POTASSIUM is a penetration testing as a service (PTaaS) that uses live migration techniques to clone virtual machines from a production system, capturing their full disk, memory, and network state. This cloned system is isolated to allow thorough testing without risk of damage. POTASSIUM aims to provide valid, safe, and scalable penetration testing through automated and isolated testing modes while minimizing performance impacts on the production system. An evaluation showed POTASSIUM could detect vulnerabilities with up to 100 VMs and had minimal performance overhead during consistent checkpointing compared to non-consistent checkpointing.
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the software development lifecycle (SSDLC). Software should be provisioned uniformly declarative regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
The document discusses application threat modeling for a college library website. It describes decomposing the application into external dependencies, entry points, assets, and trust levels. It then covers determining and ranking threats using STRIDE and ASF categorizations. The document outlines identifying security controls and countermeasures to address vulnerabilities. It provides steps for threat analysis and defining mitigation strategies.
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the software development lifecycle (SSDLC). Software should be provisioned uniformly declarative regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
SIEM is a technological solution that collects and aggregates logs from various data sources, discovers trends, and alerts when it spots anomalous activity, like a possible security threat.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
The document discusses application threat modeling for a college library website. It describes decomposing the application into external dependencies, entry points, assets, and trust levels. It then covers determining and ranking threats using STRIDE and ASF categorizations. The document outlines identifying security controls and countermeasures to address vulnerabilities. It provides steps for threat analysis and defining mitigation strategies.
DevSecOps (short for development, security, and operations) is a development practice that integrates security initiatives at every stage of the software development lifecycle to deliver robust and secure applications.
DevSecOps is a very loaded term and it includes many topics. Despite what some will lead you to believe, DevSecOps is not just an integration of security testing tools. Nor is it merely a focus on achieving security quality attributes on CI and CD. DevSecOps is beyond the automatizing security testing and there are common misconceptions and roadblocks on how you can establish it successfully.
Learning Objectives:
1: Identify key principles of DevSecOps and see how it relates to DevOps principles.
2: Analyze common pitfalls and see where integration security takes part in DevSecOps.
3: Demonstrate how to do “Continuous Security” by using a lifecycle approach.
(Source: RSA Conference USA 2018)
EDR(End Point Detection And Response).pptxSMIT PAREKH
This document describes an EDR (Endpoint Detection and Response) system implementation project for Invinsense. The system was developed using technologies like React JS, C language, Python REST API, Docker, Kubernetes, and deployed on both Windows and Linux agents. It provides features like agent monitoring, antivirus scanning, log collection and analysis. Screenshots show interfaces for login, agent details, scanning, dashboards, reports. Future enhancements proposed include SSO, AI/ML, Mac OS agent, Ansible deployment.
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.
The document discusses a CISO workshop agenda to modernize a security strategy and program. It includes:
- An overview of who should attend, such as the CISO, CIO, security directors, and business leaders.
- The agenda covers key context and fundamentals, business alignment, and security disciplines.
- Exercises are included to assess maturity, discuss recommendations, and assign next steps.
- Modules will provide guidance on initiatives like secure identities and access, security operations, and data security.
The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.
Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task.
While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator.
This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions.
This was presented as a we45 Webinar on April 12, 2018
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Yohanes Syailendra discusses DevSecOps implementation at DKATALIS, an Indonesian company. Some key points:
1. DevSecOps shifts security left to earlier stages of development to find and fix vulnerabilities sooner. This allows for faster development times and more secure applications.
2. At DKATALIS, DevSecOps includes threat modeling, static application security testing (SAST), dynamic application security testing (DAST), infrastructure as code scanning, and container security throughout the development pipeline.
3. A successful DevSecOps implementation requires changing culture, processes, and architecture to establish security as a shared responsibility across development and security teams. Automation is also important to scale practices
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
This document outlines 5 key practices for modern security success in DevSecOps: 1) Cloud & DevSecOps practices, 2) Pre-Commit controls like the "paved road" of secure templates, 3) Commit controls through CI/CD pipelines, 4) Acceptance controls for supply chain security, and 5) Operations controls for continuous security compliance. The presentation provides examples for implementing controls at each stage to integrate security practices into the DevSecOps workflow.
