This document summarizes Gregory Pickett's presentation on SDN security at SACON International 2020. It discusses current SDN trends like SDN, SD-WAN and SDDC. It then covers vulnerabilities in SDN components like switches, controllers and applications. Examples of vulnerabilities in vendors like Cisco APIC, Floodlight and Big Cloud Fabric are provided. Finally, it discusses general approaches to securing SDN through techniques like encryption, authentication, hardening, architecture and operations. A case study of Cisco's approach to SDN security is also summarized.
(SACON) Pradyumn Nand & Mrinal Pande - Metron & Blitz, Building and scaling y... (Priyanka Aash)
Open Source technologies are being widely adopted to help SOC / DevSecOps teams in day to day operations. We'll be showcasing how we've built our SIEM using Apache Metron with a custom SOAR layer - Blitz over it to alert and respond to threats in real time. We'll deep dive into the architecture of both platforms and demonstrate various use cases covering cloud infra, endpoint devices, outbound traffic and perimeter security threats. We'll also present how to automate remediation to alerts and scale the setup for orchestration and threat hunting.
(SACON) Dr. Soumya Maity & Lokesh Balu - A scalable, control-based, developer... (Priyanka Aash)
A comprehensive application threat model demands specialized skills and expertise which might be difficult to avail considering the increasing resource gap in software security market. Making a scalable threat model framework is difficult even for big enterprises. Even the tools that help to manage the threat modeling process have limitations. In this talk, we will present control-based threat modeling to explore the possibilities of moving from a traditional threat-library based threat model to a more developer-centric threat model and how this paradigm change may add value towards developing secure software.
SDN and Security: A Marriage Made in Heaven. Or Not. (Priyanka Aash)
Software-defined networking has come onto the scene and changed the way we think about moving packets throughout a network. But it has also morphed into multiple definitions and approaches, driven by both vendors and enterprise customers. But how does security fit into this picture? This talk will discuss the convergence of SDN and security and will try to make sense of them both.
Learning Objectives:
1: Understand all types of SDN.
2: Understand SDN and security.
3: Understand how a secure SDN makes a network safer.
(Source: RSA Conference USA 2018)
Identity-Based Security and Privacy for the Internet of Things (Priyanka Aash)
The Internet of Things presents both a challenge and opportunity for identity management - a challenge because existing mechanisms for authentication & authorization must be extended and adapted for the particular constraints of devices (both legacy and new) and an opportunity because the devices that users more and more carry with them offer new abilities to enable a more seamless authentication experience for those users. Both of these aspects demand a consistent, cohesive and interoperable identity layer across IoT verticals, platforms, and protocols. Critically, we need an identity layer that acknowledges the full continuum of risk (and so appropriate security measures) that the IoT presents. Good security means knowing who entities (both device & user) are and what they should or should not be allowed to do. Good privacy requires that users will be able to control how their devices collect, store and share data. This talk will examine how existing & new tools (like OAuth, UMA, FIDO, and DLTs) may help meet these fundamental requirements for securing the IoT.
(Source: RSA Conference USA 2018)
Corpsec: “What Happened to Corpses A and B?” (Priyanka Aash)
Living BeyondCorp comes with its own challenges. This talk will dive into how Duo gets our hands around difficult problems regarding the security and management of cloud services and endpoints internally. This session will cover technical details of our security orchestration and automation approach, cloud service monitoring, and chatops-driven endpoint application whitelisting strategies.
(Source: RSA Conference USA 2018)
Humans and Data Don’t Mix: Best Practices to Secure Your Cloud (Priyanka Aash)
While the causes of outages are varied, human error far outpaces all hardware failures. The risk of humans touching sensitive data is clear, but the tools, techniques and risk-mitigation strategies lag behind current realities. Stephen Schmidt, AWS CISO, will share hard-earned lessons around potential gaps in your security plan, along with steps to lessen potential angles of attack.
(Source: RSA Conference USA 2018)
Stop Translating, Start Defending: Common Language for Managing Cyber-Risk (Priyanka Aash)
Time is of the essence when protecting your organization from complex cyberthreats. The clock doesn’t start when you have been breached—it’s always ticking. The board must articulate risk tolerances, management must set the strategy and IT must execute. The NIST CSF provides a common language for internal and external stakeholders, and helps the organization to stop translating and start defending.
Learning Objectives:
1: Learn how the NIST CSF can be used for more than just IT security.
2: Learn to use the CSF as a common language with the board, employees and customers.
3: Learn to adapt the CSF to the changing threat environment.
(Source: RSA Conference USA 2018)
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ... (Priyanka Aash)
Machine learning algorithms are key to modern at-scale cyberdefense. Transfer learning is a state of the art ML paradigm that enables applying knowledge and algorithms developed from one field to another, resulting in innovative solutions. This talk presents transfer learning in action wherein techniques created from other areas are successfully re-purposed and applied to cybersecurity.
(Source: RSA Conference USA 2018)
Building and Adopting a Cloud-Native Security Program (Priyanka Aash)
Cloud is a new frontier that requires new architectures, higher velocity processes and crisper business-level metrics—all of which smacks security programs square in the face. This session will leverage the nearly 20 years of the speakers’ combined cloud experience to lay out a complete strategy for building out a cloud-first security program that covers infrastructure and application development.
(Source: RSA Conference USA 2018)
Office 365 Security: Top Priorities for 30 Days, 90 Days and Beyond (Priyanka Aash)
Based on investigations of real-world attacks, Microsoft Office 365 cybersecurity experts provide a prescriptive approach to identifying and implementing the most critical security controls to protect your Office 365 tenant. You will learn how threats and defenses change from on-premises attacks and what Microsoft recommends for quickly protecting against the most likely and impactful risks.
(Source: RSA Conference USA 2018)
Much has been said about DevOps and SecDevOps for security automation and integration. However, to many in the security community, this is still a buzzword. There are many practical applications of automation in cloud security controls, however, across all security-related disciplines. This talk will delve into concrete examples of security automation in the cloud, with metrics examples, as well.
(Source: RSA Conference USA 2017)
Defending Serverless Infrastructure in the Cloud RSAC 2020 (Puma Security, LLC)
Cloud workloads running on Serverless Infrastructure provide near zero visibility to security teams. Can security professionals inventory, scan, and monitor an environment running thousands of functions for only 100 milliseconds? This technical session examines real world attacks and teaches you how to enable security controls to defend your Serverless Infrastructure.
Security Automation Simplified via NIST OSCAL: We’re Not in Kansas Anymore (Priyanka Aash)
COBIT, ISO/IEC 27001, NIST 800.53, PCI, oh my. The path to compliance is not a yellow brick road. IT professionals face a variety of security standards that they must meet simultaneously. This talk will present the NIST Open Security Controls Assessment Language (OSCAL) project as a way to standardize control, implementation and assessment information using an open, machine-readable format.
Learning Objectives:
1: Understand how to leverage automation to secure systems against multiple standards.
2: Learn how OSCAL is designed and how it can be used.
3: Discover how you can be a part of developing this new standard of standards.
(Source: RSA Conference USA 2018)
Through mobile application pentesting, it is possible to identify the different kinds of mistakes made during development that can put end-user data at risk. The talk explains how, by applying reverse engineering and hooking techniques, the application's functionality can be manipulated in order to test its security levels.
DevOOPS: Attacks and Defenses for DevOps Toolchains (Chris Gates)
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
RSA 2015 Realities of Private Cloud Security (Scott Carlson)
My 2015 talk at the RSA US Conference on private cloud security and the ways companies need to think about their cloud as they build it within their private data center.
Application security is often an afterthought for developers, as we concentrate on the next shiny new feature for our projects. In this talk, we’ll highlight the importance of application security and explore some simple and practical ways that we as developers can defend our services from intrusion.
We’ll look at how my team at the BBC approached security concerns when creating the new BBC ID applications, and dive into some code examples to explore the best practices for Node.js server security.
Talk originally given at JavaScript North West meetup. https://www.meetup.com/JavaScript-North-West/events/239152184/
Securing Network Access with Open Source solutions (Nick Owen)
My presentation from Atlanta Linux Fest on how to allow users secure access to your network using open source technologies. Examples include how to add two-factor authentication to Apache, OpenVPN, Astaro, NX etc.
Secret Sprawl and Electric Vehicle Charging Stations (Roger Qiu)
For this third meetup (the first of 2023), we will look at the problem of secret sprawl and cyber risks in Electric Vehicle infrastructure.
We'll be discussing the importance of properly securing secret tokens, such as passwords and API keys, in a development environment. Scattering these tokens throughout your environment can create security vulnerabilities, as they may potentially be accessed by unauthorized parties. We'll cover best practices for protecting secret tokens, such as using a password manager or secrets management tool, to help ensure that your sensitive information stays safe. Join us to learn more about this important topic and get tips on how to protect your secrets.
Furthermore, as a continuation of December 2022's meetup, we will go into the cybersecurity risks in electric vehicle charging station infrastructure.
There are several risks to cybersecurity in electric vehicle (EV) charging infrastructure that can potentially compromise the safety and reliability of the charging process. Some of these risks include:
Unauthorized access to charging systems: Hackers may attempt to gain access to EV charging systems in order to steal power or disrupt the charging process.
Data breaches: EV charging systems often collect and store sensitive data, such as payment information, which could be compromised if the systems are not properly secured.
Physical damage to charging infrastructure: Cyberattacks on EV charging systems could potentially cause physical damage to the infrastructure, leading to costly repairs and downtime.
Disruption of power grids: Large-scale attacks on EV charging systems could potentially disrupt the power grid, leading to widespread power outages.
To mitigate these risks, it is important for EV charging infrastructure to be designed with cybersecurity in mind and to implement measures such as encryption and secure authentication protocols to protect against potential attacks.
https://www.meetup.com/cybersecurity-digital-trust/events/290782715/
This presentation provides an overview of web security, web security with Cisco Ironport, web security with Cisco Scansafe, and the road to hybrid security.
With nearly every embedded device and enterprise management solution serving up a web console for management, we are faced with the question (does that web service properly filter incoming data?). Unfortunately, the answer to that question is No. My research has shown that simple name data is often overlooked. This includes, SSIDs, SNMP sysDesc and Hostnames, just to name a few, which are consumed by the applications and embedded devices without proper filtering. Over the last 4 years I have researched this issue, and discovered that nearly 50% of products tested were vulnerable to injection attacks via this vector. During this presentation I will be discussing these various injection vectors, and the attacks that I have successfully developed against targeted systems using these exploits.
This reference design helps organizations design and configure a small to midsize data center (between 2 and 60 server racks) at headquarters or a server room at a remote site. You will learn how to configure the data center core, aggregation and access switches for connectivity to the servers and the campus network.
The Avaya Fabric Connect data center design supports high-speed 10 Gbps Ethernet connected servers. The design can easily scale server bandwidth with link aggregation, and servers can be connected to one or more switches in order to provide the level of availability required for the services delivered by the host. The design also supports legacy and low-traffic servers that need 1 Gbps Ethernet connectivity.
The reference design presented in this guide is based on common network requirements and provides a tested starting point for network engineers to design and deploy an Avaya data center network. This guide does not document every possible option and feature used to design and deploy networks but instead presents the tested and recommended options that will meet the majority of customer needs.
This design uses Avaya Fabric Connect in order to provide benefits over traditional data center design.
IT departments face several challenges in today’s data center:
· Data center traffic flow is not the same as campus traffic flow. Over 80% of the traffic is east-west, server-to-server, vs. north-south, client-to-server, like in a campus.
· Server virtualization allows a virtual machine or workload to be located anywhere in the physical data center. Data center networks can make it difficult to extend virtual local area networks (VLANs) and subnets anywhere in the data center.
· Server virtualization means that new services can be brought online in minutes or migrated in real time. Reconfiguring the network to support this is difficult because it can interrupt other services.
· Server virtualization means that the load on a physical box is much higher. Physical servers regularly host 10-50 workloads, driving network utilization well past 1 Gbps.
How to Gain Visibility into Encrypted Threats (Shain Singh)
Encrypting data-in-transit with SSL/TLS is standard practice among organisations today. Important security initiatives, such as built-in web browser warnings and stronger legislative GDPR changes, have significantly improved privacy awareness and helped to prevent data breaches. However, cybercriminals commonly hide threats within encrypted payloads and use encrypted channels to propagate malware and exfiltrate data, knowing they can bypass traditional security inspection solutions.
Similar to (SACON 2020) Adventures In SDN Security (20)
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE and MITRE. Security professionals can better understand which attack vectors are commonly utilized in attacks, see examples from previous incidents, and learn where they should focus their controls and security efforts.
Discusses security incidents and business use cases, the pros and cons of Web 3, prevention mechanisms, and how to make sure it doesn’t happen to you.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore) (Priyanka Aash)
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect from on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world with no perimeters, Cloud Security Groups, the "cloud firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of ethical hacking. An ethical hacker's job is to scan for vulnerabilities and to find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks, etc. In this session, you will learn all about ethical hacking. You will understand what ethical hacking is, cyber-attacks and tools, and see some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf (Paige Cruz)
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
29. SACON
CASE STUDIES
Many, many case studies available on the Internet
Most DO NOT mention security
Most rely on the SD-WAN device
Those that don’t have opted for one of these:
Service Chaining
WAN traffic encryption
31. SACON
THE RISKS
Operational
Large Failure Domain
Security
Introduces Attack Surfaces
- Forwarding Elements
- Controllers
Limits detection of and response to threats
39. SACON
FLOODLIGHT
Open Source
No Encryption (Openflow, Console)
Denial of Service (Controller)
No Authentication (Console)
Atlassian
Denial of Service (Forwarding Module)
Cross-Site Scripting (Console)
40. SACON
FLOODLIGHT
Big Cloud Fabric
No Encryption (ZTN, ONIE, Sync)
No Authentication (ZTN, ONIE)
Weak Password (API)
Token Stale, Doesn’t Expire, and Doesn’t Invalidate (API)
52. SACON
BIG CLOUD FABRIC (Stale Token)
Was it based on the password?
No. I changed that on the 27th!
53. SACON
BIG CLOUD FABRIC (Stale Token)
It still works after the password changed.
Most of these are used across the loopback.
One is used for controller to controller communication.
Does it check certificates?
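The stale-token behaviour from slides 52 and 53, as an added illustration that is not the product's code: a constructed in-memory token scheme in which the token identifies only the account, beside a hardened one that binds each token to a credential generation counter, an expiry and a revocation list. The Account class, the signing key and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # constructed server-side signing key
REVOKED = set()                   # signatures of tokens explicitly invalidated


class Account:
    """Minimal stand-in for a controller API user (constructed, not product code)."""
    def __init__(self, name):
        self.name = name
        self.cred_generation = 0  # incremented on every password change

    def change_password(self):
        self.cred_generation += 1


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

# Weak pattern: the token names the account and nothing else, so a password
# change, the passage of time or a logout has no effect on its validity.
def issue_stale_token(acct):
    return acct.name + "." + _sign(acct.name)

def validate_stale_token(token, acct):
    payload, _, sig = token.rpartition(".")
    return payload == acct.name and hmac.compare_digest(sig, _sign(payload))

# Hardened pattern: bind the token to the credential generation and an expiry,
# and honour an explicit revocation list.
def issue_token(acct, now, ttl=3600):
    payload = f"{acct.name}:{acct.cred_generation}:{int(now) + ttl}"
    return payload + "." + _sign(payload)

def revoke(token):
    REVOKED.add(token.rpartition(".")[2])

def validate_token(token, acct, now):
    payload, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig, _sign(payload)) or sig in REVOKED:
        return False
    try:
        name, gen, exp = payload.split(":")
        return name == acct.name and int(gen) == acct.cred_generation and now < int(exp)
    except ValueError:  # malformed payload
        return False
```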
59. SACON
CISCO APIC (Backdoor)
This was a little more difficult
However, everything that you need is still there!
Offline mount HDD
Add “backdoor.service” to root “snapshot”
Loads netcat listener at boot
79. SACON
SWITCHES
TLS
Between forwarding elements and controllers
Using updated libraries
Add mutual authentication
DevSecOps or SDN to coordinate certificate and key distribution
80. SACON
SWITCHES
Hardening
Install Environment (Above)
Operating System
- Changeable names
- Forced password changes
- Remove uid 0 from admin
- 2FA for shell?
- Remove unnecessary tools … Etc.
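An added example (not from the talk) that audits a switch image against three items of this list: shared uid 0, missing forced password rotation, and unneeded tools. It parses constructed /etc/passwd and /etc/shadow content embedded inline rather than a live system; the package list and the set of tools treated as unneeded are assumptions.

```python
# Constructed sample files: "admin" shares uid 0 with root, has no forced
# password rotation, and a tool not needed on a forwarding element is present.
PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Switch admin:/home/admin:/bin/bash
ops:x:1001:1001:Operator:/home/ops:/bin/bash
"""
SHADOW = """root:$6$HASH:19000:0:90:7:::
admin:$6$HASH:19000:0:99999:7:::
ops:$6$HASH:19000:0:90:7:::
"""
INSTALLED = ["sshd", "nc", "tcpdump", "ovs-vswitchd"]   # constructed package list
UNNEEDED_TOOLS = {"nc", "tcpdump"}  # assumption: not required on a switch image


def uid0_accounts(passwd_text):
    """Login names other than root whose uid is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def accounts_without_rotation(shadow_text, max_days=90):
    """Accounts whose maximum password age (shadow field 5) exceeds max_days or is unset."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        if not fields[4].isdigit() or int(fields[4]) > max_days:
            hits.append(fields[0])
    return hits


def unneeded_tools(installed, unneeded=UNNEEDED_TOOLS):
    return sorted(set(installed) & unneeded)


def audit(passwd_text, shadow_text, installed):
    """One finding per hardening gap; an empty list means the image passed these checks."""
    findings = [f"uid 0 shared with non-root account '{u}'" for u in uid0_accounts(passwd_text)]
    findings += [f"no forced password change for '{u}'" for u in accounts_without_rotation(shadow_text)]
    findings += [f"unneeded tool present: {t}" for t in unneeded_tools(installed)]
    return findings
```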
86. SACON
CASE STUDY
Cisco Systems (2018)
Traditional Network
NetFlow
IPS
Firewalling
Software Defined Network
Switches and Controllers are black boxes
Management plane relies on the existing traditional network
87. SACON
CASE STUDY
Software Defined Network
Architecture
- Default behaviors
- Includes partitioning
- Web application firewalls are used
Applications and Operations
- Not Available
- Closed System
88. SACON
SDN IN YOUR ENTERPRISE
Plans for SDN
Concerns Regarding SDN
Addressing Those Concerns
Need
Practical
89. SACON
5G
What will it look like?
How will we use it?
What will the risks be?
90. SACON
WHAT WILL IT LOOK LIKE
Public and private infrastructure
Coupled and Decoupled data/control planes
Managed and Unmanaged nodes
Lots of Different Architectures
Traditional Hub/Spoke
Mesh Networks
Cloud Distributed
Hybrid Deployments
92. SACON
HOW WILL WE USE IT
Autonomous/Connected Vehicles
Sensor/Actuator Networks
Smart Grid
Robots and Drones
Personal Health
Augmented Reality
93. SACON
THE RISKS
Operational
Different (Incompatible) Implementations
Managing and Keeping Nodes Updated
Complying with Legal and Regulatory Frameworks
108. SACON
WORK WITH PROVIDERS
Additional Physical Layer Security
Radio-Frequency (RF) Fingerprinting
Asymmetric Security Schemes
Dynamic Changing Security
Host Identity Protocol (HIP) for radio interface key exchange
Backhaul encryption (Native)
Adoption of fiber ring network protection
109. SACON
WORK WITH PROVIDERS
More use of the cloud for C-RAN operations
Better compartmentalization within the cloud
Use of the above SDN countermeasures
More comprehensive data classification policies
110. SACON
NEW APPROACHES
SDN
Regulation of Traffic (Flash Network Traffic)
Facilitating NFV
Machine Learning
Within NFV
Both provider and customer use
112. SACON
SOME PREDICTIONS
Lots of Holes
Supply Chain Attacks
Mismatches Everywhere
Privacy Nightmare
Vulnerabilities in individual components will roll in …
Regulations will make it worse
Those building on top of what is offered will do the best!