tap on the “Call” button
Then the phone will immediately start calling the number from the call
38. Example: Going to the gym
Feature: Going to the gym
In order to stay fit and healthy
As a busy person
I want a quick and comprehensive exercise routine
Scenario: Using the resistance equipment
Given a resistance exercise machine
And instructions for the exercise machine
When I correctly follow the instructions
And I set the resistance correctly
Then I will strengthen and tone the muscle areas indicated
39. Example: Connecting to 3rd party
Feature: Validate data against 3rd party service
In order to ensure data quality and correctness
As a business analyst
I want the data to be validated
Scenario: Successfully validating against the ACME API
Given the ACME data validation API
And a data object to be validated
When we call the ACME API
And we provide the data to be validated
Then the API responds with a “status” of “valid”
44. Vocabulary - Car example
• Bug - Window stuck open
• Vulnerability - Window glass can be smashed (security/usability tradeoff)
• Threat - Car is broken into
• Threat actor - Bad dude breaking into cars
• Exploit - The brick used
• Mitigation - Bulletproof glass, alarm (detective)
• Compound threat - Car is broken into and stolen
• Risk - Impact: Insured? New car? Inconvenient? Likelihood: Flashy car? Environment
54. Overview of STRIDE
• Spoofing - impersonating an entity or service
• Tampering - making unauthorised changes
• Repudiation - “wasn’t me”
• Information disclosure - getting unauthorised access to information
• Denial of service - preventing legitimate access
• Elevation of privilege - being able to do things as someone or something else
58. What are you going to do about it?
• Eliminate - there’s no threat if the component or feature is removed
• Mitigate - add preventative, detective or other controls
• Transfer - make the risk someone else’s problem (e.g. through legal contract, or physical security for Cloud services)
• Accept - don’t do anything about the threat and hope for the best (the default even if you don’t threat model)
78. Threat story example: SQLi
Feature: SQL Injection
  In order to retrieve the contents of the database
  As an attacker
  I want the web application to insufficiently validate user input
  Scenario: Timing based blind injection
    Given a web form with text input fields
    When we enter the value “test+SLEEP(30)” in one of the fields
    And we submit the form
    Then the “SLEEP(30)” function should execute
    And the form should respond after “30” seconds
79. SSH brute force
Feature: SSH brute force
  In order to get shell access to a system
  As an attacker
  I want the system to use weak authentication
  Scenario: Online password brute force
    Given a system running an accessible SSH daemon
    And a wordlist of users
    And a wordlist of passwords
    When we SSH to the system using each combination of username and password
    Then we should get shell access to the system
80. Phishing
Feature: Phishing corporate users
  In order to bypass the security perimeter
  As an attacker
  I want users to visit a malicious URL sent via email
  Scenario: Targeted phishing
    Given background information on the target
    And a convincing email template using background information
    And a convincing website URL that executes a malicious payload
    And the email is sent to the target email recipients
    When the user reads the email
    And the user clicks on the link
    Then the payload should execute
    And we should get code execution on the user’s machine
Slide callouts: “The threat” (the feature narrative) and “Attack scenarios” (the scenario steps).
85. Using the control stories
In order to improve the security of systems and services
As a subject matter expert
I want to share possible mitigations that others can implement
87. This is Mark. He’s a developer.
Profile
● Working to tight deadlines
● Needs to get something working asap
● Will have to support services once live
● Loves full-stack work
● New to cloud
● Always considers end users, accessibility champion
Image credit: Rebecca Manning
88. Mark’s task
Feature:
In order to ensure the quality of 3rd-party data submissions
As a business analyst
I want a data parsing and validation engine
Requirements:
● Web-based API to replace existing system
● Validate subset of the data against our 3rd-party partner
● Transform and scrub data where needed
● Write processed data objects to S3 so new backend process can pick them up
90. Hey Tara. Would you mind taking a look at this design with me? I’d love to know whether I’m missing any key operational things.
91. This is Tara. She’s an operations engineer.
Profile
● Loves metrics and graphs
● Big fan of IaC and config management
● Works closely with devs, helping them to automate deployments etc.
● Believes containers are the future
● Motto is “Fail fast, fail often”
Image credit: Rebecca Manning
92. This looks great Mark. How are you doing monitoring, logging and backups?
Not sure yet. Is there a cloud service I could use?
Of course! You can use CloudWatch for monitoring and logging, and Snapshots for backups. Something like this….
94. Hmmm. Some of the data we’re handling is pretty sensitive. Do you think it looks ok in terms of security?
I can’t see anything obviously bad. Perhaps we can ask Emily to take a look. She works in the security team.
Great! I don’t really know anyone in that team. Thanks for helping.
95. This is Emily. She’s a security engineer.
Profile
● Used to be a developer, then got into pentesting
● Got bored of breaking stuff and wanted to start fixing things
● Wants to help people build awesome and secure services
● Privacy and digital rights advocate
Image credit: Rebecca Manning
96. Hi Emily, I’m Mark. Tara and I were wondering if you could take a look at a design. We need to know there aren’t any obvious security problems.
Absolutely! I can take a look, or we could even try threat modeling it.
Threat modeling? What’s that?
97. Well, there are lots of different ways to threat model, but it essentially involves finding threats and deciding what to do about them. A great starting point is to ask 4 questions:
What are you building?
What can go wrong?
What are you going to do about it?
Are you doing a good job of answering the above 3 questions?
99. So now we know what we’re building, let’s add some trust boundaries. These are demarcation points between different levels of privilege, access or security concern.
101. Now we need to think about possible threats. As you’re using various cloud services, we could look at the OWASP Cloud Security project to see if any of those threats are relevant.
What’s that?
It’s a growing collection of cloud threats and mitigations expressed as BDD stories.
Oh cool! I’m a huge fan of BDD!
104. # Id: OCST-1.1.1
# Status: Confirmed
# Service: AWS EC2
# Components:
# - User Data
# STRIDE:
# - Elevation of privilege
# - Information disclosure
# References:
# - https://docs.aws.amazon.com/...
105. Feature: User Data contains sensitive information
In order to obtain sensitive information about the target
As an attacker
I want the target to have inappropriately placed sensitive information in User Data that I can access
Scenario: Access via CloudFormation
Given an instance built using CloudFormation
And a principal with the ability to read CloudFormation templates
When the attacker searches the CloudFormation templates
Then the sensitive information is returned to the attacker
107. @aws @ec2
Feature: User Data does not contain sensitive information
In order to prevent exposure of sensitive or proprietary information
As an engineer
I want to avoid putting sensitive information in User Data
108. Feature: Restoring a snapshot that contains sensitive information
In order to retrieve sensitive instance data
As an attacker
I want to restore snapshots into an instance I control
Scenario: Restoring a snapshot
Given an EBS snapshot for an instance containing sensitive information
And an instance that the attacker controls
And a principal with the allowed permissions needed to read and restore snapshots
| action | description |
| ec2:DescribeSnapshots | Get a list and details of the available snapshots |
| ec2:CreateVolume | Creates a new volume from the snapshot |
| ec2:AttachVolume | Attach the new volume to the EC2 instance |
When the attacker restores the snapshot to the instance
And the attacker searches the snapshot filesystem for interesting data
| data |
| credentials |
| private keys |
| log files |
Then the sensitive information is returned to the attacker
110. In order to prevent unauthorised access to Snapshot backups
As an engineer
I want to limit the roles that have the ability to read and restore snapshots
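One way to put a detective check behind this control story, written here as an added example rather than OWASP project code: evaluate each role's policy for the three actions the threat story's table lists and report the roles that hold the whole chain. The role names and policy documents are constructed, and the evaluator deliberately ignores Resource ARNs, Conditions and NotAction.

```python
"""Detective check for the snapshot control story: which IAM roles hold all
three actions from the threat story's table and so could restore a snapshot
into an instance they control? Added example for this page, not OWASP project
code. The role policies are constructed; the evaluator is simplified (no
Resource ARNs, Conditions or NotAction), so it narrows a review, not replaces it."""
import fnmatch
import json

# The actions the threat story lists as needed to read and restore a snapshot.
SNAPSHOT_RESTORE_ACTIONS = ("ec2:DescribeSnapshots", "ec2:CreateVolume", "ec2:AttachVolume")


def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def statement_covers(statement, action):
    """True if the statement's Action (IAM wildcards, case-insensitive) names `action`."""
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action")))


def action_allowed(policy, action):
    """Simplified IAM evaluation: an explicit Deny always wins, otherwise any Allow grants."""
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not statement_covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def can_restore_snapshots(policy):
    """The attack chain needs every action; one missing link breaks it."""
    return all(action_allowed(policy, a) for a in SNAPSHOT_RESTORE_ACTIONS)


def roles_able_to_restore(role_policies):
    """Return the sorted names of roles holding the whole restore chain."""
    return sorted(name for name, policy in role_policies.items()
                  if can_restore_snapshots(policy))


# Constructed sample: inline policies for three roles, shaped like the
# PolicyDocument returned by `aws iam get-role-policy`.
SAMPLE_ROLE_POLICIES = json.loads("""
{
  "backup-operator": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
  },
  "read-only-auditor": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]
  },
  "developer": {
    "Version": "2012-10-17",
    "Statement": [
      {"Effect": "Allow",
       "Action": ["ec2:DescribeSnapshots", "ec2:CreateVolume", "ec2:AttachVolume"],
       "Resource": "*"},
      {"Effect": "Deny", "Action": "ec2:AttachVolume", "Resource": "*"}
    ]
  }
}
""")

if __name__ == "__main__":
    print(roles_able_to_restore(SAMPLE_ROLE_POLICIES))  # ['backup-operator']
```

The wildcard handling is what makes the check useful: a role with `ec2:*` never names the three actions explicitly, yet it is the one flagged.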
111. Feature: S3 buckets containing proprietary or sensitive information are public
In order to get access to secret, sensitive or customer data
As an attacker
I want companies to accidentally make private S3 buckets public
Scenario: Discovering public buckets using Bucket Finder
Given an S3 bucket containing sensitive information
And the bucket has a predictable global name
And a wordlist of possible bucket names
When Bucket Finder is executed using the wordlist
Then the public bucket is found
And the contents are available to download
113. In order to prevent accidental exposure of sensitive data via a public S3 bucket
As an engineer
I want to ensure private buckets cannot be made public
And I want detective controls in place to find public buckets
114. Feature: Unprotected access keys
In order to gain additional access to resources in an account
As an attacker
I want to find unprotected API access keys
Scenario Outline: Finding exposed access keys
Given a principal with existing API access keys
And a <storage-system>
When the user stores their access keys in the <storage-system>
And the attacker scans the <storage-system> for access keys
Then the attacker finds the access keys
And the attacker can use the access keys to access resources in the target account
Examples: Non-exhaustive list of possible storage systems
| storage-system |
| S3 bucket |
| Git repository |
| Filesystem with weak protection |
| Wiki or documentation system |
| Email or other communication platform |
116. In order to prevent exposure of privileged IAM access keys
As an engineer
I want to use instance profiles and locked down IAM policies
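A detective control that serves both the User Data control story (slide 107) and the unprotected access keys story above, added here as an example and not taken from the OWASP project: scan a User Data script, or any text pulled from one of the listed storage systems, for credential material. The sample script is constructed; its key values are AWS's documented placeholder examples, not live credentials.

```python
"""Detective control for two stories above: the "User Data does not contain
sensitive information" control and the "Unprotected access keys" threat.
It scans an EC2 User Data script (or any text pulled from a repository, wiki
or bucket) for credential material. Added example for this page, not OWASP
project code; the sample script is constructed and its key values are AWS's
documented placeholder examples, not live credentials."""
import base64
import binascii
import re

SECRET_PATTERNS = {
    # IAM access key IDs: documented AKIA/ASIA prefix plus 16 uppercase alphanumerics.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Secret keys are 40 base64-alphabet characters; requiring the variable
    # name keeps false positives down on arbitrary 40-character strings.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)pass(?:word|wd)\s*[=:]\s*\S+"),
}


def redact(value):
    """Keep a short prefix to locate the finding; never record the whole secret."""
    return f"{value[:4]}...[{len(value)} chars]"


def decode_user_data(raw):
    """User Data from the EC2 API arrives base64-encoded; template scripts are plain text."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return raw


def scan_text(text, source="user-data"):
    """One finding per (line, pattern) hit, with the matched value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"source": source, "line": line_no,
                                 "kind": kind, "match": redact(match.group(0))})
    return findings


def scan_user_data(raw, instance_id="i-EXAMPLE"):
    """Scan an instance's User Data whether it is base64 from the API or plain text."""
    return scan_text(decode_user_data(raw), source=instance_id)


def user_data_is_clean(raw):
    """The control story's Then: no credential material in User Data."""
    return not scan_user_data(raw)


# Constructed User Data script showing the mistakes the threat story describes.
SAMPLE_USER_DATA = """#!/bin/bash
# Constructed example; the key values are AWS's documented placeholders, not live.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
echo "DB_PASSWORD=hunter2" >> /etc/app.env
aws s3 cp s3://example-bucket/app.tar.gz /opt/app/
"""
# The same script as the EC2 API (DescribeInstanceAttribute userData) hands it back.
SAMPLE_USER_DATA_B64 = base64.b64encode(SAMPLE_USER_DATA.encode()).decode()

if __name__ == "__main__":
    for finding in scan_user_data(SAMPLE_USER_DATA_B64):
        print(finding)
```

Run over each storage system in the Examples table (repository checkouts, wiki exports, bucket listings) the same scanner implements the "And I want detective controls in place" intent of the control stories without ever storing the secrets it finds.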
117. What about SQS? Also, this service could possibly be built using Lambda, should we threat model that too?
We’re running out of time for today. You could start scheduling regular threat modeling sessions, for example after every sprint planning. If you need me to join or facilitate, I’d be more than happy to.
118. Thanks for offering to help. I’ll speak to Rajesh who is our product owner about scheduling time to threat model.
That would be fantastic. Your product owner should be involved in every aspect of threat modeling as they ultimately own the risks and are key to prioritising any mitigation efforts.
119. If we found interesting threats for SQS and Lambda, could we contribute them back to the project?
Yes! It’s a community-driven project. The more contributions it gets, the more value it can provide to everyone.
Great! I’m looking forward to our next threat modeling session. It has been great working so closely with the security team. Thank you!