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
This document discusses operationalizing cyber threat intelligence by emulating adversary behaviors. It explains how to take cyber threat intelligence and map behaviors to the MITRE ATT&CK framework. Specific focus is given to the "Process Doppelgänging" technique, including understanding the behavior, potential detections, and emulating the behavior. The importance of fully emulating operations and expanding emulations through tools like Caldera is also covered.
This document provides an overview of malware analysis, including both static and dynamic analysis techniques. Static analysis involves examining a file's code and components without executing it, such as identifying file types, checking hashes, and viewing strings. Dynamic analysis involves executing the malware in a controlled environment and monitoring its behavior and any system changes. Dynamic analysis tools discussed include Process Explorer, Process Monitor, and Autoruns to track malware processes, files accessed, and persistence mechanisms. Both static and dynamic analysis are needed to fully understand malware behavior.
Patch management is critical to reducing your attack surface and keeping your endpoints and business running smoothly. Unfortunately, it's also a process that must be repeated weekly, monthly, quarterly, and whenever critical fixes have been identified for your environment. The good news is: with the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.
Join us to learn about trends in patch management, including the latest ways Ivanti is helping Security and IT teams work together like a well-oiled machine.
The document presents a security reference architecture with use cases. It includes sections on user/device security, application security, network security, SASE integration, common identity, converged multi-cloud policy, and securing IoT/OT environments. Diagrams show how different security tools and services fit together across networks, users, applications, and clouds to provide a zero trust architecture.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
EDR(End Point Detection And Response).pptxSMIT PAREKH
This document describes an EDR (Endpoint Detection and Response) system implementation project for Invinsense. The system was developed using technologies like React JS, C language, Python REST API, Docker, Kubernetes, and deployed on both Windows and Linux agents. It provides features like agent monitoring, antivirus scanning, log collection and analysis. Screenshots show interfaces for login, agent details, scanning, dashboards, reports. Future enhancements proposed include SSO, AI/ML, Mac OS agent, Ansible deployment.
Application Security Architecture and Threat ModellingPriyanka Aash
95% of attacks are against “Web Servers and Web Applications”
Security Architecture and SDLC
3 Tier – Web App Architecture
Would you trust the code?
Traditional SDLC
Secure SDLC
SAST vs. DAST
40 DevSecOps Reference Architectures for you. See what tools your peers are using to scale DevSecOps and how enterprises are automating security into their DevOps pipeline. Learn what DevSecOps tools and integrations others are deploying in 2019 and where your choices stack up as you consider shifting security left.
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
A vulnerability assessment identifies vulnerabilities in systems and networks to understand threats and risks. Penetration testing simulates cyber attacks to detect exploitable vulnerabilities. There are three types of penetration testing: black box with no system info; white box with full system info; and grey box with some system info. Common vulnerabilities include SQL injection, XSS, weak authentication, insecure storage, and unvalidated redirects. Tools like Nexpose, QualysGuard, and OpenVAS can automate vulnerability assessments.
The document discusses source code analysis techniques for detecting vulnerabilities. It describes several methodologies used in source code analysis tools, including style checking, semantic analysis, and deep flow analysis. Semantic analysis builds an abstract syntax tree to simulate code execution and check for faults. Deep flow analysis extends semantic analysis to generate control and data flow graphs to find issues like race conditions. The document also provides examples of source code vulnerabilities that can be detected, such as a buffer overflow, and discusses how tools can analyze source code, bytecode, and detect entry points vulnerable to attacks.
The document discusses a CISO workshop agenda to modernize a security strategy and program. It includes:
- An overview of who should attend, such as the CISO, CIO, security directors, and business leaders.
- The agenda covers key context and fundamentals, business alignment, and security disciplines.
- Exercises are included to assess maturity, discuss recommendations, and assign next steps.
- Modules will provide guidance on initiatives like secure identities and access, security operations, and data security.
The document announces events from DevSecOps Singapore to bring together developers, operations, and security professionals. It describes monthly meetups for talks and networking, workshops over 4 months on integrating security testing into the SDLC, and an annual conference in 2017. It provides announcements for the workshops and conference and calls for speakers, office space, and volunteers to help build the community.
