This document outlines how to run an application security (AppSec) program using various open source tools from the Open Web Application Security Project (OWASP). It discusses tools for requirements gathering, threat modeling, source code review, vulnerability testing, defect tracking, defensive controls, training and awareness, and knowledge management. Many of the tools are linked, including the OWASP Security Knowledge Framework, Dependency Check, ModSecurity Core Rule Set, Juice Shop, DevSlop, the OWASP Top 10, and the OWASP Testing guides. The document provides an open source framework for implementing an AppSec program.
Continuous Security: Using Automation to Expand Security's Reach - Matt Tesauro
Any optimization outside the critical constraint is an illusion. In DevSecOps, the size of the security team is always the scarcest resource, and the best way to optimize that team is automation. This talk gives an overview of key DevSecOps automation principles and shares real-world experience of building DevSecOps pipelines augmented with automation in multiple enterprises. Getting started can feel overwhelming, so the talk covers the fundamental building blocks of adding automation to a DevSecOps program: API integration, webhooks, Docker, ChatOps and a vulnerability repository to manage all the issues discovered. It shows how DevSecOps automation has delivered significant increases in productivity at several companies in different verticals, and presents multiple candidate architectures for DevSecOps automation, with the goal of inspiring the audience to adopt one of them for their program. By taking an example and customizing it to their situation, attendees will have a roadmap to start their security automation journey.
Watch this talk on YouTube: https://youtu.be/-3K74I7t7CQ
Securing the software supply chain has become a focus of cybersecurity efforts the world over. One aspect of this is the generation and verification of a Software Bill of Materials (SBOM). But what is an SBOM, and how would you go about setting this up for your cloud native containers, applications and pipelines?
The Flux team recently published a blog post on this very topic and how they have implemented these measures. During this session, Dan Luhring, OSS Engineering Manager at Anchore, will dive into SBOMs: what they are, why you need them, some common use cases, and how to get your pipeline ready for SBOM generation and verification, using the Flux SBOM as an example.
Resources
Anchore: A comprehensive, continuous security and compliance platform to protect your cloud-native applications.
Anchore’s OSS tools featured during this session:
- Syft: A CLI tool for generating a Software Bill of Materials (SBOM) from container images and file systems
- Grype: An easy-to-integrate open source vulnerability scanning tool for container images and file systems.
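To make the "verification" half of the SBOM pipeline concrete, here is an added example (not Syft, Grype or Flux code) that does in miniature what Grype does with a Syft SBOM: it reads a CycloneDX document, parses each component's package URL, matches it against a vulnerability feed of half-open version ranges, and turns the findings into a pass/fail decision for the build. The SBOM, the feed and the EXAMPLE-* identifiers are constructed for illustration, and version comparison is plain dotted-integer, which is not sufficient for every ecosystem's versioning rules.

```python
"""Match SBOM components against a vulnerability feed and gate a pipeline.

Added example, not code from Syft, Grype or the Flux project. The
CycloneDX SBOM and the vulnerability records are constructed, with
made-up EXAMPLE-* identifiers; a real pipeline would feed in the JSON that
`syft <image> -o cyclonedx-json` produces and a feed such as Grype's
database. Versions are compared as dotted integers, which suits these
samples but not every ecosystem.
"""
import json
import re

# Constructed CycloneDX-style SBOM; field names follow the CycloneDX spec.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7",
     "purl": "pkg:apk/alpine/openssl@3.0.7"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ]
}
"""

# Constructed feed: half-open ranges [introduced, fixed), as OSV uses.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "ecosystem": "maven", "name": "log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0", "severity": "critical"},
    {"id": "EXAMPLE-0002", "ecosystem": "npm", "name": "lodash",
     "introduced": "0.0.0", "fixed": "4.17.21", "severity": "high"},
    {"id": "EXAMPLE-0003", "ecosystem": "apk", "name": "openssl",
     "introduced": "3.0.0", "fixed": "3.0.8", "severity": "medium"},
    # Same package name, different ecosystem: must not match the apk one.
    {"id": "EXAMPLE-0004", "ecosystem": "npm", "name": "openssl",
     "introduced": "0.0.0", "fixed": "99.0.0", "severity": "low"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

PURL_RE = re.compile(r"^pkg:([^/]+)/(?:.*/)?([^/@]+)@([^?#]+)")


def parse_purl(purl):
    """Return (type, name, version) from a package URL such as
    pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1."""
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group(1), m.group(2), m.group(3)


def parse_version(version):
    """'2.14.1' -> (2, 14, 1): numeric comparison, so 2.9 < 2.14."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable(sbom, feed):
    """One finding per (component, record) pair whose ecosystem and name
    match and whose version lies in [introduced, fixed)."""
    findings = []
    for component in sbom["components"]:
        ptype, name, version = parse_purl(component["purl"])
        current = parse_version(version)
        for record in feed:
            if record["ecosystem"] != ptype or record["name"] != name:
                continue
            lo = parse_version(record["introduced"])
            hi = parse_version(record["fixed"])
            if lo <= current < hi:
                findings.append({"id": record["id"], "purl": component["purl"],
                                 "severity": record["severity"],
                                 "fixed_in": record["fixed"]})
    return findings


def should_fail_build(findings, threshold="high"):
    """Gate: fail when any finding is at or above the severity threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= floor for f in findings)


def scan_sample():
    return find_vulnerable(json.loads(SBOM_JSON), VULN_FEED)


if __name__ == "__main__":
    results = scan_sample()
    for f in results:
        print(f"{f['id']:<13} {f['severity']:<8} {f['purl']} (fixed in {f['fixed_in']})")
    print("build", "FAILED" if should_fail_build(results) else "passed")
```

Run as a script it prints two findings (the log4j-core and apk openssl components) and a failed build. Two details carry over to real tooling: the upper bound is exclusive, so lodash at exactly its fixed version is clean, and matching keys on the purl type as well as the name, so an npm package called openssl never matches the Alpine one.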
Speaker Bios:
Dan Luhring heads up OSS at Anchore, where he leads the software engineering team that develops Syft and Grype. Dan is drawn deeply into the cloud native security space, where he focuses on container workflows and developer experience. Dan believes in making software more secure by making life better for software engineers and security practitioners. Dan is a maintainer of Sigstore’s Cosign project, and he loves partnering with other people to find solutions to daunting challenges.
Priyanka (aka “Pinky”) is a Developer Experience Engineer at Weaveworks. She has worked on a multitude of topics including front end development, UI automation for testing and API development. Previously she was a software developer at State Farm where she was on the delivery engineering team working on GitOps enablement. She was instrumental in the multi-tenancy migration to utilize Flux for an internal Kubernetes offering. Outside of work, Priyanka enjoys hanging out with her husband and two rescue dogs as well as traveling around the globe.
It's an open source vulnerability scanner based on Nessus, and is very useful for home users and small companies that want to check their systems, networks and devices for vulnerabilities.
OSINT for Proactive Defense - RootConf 2019 - RedHunt Labs
A presentation about using Open Source Intelligence for proactive defense, delivered at Rootconf 2019, Bangalore, India.
RedHunt Labs
https://redhuntlabs.com/
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th February 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
OWASP DefectDojo - Open Source Security Sanity - Matt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster... - Codemotion
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.
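What the pipeline does with the scan result is the part most teams get wrong, so here is an added example (not ZAP code and not from the talk) of the gating step that sits after ZAP has run: it reads a ZAP JSON report and decides whether the stage passes, failing only on alerts at or above a chosen risk level that ZAP reported with reasonable confidence, and honouring a list of plugin IDs that have already been triaged as accepted or false positive. The report is constructed; its field names (site, alerts, pluginid, alert, riskcode, confidence, riskdesc, instances) follow the layout of ZAP's JSON report, with riskcode 0-3 meaning Informational/Low/Medium/High and confidence 0-3 meaning False Positive/Low/Medium/High, while the plugin IDs and alert names in the sample are illustrative. In a real run the report would come from the ZAP API's core/other/jsonreport endpoint or the baseline scan's -J option.

```python
"""Turn a ZAP JSON report into a pass/fail decision for a CI stage.

Added example, not part of ZAP. The report below is constructed; field
names follow ZAP's JSON report layout, riskcode 0-3 = Informational/Low/
Medium/High, confidence 0-3 = False Positive/Low/Medium/High. Plugin IDs
and alert names in the sample are illustrative.
"""
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

SAMPLE_REPORT_JSON = """
{
  "@version": "2.14.0",
  "site": [
    {
      "@name": "http://app.internal:8080",
      "alerts": [
        {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
         "confidence": "3", "riskdesc": "High (High)",
         "instances": [{"uri": "http://app.internal:8080/search?q=1", "method": "GET"}]},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
         "confidence": "2", "riskdesc": "High (Medium)",
         "instances": [{"uri": "http://app.internal:8080/echo?msg=x", "method": "GET"}]},
        {"pluginid": "90019", "alert": "Server Side Code Injection", "riskcode": "3",
         "confidence": "1", "riskdesc": "High (Low)",
         "instances": [{"uri": "http://app.internal:8080/eval", "method": "POST"}]},
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)",
         "instances": [{"uri": "http://app.internal:8080/", "method": "GET"}]}
      ]
    }
  ]
}
"""


def iter_alerts(report):
    """Yield (site_name, alert) for every alert in every site of the report."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", ""), alert


def evaluate(report, fail_risk=3, min_confidence=2, ignore_plugins=frozenset()):
    """Decide whether the scan passes.

    fail_risk: lowest riskcode that fails the build (3 = High only).
    min_confidence: alerts below this confidence are reported but never
        fail, so low-confidence heuristics cannot block merges.
    ignore_plugins: plugin IDs triaged as accepted or false positive; keep
        this list in the pipeline config so suppressions are reviewable.
    """
    failures, warnings, ignored = [], [], []
    for site, alert in iter_alerts(report):
        entry = {
            "site": site,
            "pluginid": alert["pluginid"],
            "alert": alert["alert"],
            "risk": RISK_NAMES[int(alert["riskcode"])],
            "confidence": int(alert["confidence"]),
            "instances": len(alert.get("instances", [])),
        }
        if alert["pluginid"] in ignore_plugins:
            ignored.append(entry)
        elif int(alert["confidence"]) < min_confidence:
            warnings.append(entry)
        elif int(alert["riskcode"]) >= fail_risk:
            failures.append(entry)
        else:
            warnings.append(entry)
    return {"passed": not failures, "failures": failures,
            "warnings": warnings, "ignored": ignored}


def evaluate_sample(**kwargs):
    return evaluate(json.loads(SAMPLE_REPORT_JSON), **kwargs)


if __name__ == "__main__":
    import sys
    # 40012 stands for a finding already triaged as a false positive.
    verdict = evaluate_sample(ignore_plugins={"40012"})
    for bucket in ("failures", "warnings", "ignored"):
        for e in verdict[bucket]:
            print(f"{bucket:<9} {e['risk']:<7} conf={e['confidence']} "
                  f"{e['pluginid']} {e['alert']} ({e['instances']} instance(s))")
    sys.exit(0 if verdict["passed"] else 1)
```

The exit status is what the CI job keys on. Note the order of the checks: a suppressed plugin is set aside before anything else, then confidence is applied, and only then risk, so a High-risk alert ZAP itself marked low-confidence becomes a warning to look at rather than a blocked merge.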
Hands On Introduction To Ansible Configuration Management With Ansible Comple... - SlideTeam
Hands On Introduction To Ansible Configuration Management With Ansible Complete Deck is designed for the upper and mid-level management. Take advantage of the informative visuals of this PPT slideshow to elucidate the application deployment tool. With the help of our intuitive PowerPoint template deck, explain the advantages of the Ansible automation tool. This viewer-friendly PPT theme is perfect to elaborate on the architecture of Ansible software. This is because of the state-of-the-art diagrams that simplify the explanation. Consolidate the characteristics and capabilities of Ansible applications such as configuration management and cloud provisioning. This PowerPoint presentation features an Ansible installation flowchart for an organization. Employ the neat tabular format to compile the differences between Ansible and Puppet. This will assist your organization to implement Ansible and its configuration in an effective manner. Hit the download icon and begin instant personalization. https://bit.ly/3mLQJtJ
Application Load Balancer and the integration with AutoScaling and ECS - Pop-... - Amazon Web Services
Classic Load Balancer and Application Load Balancer automatically distribute incoming application traffic across multiple Amazon EC2 instances for fault tolerance and load distribution. In this session, we go into detail about load balancer configuration and day-to-day management, as well as its use in conjunction with Auto Scaling and ECS. We explain how to make decisions about the service and share best practices and useful tips for success.
Software Bills of Materials (SBOMs) seem to have come out of nowhere. One day nobody has heard of them, and the next day many people are asking why you don't have one. SBOMs are a new, soon-to-be-necessary way of communicating your software composition to third parties. Let's dispel some myths and lay out a clear path for when and why you may need an SBOM, and how you'll need to engage with one.
Given at DevOpsDays Tampa Bay, 2022: https://devopsdays.org/events/2022-tampa/program/bill-bensing-t1
View on-demand: https://wso2.com/library/webinars/api-security-best-practices-and-guidelines/
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
At the same time, security itself is a broad area and vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing.
There is much to learn about API security whether you are a novice or an expert, and it is important that you do, because security is an integral part of any development project, including API ecosystems.
This webinar will deep-dive into the importance of API security, API security patterns, and how identity and access management (IAM) fit in the ecosystem.
DURING THE WEBINAR, WE WILL COVER:
Managed APIs
OAuth 2.0 and API security patterns
Introduction to WSO2 Identity Server
How we align with OWASP API security guidelines
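The OAuth 2.0 pattern the webinar lists comes down to what the resource server does with a bearer token before it serves a request, so here is an added example (not WSO2 Identity Server or OWASP code) of that check. It assumes the authorization server issues JWT-formatted access tokens signed with HS256 under a key shared with the API, which keeps the example self-contained; production deployments normally verify RS256/ES256 signatures against the issuer's JWKS instead, and mint_token exists only to build inputs. The checks are the ones that matter either way: pin the algorithm (so an "alg": "none" token is refused), verify the signature in constant time before trusting any claim, then enforce exp, iss, aud and the scope the endpoint requires. The key, issuer, audience, clock value and claims are constructed.

```python
"""Bearer access-token validation at an OAuth 2.0 resource server.

Added example, not WSO2 or OWASP code. Assumes HS256-signed JWT access
tokens under a shared key (production: asymmetric signatures checked
against the issuer's JWKS). Key, issuer, audience, clock and claims are
constructed; mint_token stands in for the authorization server.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-shared-secret-not-for-real-use"
ISSUER = "https://idp.example"
AUDIENCE = "https://orders.example/api"
NOW = 1_700_000_000  # fixed clock so the example is deterministic
BASE_CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
               "exp": NOW + 300, "scope": "orders:read profile"}


class TokenError(Exception):
    """Any reason to reject a token; map to 401 (or 403 for scope)."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError:
        raise TokenError("malformed base64url segment")


def mint_token(claims, key=KEY):
    """Authorization-server side, used here only to produce inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token, key, issuer, audience, now=None):
    """Resource-server side: return the claims, or raise TokenError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise TokenError("undecodable header")
    # Pin the algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # trustworthy only now
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("token expired or missing exp")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise TokenError("wrong audience")
    return claims


def authorize(token, required_scope, now=None):
    """Per-endpoint check: valid token AND the scope the endpoint needs."""
    claims = verify_token(token, KEY, ISSUER, AUDIENCE, now=now)
    if required_scope not in set(claims.get("scope", "").split()):
        raise TokenError("insufficient_scope")
    return claims


def check(token, required_scope, now=NOW):
    """Return ('ok', claims) or ('rejected', reason) instead of raising."""
    try:
        return "ok", authorize(token, required_scope, now=now)
    except TokenError as exc:
        return "rejected", str(exc)


def valid_token():
    return mint_token(BASE_CLAIMS)


def tampered_token():
    """Payload swapped for one with extra scopes; signature left as it was."""
    header_b64, _, sig_b64 = valid_token().split(".")
    forged = _b64url_encode(json.dumps(dict(BASE_CLAIMS, scope="orders:write admin")).encode())
    return f"{header_b64}.{forged}.{sig_b64}"


def alg_none_token():
    """The 'alg: none' forgery: unsigned, must be refused outright."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(BASE_CLAIMS).encode())}."
```

check(valid_token(), "orders:read") succeeds, while the same token asked for "orders:write" is rejected with insufficient_scope, the tampered token fails on signature, and the unsigned token fails on the algorithm check before any claim is read. That ordering is deliberate: claims are only parsed after the signature is known to be good.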
Software Bill of Materials - Accelerating Your Secure Embedded Development.pdf - ICS
This webinar will cover why SBOMs should be required to improve software supply chain security, what to look for in an SBOM, how to evaluate open source and third-party components, and how to use an SBOM to identify software risk and eliminate vulnerabilities throughout the software supply chain.
Pentesting RESTful webservices discusses the problems penetration testers face while testing RESTful web services and REST-based web applications, along with the tools and techniques used to pentest RESTful web services.
It all starts with the ' (SQL injection from attacker's point of view) - Miroslav Stampar
These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at FSec 2011 conference (Croatia / Varazdin 22nd September 2011) by Miroslav Stampar
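The title's point, that everything starts with a single quote, is easiest to see with the two query styles side by side, so here is an added example (not from the FSec 2011 slides) in Python with sqlite3 standing in for the target database. login_vulnerable builds the SQL by string formatting and is deliberately injectable; login_safe is the parameterized fix. quote_breaks_query is the attacker's first probe: a lone ' makes the vulnerable query fail with a syntax error and leaves the safe one untouched. The table, accounts and payloads are constructed.

```python
"""A login query built by string formatting beside its parameterized form.

Added example, not from the FSec 2011 slides. Table, rows and payloads
are constructed; sqlite3 stands in for whatever database a target uses.
login_vulnerable is DELIBERATELY injectable; login_safe is the fix.
"""
import sqlite3


def setup_db():
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """DELIBERATELY VULNERABLE: user input becomes part of the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Fixed: placeholders keep the data out of the statement's grammar."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def quote_breaks_query(conn, login):
    """The attacker's first probe: does a single quote cause a SQL error?
    True for the vulnerable function, False for the safe one."""
    try:
        login(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


PAYLOADS = {
    # Comment out the password check entirely (-- starts a comment in SQLite).
    "comment": ("alice' --", "wrong"),
    # Tautology: AND binds tighter than OR, so the trailing OR '1'='1'
    # makes the whole WHERE clause true for every row.
    "tautology": ("' OR '1'='1", "' OR '1'='1"),
}


def run_payload(conn, login, name):
    username, password = PAYLOADS[name]
    return login(conn, username, password)


if __name__ == "__main__":
    db = setup_db()
    for fn in (login_vulnerable, login_safe):
        print(fn.__name__, "quote probe errors:", quote_breaks_query(db, fn))
        for payload in PAYLOADS:
            print(f"  {payload:<10} -> {run_payload(db, fn, payload)}")
```

Against the vulnerable function the comment payload logs in as alice with the wrong password and the tautology returns every account; against the parameterized version both payloads are just unusual usernames that match nothing.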
Fuzzapi is an API fuzzer that helps developers and pen testers fuzz APIs and find some commonly occurring vulnerabilities. The tool can be integrated into the build pipeline so that developers identify vulnerabilities before pen testing; pen testers can also run it against APIs during their engagements to automate some of their tasks.
Empowering red and blue teams with osint c0c0n 2017 - reconvillage
This talk will discuss Open Source Intelligence (OSINT) gathering tools and techniques that are highly useful and effective for both Blue teams and Red teams.
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG)
AppSec Night & OWASP Top 10 2017 Review
By Matt Scheurer (@c3rkah)
From: 02/15/2018
AppSec & OWASP Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 09/17/2019
Cincinnati Tri-State (ISC)2 Chapter
September Meeting
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG), an Ambassador for Bugcrowd, and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
OWASP CSRF Protector has been implemented as a PHP library and an Apache 2.2.x module that helps web developers and system administrators mitigate CSRF vulnerabilities in their web applications with ease.
Presentation of my talk at FOSSASIA 2015
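The control such a library enforces is the synchronizer token pattern; as an added example (not OWASP CSRF Protector's code, which is PHP and an Apache module) here is a Python version of one way to implement it. The token is an HMAC over the session identifier and issue time under a server-side key, so the server stores nothing per token; validation checks the MAC in constant time, the binding to the caller's session and a maximum age, and only state-changing methods are checked, which relies on the application keeping GET, HEAD and OPTIONS free of side effects. The key, session identifiers and clock values are constructed.

```python
"""Synchronizer-token CSRF protection, bound to the session with an HMAC.

Added example, not OWASP CSRF Protector code. Key, session identifiers
and timestamps are constructed. Token = issue_time "." HMAC(key,
session_id ":" issue_time); nothing is stored server-side per token.
"""
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-example-key-not-for-use"  # load from secret storage in practice
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
MAX_AGE_SECONDS = 3600


def _mac(session_id, issued_at, key):
    message = f"{session_id}:{issued_at}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def issue_token(session_id, key=SERVER_KEY, now=None):
    """Render the result into the form as a hidden field."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(session_id, issued_at, key)}"


def validate_token(token, session_id, key=SERVER_KEY, now=None,
                   max_age=MAX_AGE_SECONDS):
    """True only for a well-formed, unexpired token issued to this session."""
    if not token or "." not in token:
        return False
    issued_str, mac = token.split(".", 1)
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    now = int(time.time() if now is None else now)
    if issued_at > now or now - issued_at > max_age:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(session_id, issued_at, key), mac)


def is_request_allowed(method, session_id, submitted_token, now=None):
    """Middleware decision: safe methods pass, everything else needs a token
    that was issued to the same session the request carries."""
    if method.upper() in SAFE_METHODS:
        return True
    return validate_token(submitted_token, session_id, now=now)


if __name__ == "__main__":
    clock = 1_700_000_000
    form_token = issue_token("sess-A", now=clock)
    print("same session:   ", is_request_allowed("POST", "sess-A", form_token, now=clock))
    print("other session:  ", is_request_allowed("POST", "sess-B", form_token, now=clock))
    print("after max age:  ", is_request_allowed("POST", "sess-A", form_token, now=clock + 3601))
```

Binding the token to the session is what stops an attacker from harvesting a token from their own session and replaying it in a victim's browser; the expiry bounds how long a leaked token stays useful. The token must still travel in the request body or a custom header, never in a cookie alone, or the browser would attach it to the forged request as well.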
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf - 91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, with an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Generating a custom Ruby SDK for your web service or Rails API using Smithy - g2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Key Trends Shaping the Future of Infrastructure.pdf - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities, spread across over 85 cities around the world. In addition, Sectrio runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
2. About Me: Vandana Verma Sehgal
❖ OWASP Global Board of Directors
❖ President - InfosecGirls
❖ Award-winning Cybersecurity Professional
❖ Keynote Speaker, Inclusion Advocate
Personal interests: Reading Books, Teaching, Cooking and Travelling
5. OWASP Security RAT
OWASP Security RAT (Requirement Automation Tool) is a tool to assist with the problem of addressing security requirements during application development. It simplifies security requirement management during development using automation approaches.
https://owasp.org/www-project-securityrat/
6. OWASP Security Knowledge Framework
SKF is an open source security knowledge base including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers gaining access and running exploits on your application.
https://owasp.org/www-project-security-knowledge-framework/
8. OWASP Threat Dragon
Threat Dragon is a tool used to create threat model diagrams, to record possible threats and to decide on their mitigations.
https://owasp.org/www-project-threat-dragon/
9. OWASP pytm
OWASP pytm: A Pythonic framework for threat modeling.
Define your system in Python using the elements and properties described in the pytm framework. Based on your definition, pytm can generate a Data Flow Diagram (DFD), a Sequence Diagram and, most important of all, threats to your system.
https://owasp.org/www-project-pytm/
11. Source Code Review
Code Review Checklist
A guide to the security issues found in code and recommendations on how to fix them.
https://owasp.org/www-project-code-review-guide/
OWASP Code Pulse
The OWASP Code Pulse Project is a tool that provides insight into the real-time code coverage of black box testing activities. It is a cross-platform desktop application that runs on most major platforms.
https://owasp.org/www-project-code-pulse/
12. Source Code Review
OWASP Cheat Sheet Series
The OWASP Cheat Sheet Series was created to provide a set of simple good practice guides for application developers and defenders to follow.
https://owasp.org/www-project-cheat-sheets/
OWASP Go Secure Coding Practices Guide
The main goal of this project is to help developers avoid common mistakes while, at the same time, learning a new programming language through a “hands-on approach”.
https://owasp.org/www-project-go-secure-coding-practices-guide/
14. Software Component Analysis (SCA)
OWASP Dependency-Check
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
https://owasp.org/www-project-dependency-check/
OWASP Dependency-Track
Dependency-Track is an intelligent Supply Chain Component Analysis platform that allows organizations to identify and reduce risk from the use of third-party and open source components.
https://docs.dependencytrack.org
16. Web Application Testing
OWASP Web Security Testing Guide
The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
https://owasp.org/www-project-web-security-testing-guide/
OWASP API Security Project
This project is designed to address the ever-increasing number of organizations that are deploying potentially sensitive APIs as part of their software offerings.
https://owasp.org/www-project-api-security/
17. Mobile Apps Testing
Mobile Security Testing Guide
The MSTG is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers.
https://owasp.org/www-project-mobile-security-testing-guide/
18. Automated Testing
OWASP ZAP
ZAP is an open-source web application security scanner. It is intended to be used both by those new to application security and by professional penetration testers.
https://owasp.org/www-project-zap/
OWASP Amass
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
https://github.com/OWASP/Amass
20. Defect Tracking: OWASP DefectDojo
DefectDojo is a security program and vulnerability management tool. DefectDojo allows you to manage your application security program, maintain product and application information, schedule scans, triage vulnerabilities and push findings into defect trackers. Consolidate your findings into one source of truth with DefectDojo.
https://owasp.org/www-project-defectdojo/
22. Defensive Controls
OWASP CSRFGuard
It’s a list of security techniques that should be included in every software development project.
https://owasp.org/www-project-csrfguard/
OWASP ModSecurity Core Rule Set
The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
https://owasp.org/www-project-modsecurity-core-rule-set/
25. OWASP WebGoat
OWASP WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
https://owasp.org/www-project-webgoat/
26. OWASP Security Shepherd
OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
https://owasp.org/www-project-security-shepherd/
27. OWASP DevSlop
The OWASP DevSlop project contains several modules, all with the purpose of teaching participants about DevSecOps.
https://owasp.org/www-project-devslop/
28. OWASP Juice Shop
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! It can be used in security trainings, awareness demos, CTFs and as a guinea pig for security tools! Juice Shop encompasses vulnerabilities from the entire OWASP Top Ten along with many other security flaws found in real-world applications!
https://owasp.org/www-project-juice-shop/
29. Awareness – Web App
OWASP Top 10
The OWASP Top 10 is the reference standard for the most critical web application security risks.
https://owasp.org/www-project-top-ten/
OWASP Application Security Verification Standard
The ASVS Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://owasp.org/www-project-application-security-verification-standard/
30. Awareness
OWASP Mobile Top 10
The Mobile Top 10 is the reference standard for the most critical mobile application security risks.
https://owasp.org/www-project-mobile-top-10/
Mobile Application Security Verification Standard
The Mobile ASVS Project provides a basis for testing mobile application technical security controls and also provides developers with a list of requirements for secure development.
https://github.com/OWASP/owasp-masvs
31. Awareness
OWASP Top 10 Privacy Risks
A Top 10 list of privacy risks in web applications and related countermeasures.
https://owasp.org/www-project-top-10-privacy-risks/
OWASP Automated Threats to Web Applications
It helps organizations better understand and respond to the notable worldwide increase of automated threats from bots.
https://owasp.org/www-project-automated-threats-to-web-applications/
33. Knowledge Management
OWASP Application Security Verification Standard
The ASVS Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.
https://owasp.org/www-project-application-security-verification-standard/
OWASP Security Knowledge Framework
SKF is an open source security knowledge base including manageable projects with checklists and best practice code examples in multiple programming languages, showing you how to prevent hackers gaining access and running exploits on your application.
https://owasp.org/www-project-security-knowledge-framework/
34. Knowledge Management
OWASP Snakes And Ladders
Snakes and Ladders is an educational project. It uses gamification to promote awareness of application security controls and risks, and in particular knowledge of other OWASP documents and tools.
https://owasp.org/www-project-snakes-and-ladders/
OWASP Cornucopia
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams in identifying security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
https://owasp.org/www-project-cornucopia/
35. AppSec Framework with Open Source (OWASP) Tools
Requirement Gathering: SecurityRat, SKF
Threat Modeling: Threat Dragon, pytm
Source Code Review: Code Review Guide, Risk Assessment Framework
Software Component Analysis (SCA): Dependency Check, Dependency Track
Vulnerability Testing: Web testing guide, Mobile testing guide, API Top 10, ZAP
Defect Tracking: Defect Dojo
Defensive controls: ModSecurity Core Rule Set, CSRFGuard
Training & Awareness
Training: Mutillidae, Webgoat, Security Shepherd, Juice Shop, DevSlop
Awareness: Web App Top 10, Mobile Top 10, Proactive Controls, Automated Threats to Web Apps, Top 10 Privacy Risks
Knowledge Management: ASVS, SKF, Snakes And Ladders, Cornucopia
Overall program maturity: OWASP SAMM
Running an AppSec program with Open Source Projects – Vandana Verma Sehgal
36. Contribute
If you wish to contribute to the projects, or to suggest any improvements or changes, then please do so via the issue tracker on the GitHub repository.
1. Code contribution (add features, kill bugs)
2. Write test cases, help curate bug trackers.
3. Create documentation, blogs, tutorials, videos, testimonials.
4. Promote or discuss the tool in public.
5. Suggest features / report bugs.
6. Last but not least, help by donating money.
38. Free places to learn AppSec
OWASP
https://www.owasp.org/
Your nearest local OWASP Chapter
https://owasp.org/chapters/
39. As a Community
If you look like you don’t belong, then buckle up, believe in yourself and engage with the technical community.
Leverage the many opportunities for scholarships, travel grants, meetup groups, networks and more.