Fuzzing and You: Automating Whitebox Testing - NetSPI
Fuzzing is easy, but getting useful information from fuzzing isn’t. ‘Spray and pray’ might get some results, but a set of well-designed tests will get much better results faster. Unfortunately, the job doesn’t end there. Fuzzing doesn’t find vulnerabilities; fuzzing finds unexpected behavior. Interpreting that unexpected behavior relies on understanding the application you’re fuzzing and the tests you’ve designed. This presentation will discuss techniques for creating tests targeted towards uncovering specific behavior, including authorization bypasses, directory traversals, and buffer overflows.
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2 - NetSPI
App Security? There’s a metric for that! (Part 1 of 2)
Over the past year, NetSPI has been working on a new approach to manage and measure application security. By combining OWASP’s Software Assurance Maturity Model, traditional risk assessment methodologies, and experience developing security metrics, NetSPI developed a methodology that may be used to help organizations improve the way they manage and prioritize their application security initiatives. Once fully developed, this approach will be donated to OWASP either as an add-on to the existing SAMM project or as a new project intended to improve application security management.
In this presentation, NetSPI provides a detailed walk-through of the overall methodology as well as OWASP’s SAMM project. We provide examples of the types of metrics and executive dashboards that can be generated by using this approach to managing application security and help highlight various ways this information can be used to further improve the overall maturity of application security programs.
Be sure to check out Part 2 of this presentation for a more "Hands On" approach.
http://www.slideshare.net/NetSPI/application-risk-prioritizationhandsonsecure360part2of2
This presentation will provide a high-level overview of the current role that desktop applications play in enterprise environments, and the general risks associated with different deployment models. It will also cover common methodologies, techniques, and tools used to identify vulnerabilities in typical desktop application implementations. Although there will be some technical content, the discussion should be interesting and accessible to both operational and management levels.
More security blogs by the authors can be found at
https://www.netspi.com/blog/
All You Need is One - A ClickOnce Love Story - Secure360 2015 - NetSPI
ClickOnce is a deployment solution that enables fast, easy delivery of packaged software. It is commonly used by organizations to deploy both internal and production-grade software packages, along with their respective updates. By allowing end-users to accept the requested permissions of the software package without the intervention of an administrator, ClickOnce simplifies the deployment and use of robust software solutions.
It also provides an excellent opportunity for malicious actors to establish a foothold in your network.
In this presentation, we discuss how we combined ClickOnce technology and existing phishing techniques into a new methodology for establishing an initial presence in an environment. By minimizing user interaction, we only require that the user is fooled for “one click” – after that, we already have a foothold in their environment and are ready to pivot and escalate further.
Attack All the Layers: What's Working during Pentests (OWASP NYC) - Scott Sutherland
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
This is the version modified for the OWASP meeting in June of 2014.
Integration and automation are cornerstones of DevOps. Black Duck Hub provides integrations to CI/CD solutions like Jenkins and TeamCity, but what if you are using a different solution or maybe even your own custom tools? Never fear! The Black Duck Hub APIs allow you to bring Black Duck open source scanning and policies into your environment. In this session we'll roll up our sleeves and dig into some coding examples to show you how to do it.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1st edition (July 9, 2013), ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This is a presentation I gave at DEF CON 23, in the Packet Hacking Village.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. Vulnerabilities related to the application, network, and server layers will be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks. Karl Fosaaen and I put this together for Secure 360 in Minneapolis. We hope you enjoy it.
More security blogs by the authors can be found at
https://www.netspi.com/blog/
Proactive sell-side due diligence to identify, inventory, assess, and, when necessary, remediate open source risks helps ensure the target company receives the best value for its products in an M&A event (and avoids lawsuits). Discovering these problems late in the game can dramatically affect the final purchase price, trigger the need for additional/longer/enhanced escrows, delay closing or even cause an acquisition to be called off altogether.
As delivered by Tim Mackey, Senior Technical Evangelist - Black Duck Software, at LinuxCon and ContainerCon in Berlin 2016.
Traditionally, when datacenter operators talk about application security, they've tended to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques.
The reality is that secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment of microservices, it’s imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
• How known vulnerabilities can make their way into production deployments
• How deployment of vulnerable code can be minimized
• How to determine the vulnerability status of a container
• How to determine the risk associated with a specific package
Alpha and Omega: Program Outcomes to the Capstone - ERAUWebinars
This is from a webinar presented by Embry-Riddle Aeronautical University-Worldwide called “Alpha and Omega: Program Outcomes to the Capstone.” The presenter is Scott Burgess.
How do you deal with employees' use of social media on the shop floor? Everything employees report about your store(s) via social media affects your company's image. What do you want to allow or not allow? And to what extent do you have a choice in this?
Passion, Persistence, and Patience: The Search for Amelia Earhart - ERAUWebinars
This is from a webinar presented by Embry-Riddle Aeronautical University-Worldwide called “Passion, Persistence, and Patience: The Search for Amelia Earhart.” The presenter is noted Amelia Earhart expert Jon Thompson.
Webinar Slides: Three Knows to Great Writing, Nov 4 2014 - ERAUWebinars
Webinar presentation by Embry-Riddle Aeronautical University-Worldwide. Dr. Terri Maue shows how to be a better writer by understanding the "Three Knows."
ERAU Webinar Slides: Global Business Environment - China Trip - ERAUWebinars
Embry-Riddle Aeronautical University-Worldwide webinar presented on Nov. 18, 2014 by Dr. Aman Gupta and Dr. Edward Knab. The title of the presentation is “Understanding the Global Business Environment: A First Hand Opportunity to Visit China”.