Product Engineering teams have started to realize the importance of software security. This has resulted in the trend where teams are taking efforts to include it as part of their software development life cycle; as opposed to treating it as another item in their checklist prior to release. However, the real challenge is in trying to find the balance between agility and quality which is where many team find this an uphill task.
While there is no golden standard when it comes to implementing software security, product teams should focus on bringing about systematic and cultural practices within their teams. This should help them to bring about the required efficiency to enable software security as a market differentiator.
This slide-deck on Software Security Initiative focuses on translating a plan of action into sustainable activities as part of the secure software development life cycle that can be adopted by engineering teams. The slides will delve deep into aspects like identifying and designing security checkpoints in the SDLC alongside concepts such as Threat Modelling in Agile, AppSec Toolchain and Security Regressions.
This was presented as a we45 Webinar on April 12, 2018
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
Yohanes Syailendra discusses DevSecOps implementation at DKATALIS, an Indonesian company. Some key points:
1. DevSecOps shifts security left to earlier stages of development to find and fix vulnerabilities sooner. This allows for faster development times and more secure applications.
2. At DKATALIS, DevSecOps includes threat modeling, static application security testing (SAST), dynamic application security testing (DAST), infrastructure as code scanning, and container security throughout the development pipeline.
3. A successful DevSecOps implementation requires changing culture, processes, and architecture to establish security as a shared responsibility across development and security teams. Automation is also important to scale practices
The document provides an overview of the Open Web Application Security Project (OWASP). It discusses what OWASP is, the free resources it provides like publications, tools, and local chapters. It outlines some of OWASP's major publications like the OWASP Top 10 and Testing Guide. It also demonstrates the WebScarab and WebGoat tools. Finally, it describes the goals and offerings of the OWASP Cincinnati local chapter.
This document outlines 5 key practices for modern security success in DevSecOps: 1) Cloud & DevSecOps practices, 2) Pre-Commit controls like the "paved road" of secure templates, 3) Commit controls through CI/CD pipelines, 4) Acceptance controls for supply chain security, and 5) Operations controls for continuous security compliance. The presentation provides examples for implementing controls at each stage to integrate security practices into the DevSecOps workflow.
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
Today’s cutting edge companies have release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This type of automation will help you catch bugs sooner and accelerate developer productivity. In this session we will share our AWS engineers embed security practices in DevOps, and discuss how you can use AWS services to securely enable DevOps agility in your organization.
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
This document discusses operationalizing cyber threat intelligence by emulating adversary behaviors. It explains how to take cyber threat intelligence and map behaviors to the MITRE ATT&CK framework. Specific focus is given to the "Process Doppelgänging" technique, including understanding the behavior, potential detections, and emulating the behavior. The importance of fully emulating operations and expanding emulations through tools like Caldera is also covered.
This document provides an overview of malware analysis, including both static and dynamic analysis techniques. Static analysis involves examining a file's code and components without executing it, such as identifying file types, checking hashes, and viewing strings. Dynamic analysis involves executing the malware in a controlled environment and monitoring its behavior and any system changes. Dynamic analysis tools discussed include Process Explorer, Process Monitor, and Autoruns to track malware processes, files accessed, and persistence mechanisms. Both static and dynamic analysis are needed to fully understand malware behavior.
Patch management is critical to reducing your attack surface and keeping your endpoints and business running smoothly. Unfortunately, it's also a process that must be repeated weekly, monthly, quarterly, and whenever critical fixes have been identified for your environment. The good news is: with the right tools and some advance planning, this process can run smoothly and leave your IT team with more time to support core business goals.
Join us to learn about trends in patch management, including the latest ways Ivanti is helping Security and IT teams work together like a well-oiled machine.
The document presents a security reference architecture with use cases. It includes sections on user/device security, application security, network security, SASE integration, common identity, converged multi-cloud policy, and securing IoT/OT environments. Diagrams show how different security tools and services fit together across networks, users, applications, and clouds to provide a zero trust architecture.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Secure Application Development in the Age of Continuous DeliveryTim Mackey
As delivered at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of micro-services, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
The document summarizes the five stages of grief experienced by organizations when they realize their critical infrastructure systems are connected to the internet and vulnerable to cyber attacks: denial, anger, bargaining, depression, and acceptance. It provides examples to illustrate why each stage occurs, such as discoveries of thousands of exposed SCADA and ICS devices online using tools like SHODAN, high-profile attacks like Stuxnet targeting critical infrastructure systems, and challenges of keeping outdated systems patched against emerging threats. The document argues organizations must ultimately accept the interconnected nature of systems and find new ways to design and manage critical infrastructure that are more secure and resilient to cyber attacks.
