This document discusses best practices for increasing app security, including using internal storage for sensitive data, encrypting any stored data, using HTTPS for network requests, pinning certificates to prevent man-in-the-middle attacks, and notifying users to update apps when security configurations change. It emphasizes that Android itself is not fully secure, but following guidelines like these can help make apps less vulnerable to abuse or tampering. The key recommendations are to prioritize data privacy, use encrypted network connections, pin certificates for authentication, and maintain the security of the app over time with updates.
Avoiding damage, shame and regrets: data protection for mobile client-server a... (Stanfy)
Prepared by Anastasiia, iOS Engineer at Stanfy for speaking at do {iOS} Amsterdam 2015.
We will talk a bit about avoiding snake oil, getting rid of cognitive biases when planning application security, and how to avoid becoming a cryptography professor when you only need to protect your app.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere: antivirus products, messengers, privacy tools, firewalls, and more.
This presentation will:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to fix those vulnz finally!
Certificate pinning trends perennially, coming to the fore with each new SSL hack. Security urges developers to implement pinning and many mobile apps do — some applying pinning to problems it doesn't solve while others do so entirely unnecessarily.
Taking a perspective useful to both developers and testers, this presentation highlights the threats that pinning can tackle and covers the tradeoffs inherent in pinning decisions. The presentation explores several flaws found in real applications and describes changes introduced in recent Android versions.
Expect to leave understanding common implementation mistakes, common misconceptions and key subtleties of pinning that may in fact decrease security or impose undue complexity.
Techorama 2019 - Azure Security Center Unleashed (Tom Janetscheck)
In cloud environments, management is increasingly distributed, attackers continue to innovate, and thus, cloud security management looks like mission impossible.
Join this session for a deep-dive into Azure Security Center, witness on-stage live attacks against an Azure environment and learn what you need to know in order to secure an Azure environment.
You successfully managed to treat your infrastructure as code. And your application config is kept in version control as well. Wait! What did you do with your DB passwords and API tokens? Secrets need special treatment to fully automate your deployment pipeline. In this talk, I will show you how.
Slide deck from my Jazoon TechDays presentation from 7 Sep 2019, recorded here: https://www.youtube.com/watch?v=Ip8eTPj3Jsk
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ... (Mary Racter)
Secret-based protocols are the most popular methods for establishing trust in authentication. Unfortunately, they are also one of the first attack surfaces to be probed when system compromise is attempted. Today’s digital services often focus on scalability, high-availability, and fault tolerance, leading to a shift towards microservices on cluster-based architectures. Secret management has evolved as well, leading to the development of cluster-compatible, open-source SM tools such as HashiCorp’s Vault. This talk is designed to help SecOps professionals leverage security concepts such as spatial and temporal attack surfaces, trust, and risk acceptance to secure their cluster credential management.
Automation Patterns for Scalable Secret Management (Mary Racter)
So you’ve scaled your app up to 1000 instances. Do they all share the same credentials for access to stateful resources? Then the attack surface for your stateful resources just got scaled up too. Automated secret management lets you focus on scaling up your app, not your risk of data compromise.
This talk aims to introduce some important considerations in attack surface management at scale, and provide some patterns and tips on integrating secret management workflows into Continuous Deployment infrastructure.
Kubernetes Secrets - The Good, The Bad, and The Ugly - Akeyless (Akeyless)
Oded Hareven, CEO & co-founder of Akeyless, discusses how Kubernetes secrets management is done today and how to do secrets management better.
Learn more about Akeyless Vault Platform for secrets management: https://www.akeyless.io/product-secrets-management/
Watch the video here: https://www.youtube.com/watch?v=hvUuYWXGSJM
Secrets management has come a long way - from simple credentials kept in code to KMS tools to privileged access management and then secrets vaults. Digital transformation is still a thing in 2021, and since we’re all using multiple clouds, Kubernetes, and moving towards microservices and serverless architectures, the right tool for the right job is that much more important, especially when it comes to securing your infrastructure and applications.
This talk will discuss some of the history of the movement toward best practices in password, token, key, and credential management, including HSMs, KMSs, PAMs, and PKI management. Finally, it will cover how secrets management became a must for DevOps and security teams of all enterprises, and why the right tool needs to be cloud-agnostic, cloud-native, able to integrate with any DevOps pipeline, and infinitely scalable.
Container deployments in Kubernetes clusters create both familiar and new security challenges. Given the ephemeral nature of containers and the speed and agility goals of microservices architecture, early detection of potential risks and early discovery of viable threats yield the best security outcomes.
Successfully addressing the Kubernetes security challenges requires integrating security into each phase of the container lifecycle: build, deploy, and run.
This webinar will shed light on how to:
* Stay on top of ongoing Kubernetes hygiene by hardening your nodes and employing best practices
* Implement role-based access control of users
* Manage Kubernetes Secrets
* Thwart an attack, with a live demo
An overview of the Node.JS platform from a security perspective. Offers guidance on how to secure node apps, as well as ways to test them as an infosec professional. Presented at Rochester Security Summit 2015.
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302) (Amazon Web Services)
Only a year ago we launched AWS IoT, and at re:Invent we showed how AWS IoT makes it easy to secure millions of connected devices. However, we have learned from our customers that a number of unique security challenges for the Internet of Things (IoT) exist.
Strata London 2018: Multi-everything with Apache Pulsar (Streamlio)
Ivan Kelly offers an overview of Apache Pulsar, a durable, distributed messaging system, underpinned by Apache BookKeeper, that provides the enterprise features necessary to guarantee that your data is where it should be and only accessible by those who should have access. Ivan explores the features built into Pulsar that will help your organization stay in compliance with key requirements and regulations, such as multi-data-center replication, multi-tenancy, role-based access control, and end-to-end encryption. Ivan concludes by explaining why Pulsar’s multi-data-center story will alleviate headaches for the operations teams ensuring compliance with GDPR.
XP Days 2019: First secret delivery for modern cloud-native applications (Vlad Fedosov)
In this talk we’ll see how authentication and secrets delivery work in distributed containerized applications from the inside. We’ll start from the theory of security and go through topics like container auth roles, static and dynamic secrets, env vars and volumes for secret delivery, and Vault and K8S secrets. After this talk you’ll have an understanding of how to securely deploy your containerized workloads.
You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?
Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques are used by the early adopter cloud elite that give them distinct advantages.
It's time to re-think your organization’s processes and behaviors to demonstrate the latest efficiencies in your security operations.
In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.
This slide deck covers:
- How security will be integrated into the overall processes of development and deployment.
- How to tie security acceptance tests, a subset of your key security controls, right into the end of your functional testing process to promote builds with confidence at greater speed.
- How to be successful with API-enabled, continuous security tools in the cloud.
- How to operationalize security alarms, enabling world-class incident response and remediation capabilities.
Defcon23 From Zero to Secure in 1 Minute - Nir Valtman and Moshe Ferber (Moshe Ferber)
In the presentation, we plan to announce the full version of a new open source tool called "Cloudefigo" and explain how it enables an accelerated security lifecycle. We demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically, evaluating its security and mitigating vulnerabilities automatically if any are found. In the live demo, we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration and integrating encryption, including secure encryption key repositories for secure server communication. The result of those techniques is cloud servers that are resilient, automatically configured, and have a reduced attack surface.
From 0 to Secure in 1 Minute - Securing IaaS - Nir Valtman (EC-Council)
Recent hacks to IaaS platforms revealed that we need to master the attack vectors used: automation and API attacks, insecure instances, and management dashboards with wide capabilities. Those attack vectors are not unique to cloud computing, but they are magnified by the cloud's characteristics. The fact is that the IaaS instance lifecycle is accelerating; nowadays we can find servers that are installed, launched, process data and terminate, all within a range of minutes. This new accelerated lifecycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening, and forensics impossible. In this accelerated lifecycle there are no maintenance windows for patches or the ability to mitigate vulnerabilities, so the security infrastructure must adapt to new methods. In this new thinking, we require automation of instance security configuration, hardening, monitoring, and termination. Because there are no maintenance windows, servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, and vulnerability scanning and mitigation processes should be automatic.
In the presentation, Nir plans to introduce the open source tool called “Cloudefigo” and explain how it enables an accelerated security lifecycle. Nir will demonstrate how to launch a pre-configured, already patched instance into an encrypted storage environment automatically, evaluating its security and mitigating vulnerabilities automatically if any are found. In the demo, Cloudefigo will leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration and integrating encryption, including secure encryption key repositories for secure server communication. The result of those techniques is cloud servers that are resilient, automatically configured, and have a reduced attack surface.
You automated your deployment, elasticized your workloads, and dynamically provisioned your fleet. What do you do next?
Tackle automating your security needs using the latest capabilities in the cloud! There’s no single path to building an automated and continuous security architecture that works for every organization, but certain key principles and techniques are used by the early adopter cloud elite that give them distinct advantages. It's time to re-think your organization’s processes and behaviors to demonstrate the latest efficiencies in your security operations. In this webinar, learn how Intuit implements cloud security automation with Evident.io and other innovative cloud technologies.
Join us to learn:
• How security will be integrated into the overall processes of development and deployment.
• How to tie security acceptance tests, a subset of your key security controls, right into the end of your functional testing process to promote builds with confidence at greater speed.
• How to be successful with API-enabled, continuous security tools in the cloud.
• How to operationalize security alarms, enabling world-class incident response and remediation capabilities.
Slide 13:
```java
import android.content.Intent;

// Decompiled output: class, field and method names have been shortened to
// single letters by the obfuscator, so the code reveals little about its purpose.
public abstract class e {
    private int a = -1;
    private String b = null;
    protected boolean k = false;

    // Abstract handler; concrete subclasses supply the behaviour.
    public abstract void a(Intent var1);

    public void run() {
        this.a((Intent) null);
    }

    protected final void a(String var1) {
        this.b = var1;
    }

    // Reset the state fields to their initial values.
    public final void c() {
        this.a = -1;
        this.b = null;
    }

    public final boolean d() {
        return this.k;
    }
}
```
Slide 16: TAMPERING DETECTION
Verify signing certificate at runtime
Verify the installer:
```java
String installer = context.getPackageManager()
        .getInstallerPackageName(context.getPackageName());
// null means the app was sideloaded rather than installed by a store
boolean fromPlayStore = installer != null
        && installer.startsWith("com.android.vending");
```
Check if app is debuggable (or run on emulator)
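The three checks on this slide combined into one runtime routine, as an added example that is not code from the deck. The expected certificate hash is a placeholder to be replaced with the release certificate's SHA-256, and the emulator heuristics based on android.os.Build are my assumptions, not something the slide lists.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not code from the deck): the three runtime tampering checks
 * from the slide, plus an emulator heuristic, collected into one class.
 * Each check returns a boolean; run() lists every indicator that fired so the
 * app can decide how to react (refuse to run, degrade features, report).
 */
public final class TamperCheck {

    // PLACEHOLDER (assumption): hex SHA-256 of your release signing certificate.
    // Obtain it with: keytool -printcert -jarfile app-release.apk  (strip the colons)
    private static final String EXPECTED_CERT_SHA256_HEX =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Installer package name from the slide (Google Play).
    private static final String PLAY_STORE_INSTALLER = "com.android.vending";

    private TamperCheck() {}

    /** Runs every check; an empty list means no tampering indicator fired. */
    public static List<String> run(Context context) {
        List<String> reasons = new ArrayList<>();
        if (!signingCertMatches(context)) reasons.add("signing certificate mismatch");
        if (!installedFromPlayStore(context)) reasons.add("installer is not Google Play");
        if (isDebuggable(context)) reasons.add("application is debuggable");
        if (looksLikeEmulator()) reasons.add("device looks like an emulator");
        return reasons;
    }

    /** Slide check 1: hash the APK's signing certificate and compare with the pinned value. */
    @SuppressWarnings("deprecation") // GET_SIGNATURES; use GET_SIGNING_CERTIFICATES on API 28+
    static boolean signingCertMatches(Context context) {
        try {
            PackageInfo info = context.getPackageManager().getPackageInfo(
                    context.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // A repackaged APK is re-signed with a different key; anything other
            // than exactly our one release certificate is treated as a mismatch.
            if (sigs == null || sigs.length != 1) {
                return false;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            byte[] actual = toHex(digest).getBytes(StandardCharsets.US_ASCII);
            byte[] expected = EXPECTED_CERT_SHA256_HEX.getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(actual, expected);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // cannot verify: fail closed
        }
    }

    /** Slide check 2: the APK should have been installed by Google Play. */
    @SuppressWarnings("deprecation") // getInstallerPackageName is deprecated from API 30
    static boolean installedFromPlayStore(Context context) {
        String installer = context.getPackageManager()
                .getInstallerPackageName(context.getPackageName());
        // null means sideloaded (adb install, file manager, unknown source)
        return installer != null && installer.startsWith(PLAY_STORE_INSTALLER);
    }

    /** Slide check 3: a release build must never carry the debuggable flag. */
    static boolean isDebuggable(Context context) {
        return (context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Emulator heuristics from android.os.Build (assumption: indicative, not exhaustive). */
    static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.startsWith("unknown")
                || Build.MODEL.contains("google_sdk")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for x86")
                || "goldfish".equals(Build.HARDWARE)   // classic emulator kernel
                || "ranchu".equals(Build.HARDWARE);    // newer emulator kernel
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

Call `TamperCheck.run(getApplicationContext())` early in `Application.onCreate()`; on a device these checks only raise the bar, since an attacker who repackages the APK can also patch them out, which is why the deck pairs them with server-side checks.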