This is a webinar presented April 14, 2015 by Embry-Riddle Aeronautical University and featuring noted safety expert Dr. Mark Friend. Dr. Friend looks at the topic, "How to make safety work in your company."
Network Fundamentals: Ch3 - Application Layer Functionality and Protocols - Abdelkhalik Mosa
OSI is a layered, abstract representation created as a guideline for network protocol design. The Application Layer provides the human interface to the network.
Differences between the functions of the OSI application, presentation and session layers.
The two forms of software programs that provide access to the network: network-aware applications and application layer services.
The difference between applications, services and protocols.
Client-server model.
Peer-to-peer (P2P) networking and applications.
Application layer protocols and port numbers, e.g. DNS - TCP/UDP port 53, FTP - TCP ports 20 and 21, and SMTP - TCP port 25.
Root DNS servers and TLD servers.
Different application layer protocols such as HTTP, HTTPS, FTP, Telnet, SSH, DHCP, DNS, SMTP, POP3, SMB and the Gnutella protocol.
Geek Sync | Designing Data Intensive Cloud Native Applications - IDERA Software
You can watch the replay for this Geek Sync webcast, Designing Data Intensive Cloud Native Applications, in the AquaFold Resource Center in the next week: http://ow.ly/gZ0g50A4rvR.
Cloud is rapidly changing the way modern-day applications are being designed. Data is at the center of multiple challenges while architecting solutions in the cloud.
With technology changing rapidly, there are new possibilities for processing data efficiently. Cloud Native is a combination of various patterns like DevOps, CI/CD, Containers, Orchestration, Microservices, and Cloud Infrastructure. In this session, you will learn more about the tools and technologies that will help you to design data-intensive systems. We will take a structured approach towards architecting data-centric solutions, covering technologies like message queues, data partitioning, search index, data cache, event sourcing, NoSQL solutions, microservices, and cloud migration strategies.
Join Samir Behara as he discusses the high-level design principles that will help you build scalable, resilient, and maintainable systems in the cloud.
Speaker: Samir Behara is a Solution Architect with EBSCO Industries and builds cloud native solutions using cutting edge technologies. He is a Microsoft Data Platform MVP with over 12 years of IT experience working on large-scale applications involving complex business functionality, web integration and data management. Samir is a frequent speaker at technical conferences and is the Co-Chapter Lead of the Steel City SQL Server User Group. He is the author of www.dotnetvibes.com.
(A talk given at Wix R&D in Dnipro, Ukraine in March 2017. Video available at https://www.youtube.com/watch?v=eIX33mQdkAI&feature=youtu.be)
While microservices are conceptually simple, it's a deep rabbit hole to go down. Deceptively simple questions can have far-reaching implications: Which communication protocol should I choose? Is event-driven the way to go? What monitoring tools should I put in place?
In this talk we'll cover some of the fundamental questions, outline the solutions adopted or developed by Wix, and share our hindsight on what worked well for us, what didn't and thoughts on future directions for our stack.
How do you manage performance in the cloud, in particular in "Platform as a Service (PaaS)" environments like Windows Azure or Heroku where you don't have a "virtual machine" to manage?
Even in "Infrastructure as a Service (IaaS)" environments like Amazon EC2 there are limitations on the tools you can deploy into that environment to assist in performance management, troubleshooting, etc. (e.g. you can't deploy promiscuous-mode network sniffing tools in EC2).
James Smith from Adactus will give us an overview of Cloud Services as a whole, and then drill down into some of the issues they have experienced in deploying their "Pulse" Claims Management Solution into the Azure cloud (http://www.pulseclaims.com/home).
Beyond just looking at page speed performance he'll talk about the challenges involved in managing SLAs, Cloud "support" (or lack of it!), performance troubleshooting and the whole "performance lifecycle".
How to be Successful with Responsive Sites (Koombea & NGINX) - English - Koombea
Can't decide if your organization should build a mobile app or responsive website? Do you interact with consumer-facing products or large scale developments?
This guide gives you an idea of what Responsive is, why you should use it, and then DIGS deep into the technical aspect and how to optimize for performance.
By: David Bohorquez & Rick Nelson
This tutorial gives a brief and interesting introduction to modern stream computing technologies. Participants can learn the essential concepts and methodologies for designing and building an advanced stream processing system. The tutorial unveils the key fundamentals behind various kinds of design choices. Some forecasts of technology developments in this domain are also introduced in the last section of this tutorial.
Are you jumping on the microservices bandwagon? When should you, and when should you not, adopt a microservices architecture? If you must, what are the considerations? This slide deck will help answer a few of those questions...
3. Reverse Engineering Thick-clients
• Thick-client Overview
– “Old School”
• Local Software & Occasional Local Storage
– Local Software Connecting to Server Software
• Traditionally Installed Local Software via TCP/IP Sockets
• Web Delivered Local Software via TCP/IP Sockets
• Web Delivered Local Software via HTTP/S
– Alternative to Web/Thin Clients
• Occasionally More Efficient
• Allows for Interaction with Local Office Automation Software
• Allows for Syncing/Batch Uploads for Offline Use
4. Reverse Engineering Thick-clients
• Thick-client Attack Surface
– Local Software & Local Storage = Local Exposures
• Rootkits
• Cache & Registry Corruption
• Information Disclosure
– One-off Exposures
• Access to Office Automation Software Exposures
– Ignorance is Bliss
• Assumed Lack of Attack Surface
– Can Still Proxy Requests
– Sniffers Can Be Goldmines
• Overreliance on Data in Transit Crypto Protections
• Overreliance on Segregation of Duties & Access Controls