Integration Testing as Validation and MonitoringMelissa Benua
In the world of software-as-a-service, just about anyone with a laptop and an Internet connection can spin up their very own cloud-based web service. Software startups, in particular, are often big on ideas but small on staff. This makes streamlining the traditional develop-test-integrate-deploy-monitor pipeline critically important. Melissa Benua says that an effective way to accomplish this is to reduce the number of different test suites that verify many of the same things for each stage. Melissa explains how teams can avoid this by authoring the right set of tests and using the right frameworks. Drawing on lessons learned in companies both large and small, Melissa shows how teams can drastically slash time spent developing automation, verifying builds for release, and monitoring code in production—without sacrificing availability or reliability.
CyberCrime in the Cloud and How to defend Yourself Alert Logic
The document discusses cybercrime threats in the cloud and how to defend against them. It notes that traditional on-premises threats are moving to the cloud, with web application attacks and brute force attacks being most common. Honeypots are used to gather intelligence on attacks by simulating vulnerable systems. Analysis of honeypot data found increases in brute force attacks and vulnerability scans in cloud environments. The document recommends best practices like secure coding, access management, patch management, log review, and tools like firewalls and intrusion detection to help secure cloud environments.
A Distributed Malware Analysis System Cuckoo SandboxAndy Lee
This document describes a distributed malware analysis system using Cuckoo Sandbox. It discusses:
1) Cuckoo Sandbox is an open source automated malware analysis system that runs binary files in virtual machines to record behaviors like API calls, files created, registry access, and network traffic.
2) The motivation for a distributed system is that the computing power of a single machine is limited, causing performance bottlenecks for analyzing large numbers of samples.
3) The distributed Cuckoo system uses a master-worker architecture to assign analysis tasks to multiple worker nodes in parallel, reducing total analysis time and allowing the system to scale to more samples as hardware resources increase.
Proactive ops for container orchestration environmentsDocker, Inc.
This document discusses different approaches to monitoring systems from manual and reactive to proactive monitoring using container orchestration tools. It provides examples of metrics to monitor at the host/hardware, networking, application, and orchestration layers. The document emphasizes applying the principles of observability including structured logging, events and tracing with metadata, and monitoring the monitoring systems themselves. Speakers provide best practices around failure prediction, understanding failure modes, and using chaos engineering to build system resilience.
The document discusses using Meterpreter for post exploitation activities after gaining access to a target system. Meterpreter provides an advanced multi-function payload that injects itself into running processes to provide core and advanced command functionality through extensions in a more stealthy way than normal payloads. The document outlines how Meterpreter works and can be used for activities like enumeration, privilege escalation, information harvesting, and pivoting across a network during post exploitation.
Prometheus for Monitoring Metrics (Fermilab 2018)Brian Brazil
From its humble beginnings in 2012, the Prometheus monitoring system has grown a substantial community with a comprehensive set of integrations. This talk will give an overview of the core ideas behind Prometheus, its feature set and how it has grown to met the challenges of modern cloud-based systems.
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
Michael Wardrop, Netflix
Usage of containers has undergone rapid growth at Netflix and it is still accelerating. Our container story started organically with developers downloading Docker and using it to improve their developer experience. The first production workloads were simple batch jobs, pioneering micro-services followed, then status as a first class platform running critical workloads.
As the types of workloads changed and their importance increased, the security of our container ecosystem needed to evolve and adapt. This session will cover some security theory, architecture, along with practical considerations, and lessons we learnt along the way.
This document provides information about an expert in Agile software development practices named Stephen Ritchie. It summarizes his experience, certifications, and areas of focus including Agile coaching. The document recommends practices for implementing Agile such as version control, continuous integration, automated testing, and deployment automation. It lists tools that can be used for each practice and recommends an order for implementation. The document also discusses benefits of practices like reduced defect rates and faster deployments.
Michal Waleszczuk defines fault tolerance as a system's ability to continue operating properly despite failures in components. The document discusses fault tolerance techniques including checkpointing/rollback recovery. Checkpointing saves application states that can be used for recovery after failures. DMTCP is a library that provides transparent checkpointing of Linux applications. Waleszczuk's study tests DMTCP checkpointing on a matrix multiplication application, finding that multiple checkpoints increase restoration time but decrease runtime overhead compared to no checkpoints.
This presentation talk about some of the challenges in detecting advanced malware which uses evasion techniques such as inline assembly or previously unknown approaches. The presentation also focuses on leveraging the static code analysis as an opportunity to detect these evasive malware in the sandbox
Service Virtualization: Delivering Complex Test Environments on DemandErika Barron
This presentation explores the latest service virtualization research and shares firsthand best practices and benefits of service virtualization from Comcast’s Director of Performance Test. Discover how to: enable more complete testing earlier in each iteration, streamline lean processes with more reliable test environments, and manage complex tests in a dynamic development environment.
Build cloud native solution using open source Nitesh Jadhav
Build cloud native solution using open source. I have tried to give a high level overview on How to build Cloud Native using CNCF graduated software's which are tested, proven and having many reference case studies and partner support for deployment
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
How to detect side channel attacks in cloud infrastructuresPasquale Puzio
http://www.secludit.com
We integrated Elastic Detector, which is SecludIT's product, with OSSIM in order to detect side-channel attacks occurring in cloud infrastructures.
Elastic Detector takes care of solving the cloud elasticity issue, collecting security-relevant logs and forwarding (rsyslog) them to OSSIM where the correlation takes place (thanks to our plugin).
DEMO showed at the RaSIEM workshop (ARES conference) in Regensburg, Germany.
Azure 101: Shared responsibility in the Azure CloudPaulo Renato
Whether you’re working exclusively on Azure or with multiple cloud environments, there are certain things you should consider when moving assets to the public cloud. As with any cloud deployment, security is a top priority, and moving your workloads to the Azure cloud doesn’t mean you’re not responsible for the security of your operating system, applications, and data.
Building on the security of the Azure infrastructure, this shared security responsibility starts with making sure your environment is secure. In this session, we will discuss step-by-step what you need to do to secure access at the administrative, application and network layers.
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
More organisations are embracing DevOps and automation to realise compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, many security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery.
Similar to POTASSIUM: Penetration Testing as a Service (20)
• For a full set of 530+ questions. Go to
https://skillcertpro.com/product/servicenow-cis-itsm-exam-questions/
• SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
• It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
• SkillCertPro updates exam questions every 2 weeks.
• You will get life time access and life time free updates
• SkillCertPro assures 100% pass guarantee in first attempt.
This presentation by Tim Capel, Director of the UK Information Commissioner’s Office Legal Service, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
Gamify it until you make it Improving Agile Development and Operations with ...Ben Linders
So many challenges, so little time. While we’re busy developing software and keeping it operational, we also need to sharpen the saw, but how? Gamification can be a way to look at how you’re doing and find out where to improve. It’s a great way to have everyone involved and get the best out of people.
In this presentation, Ben Linders will show how playing games with the DevOps coaching cards can help to explore your current development and deployment (DevOps) practices and decide as a team what to improve or experiment with.
The games that we play are based on an engagement model. Instead of imposing change, the games enable people to pull in ideas for change and apply those in a way that best suits their collective needs.
By playing games, you can learn from each other. Teams can use games, exercises, and coaching cards to discuss values, principles, and practices, and share their experiences and learnings.
Different game formats can be used to share experiences on DevOps principles and practices and explore how they can be applied effectively. This presentation provides an overview of playing formats and will inspire you to come up with your own formats.
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
This presentation by Professor Giuseppe Colangelo, Jean Monnet Professor of European Innovation Policy, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
11June 2024. An online pre-engagement session was organized on Tuesday June 11 to introduce the Science Policy Lab approach and the main components of the conceptual framework.
About 40 experts from around the globe gathered online for a pre-engagement session, paving the way for the first SASi-SPi Science Policy Lab event scheduled for June 18-19, 2024 in Malmö. The session presented the objectives for the upcoming Science Policy Lab (S-PoL), which featured a role-playing game designed to simulate stakeholder interactions and policy interventions for food systems transitions. Participants called for the sharing of meeting materials and continued collaboration, reflecting a strong commitment to advancing towards sustainable agrifood systems.
1.) Introduction
Our Movement is not new; it is the same as it was for Freedom, Justice, and Equality since we were labeled as slaves. However, this movement at its core must entail economics.
2.) Historical Context
This is the same movement because none of the previous movements, such as boycotts, were ever completed. For some, maybe, but for the most part, it’s just a place to keep your stable until you’re ready to assimilate them into your system. The rest of the crabs are left in the world’s worst parts, begging for scraps.
3.) Economic Empowerment
Our Movement aims to show that it is indeed possible for the less fortunate to establish their economic system. Everyone else – Caucasian, Asian, Mexican, Israeli, Jews, etc. – has their systems, and they all set up and usurp money from the less fortunate. So, the less fortunate buy from every one of them, yet none of them buy from the less fortunate. Moreover, the less fortunate really don’t have anything to sell.
4.) Collaboration with Organizations
Our Movement will demonstrate how organizations such as the National Association for the Advancement of Colored People, National Urban League, Black Lives Matter, and others can assist in creating a much more indestructible Black Wall Street.
5.) Vision for the Future
Our Movement will not settle for less than those who came before us and stopped before the rights were equal. The economy, jobs, healthcare, education, housing, incarceration – everything is unfair, and what isn’t is rigged for the less fortunate to fail, as evidenced in society.
6.) Call to Action
Our movement has started and implemented everything needed for the advancement of the economic system. There are positions for only those who understand the importance of this movement, as failure to address it will continue the degradation of the people deemed less fortunate.
No, this isn’t Noah’s Ark, nor am I a Prophet. I’m just a man who wrote a couple of books, created a magnificent website: http://www.thearkproject.llc, and who truly hopes to try and initiate a truly sustainable economic system for deprived people. We may not all have the same beliefs, but if our methods are tried, tested, and proven, we can come together and help others. My website: http://www.thearkproject.llc is very informative and considerably controversial. Please check it out, and if you are afraid, leave immediately; it’s no place for cowards. The last Prophet said: “Whoever among you sees an evil action, then let him change it with his hand [by taking action]; if he cannot, then with his tongue [by speaking out]; and if he cannot, then, with his heart – and that is the weakest of faith.” [Sahih Muslim] If we all, or even some of us, did this, there would be significant change. We are able to witness it on small and grand scales, for example, from climate control to business partnerships. I encourage, invite, and challenge you all to support me by visiting my website.
Bridging the visual gap between cultural heritage and digital scholarship
POTASSIUM: Penetration Testing as a Service
1. POTASSIUM:
Penetration Testing
as a Service
Richard Li |Hyun-wook Baek | Dallin Abendroth
Xing Lin |Robert Ricci | Yuankai Guo | Jacobus Van der Merwe
Presented by
A. Farár
2. Motivation
• What’s the Problem?
Pentesting on a production system is great, because the exact dynamic state of system
is captured. But there is high risk of damage: data loss, crash. System unavailable or
malware infection…
Testing against a separate system that has been designed to model the live one is also
not ideal. As the production system is not captured, thus reducing the value of the
test.
3. POTASSIUM PTaaS
• Pentesting Service in the Cloud.
POTASSIUM uses techniques developed for live migration of virtual machines to clone them,
capturing their full disk, memory, and network state. The cloned system is then isolated
from the rest of the cloud, so that effects from the penetration test will not damage other
tenants. Because the penetration tester owns the cloned system, testing is more thorough
and efficient.
7. Live Consistent Checkpointing
State Captured at
Single Instance
Snapshots
Transparent
Live ConsistentIterative
P2 must be delivered after time t4 VM state machine for consistent CP
8. Pentesting Process
Pentest Manager AttackersCoordinator
Mirror Subproject data
VM IP addresses,
attackers assignment
sheet
Relays commands to
attackers
Collects session info.
From attackers
Vulnerability report
generated at end of test
Metasploit auto pentest
• Simple, automated.
9. Pentesting Modes
Isolated Automated Scalable
Separate Availability Zones Metasploit Manage Multiple Pentests at Once
Emulate Internal /External Attacks
10. Evaluation
• Measurement: end-to-end time to perform pentesting as a
function of the number of VMs in the production project.
Performance Impact
of Snapshot
Checkpointing
Minimal
Consistent 68.5
Non-consistent 69.6
Pentest
Effectiveness
(2 test cases)
WordPress
Vulnerability
detected
Scalability Up to 100 VMs
11. Evaluation
• Measurement: end-to-end time to perform pentesting as a
function of the number of VMs in the production project.
HTTP Response Times
(ms)
Baseline 67.4
Non-consistent 69.6
Consistent 68.5
Consistency
Packet loss in VM1>VM0
steam
Automated Pentesting
Mirror Creation 227.59
Attacker Creation 77.56
Pentesting 35.99
Miscellaneous 0.87
12. Analysis
Strengths
• Automated pentest
• Economies of Scale
• No performance impact
on production systems
• Availability & Integrity
Weaknesses
• Automated Pentest
• Difficult to bring external
resources into the closed
system (i.e. cloud-wide
storage or DB services.
• Possible Confidentiality
concerns
14. References
Richard Li, et al. (2015), POTASSIUM: Penetration Testing as a Service
Proceedings of the Sixth ACM Symposium on Cloud Computing (SoCC '15)
Editor's Notes
Pentesting on a production system is great, because the exact dynamic state of system is captured. But there is high risk of damage: data loss, crash. System unavailable or malware infection…
Testing against a separate system that has been designed to model the live one is also not ideal. As the production system is not captured, thus reducing the value of the test.
Penetration testing is the process where you probe network systems for vulnerabilities. POTASSIUM uses techniques developed for live migration of virtual machines to clone them, capturing their full disk, memory, and network state. The cloned system is then isolated from the rest of the cloud, so that effects from the penetration test will not damage other tenants. Because the penetration tester owns the cloned system, testing is more thorough and efficient.
POTASSIUM PTaaS has five design principles:
Validity – results are the same on mirror system as on the production system
Availability & Integrity – the pentest must have low impact on the performance and availability of the production system
Safety – pentesting activity must not affect production projects or other systems on the Internet
Scalability – ability to manage multiple pentest projects at once and deploy different strategies for allocating and positioning attacker VMs
Extensibility – the design can support many pentesting tools
Step A – is the Production system in the cloud. Tenant has a allocated a collection of resources including several VMs and a network.
Step B - A new project or copy of the production system is created using standard APIs of the cloud management system. It contains metadata, and has the same structure as the production project, but not the same internal state. This copy is referred to as the pentest project.
Step C - A consistent snapshot of the production project is created, including all VM memory contents, disk contents, and network packets in flight. That state is inserted into the pentest project.
Step D - Attacking resources are allocated and added to the pentest project; then the pentest is performed. The pentest project consists of two parts: the mirror subproject, which is the set of resources that mirror the production project, and the attack subproject, which is the set of resources introduced for pentesting. The pentest project is isolated so that the effects of the penetration test cannot harm other tenants.
Potassium is based on OpenStack, an open source software for creating private and public clouds.
To ensure Availability, the Project Creator places pentest projects on physical resources that are separate from those used by production projects. This is achievable by using standard cloud APIs such as availability zones. Also, the Snapshot Agents perform live consistent checkpointing, allowing the production system to execute while it is being checkpointed. Although performance may be reduced during the time it takes to checkpoint, the project still remains available to clients.
For Validity, Project Creator, Snapshot Manager, and Snapshot Agents work together to replicate the full state of the production project within the mirror subproject of a pentest project.
The mirror is created in two steps: 1) the Project Creator obtains the metadata of the production project and invokes the cloud platform to create a mirror with the same metadata, and 2) the full state of the VMs and network in the production project is recreated via the Snapshot Agents that perform live, consistent checkpointing over the production project. Consistency means that the state of the production project is captured at a single, logical instant of time. Once a VM has completed its snapshot, any packet that it sends will not be delivered until the recipient VM has also completed its snapshot.
Safety is implemented via the Project Creator, which uses the standard APIs of the cloud platform to disconnect the pentest project from any other network, except for an access route that allows POTASSIUM’s Pentest Manager to communicate with the attack Coordinator within the pentest project. Only the Coordinator has permission to send traffic outside of the pentest project, cannot relay traffic between the “inside” and the “outside” of the pentest project.The cloud platform is trusted, so POTASSIUM is not intended for pentests that aim to compromise the underlying cloud platform or hypervisors.
POTASSIUM implemented the Metaspolit Framework as its automated pentesting tool. However, any pentesting tool can be used, satisfying the Extensibility design principle. The Coordinator serves as an adapter between POTASSIUM’s Pentest Manager and the implementations of the Attackers.
POTASSIUM can insert attacking VMs into the mirror subproject’s internal networks, and capture VMs within the mirror subproject, emulating internal attacks.
Scalability is fulfilled as POTASSIUM can manage multiple pentest projects at once (i.e., two separate users running pentests at the same time or concurrent pentests over a single production project). Additionally, it implements multiple strategies for allocating and positioning Attackers against a mirror subproject, for example, to emulate both external and internal attacks. By allocating large numbers of attacker VMs, POTASSIUM is able to swap space for time by performing pentests against multiple hosts in parallel.
POTASSIUM’s Snapshot Manager and Snapshot Agents implement a live, consistent checkpointing algorithm that creates snapshots of a production project.
The prototype implementation uses QEMU’s live-snapshot mechanism to independently take a live snapshot for each individual VM in the production project. It uses packet coloring and buffering to deal with inconsistent packets.
Snapshots = each VM saves its memory state by performing iterative memory copying
Live = snapshot taken transparently
Consistent = state captured at single instance in time
The figure on the bottom left shows an example of a checkpoint timeline. For live, consistent checkpointing, packet P2 must be delivered after time t4.
The figure on the bottom right shows an example of a VM state machine for consistent checkpointing. “Each VM in a production project is associated with an instance of the state machine shown with a VM beginning in a DEFAULT state. When POTASSIUM needs to checkpoint a production project, the Snapshot Manager sends a START_SNAPSHOT command to each VM, via the Snapshot Agents. Then, each VM transitions to the STARTED state and begins to take its snapshot. When a VM completes its snapshot, it transitions to the COMPLETED state. The Snapshot Manager periodically checks the status of each VM, and when all have completed their snapshots, the Snapshot Manager sends an ALL_SNAPSHOTS_COMPLETE command to every VM. Each VM then transitions to the ALL_COMPLETED state.”
The pentesting process in POTASSIUM is simple and automated. The Pentest Manager forwards Mirror Subproject data, VM IP addresses, and the attackers assignment sheet to the Coordinator.
The Coordinator then relays the commands/data to attackers; then subsequently collects session information from Attackers. A vulnerability report is generated at the end of the test.
The Attackers use the Metasploit framework to run an automated pentest.
There are three pentesting modes: Internal, External and Pivot
Internal – creates multiple Attackers and attaches one to each network within the mirror subproject. Penetration testing may be directly performed by Attackers on the VMs in the mirror subproject, irrespective of whether those VMs can be reached from an external network. Overall vulnerabilities exposed in this mode.
External – the attack subproject is attached to the mirror subproject to emulate an external attacker. Can be used to test correctness of security group rules.
Pivot – pentesting is performed in multiple rounds from Attackers that replace VMs in the mirror subproject. This mode imitates the way an intruder is able to attack new targets from the point of view of an already compromised VM. Useful for “what if” analysis.
Connectivity between mirror subproject and External network is disabled to prevent traffic leakage.
OpenStack Security Groups allow attackers to be controlled by the Coordinator and reach VMs.
Availability Zones is a standard cloud API that separates pentest projects on physical resources from those used by production projects.
Performance impact of Snapshot CP was minimal with a negligible difference between consistent and non-consistent.
The Pentest was effective and positively detected the WordPress vulnerabilities.
POTASSIUM scaled well up to 100 VMs.
HTTP response times ranged from 67% to 69.6%.
Consistency tests shoed a packet loss in VM1>VM0 stream.
Automatic pentest performance test showed mirror creation took the longest time (227.59), followed by attacker creation (77.56), and actual pentesting (35.99).