This talk is an introduction to Secure Coding for Java. Through a series of examples it presents the good practices that let you build a secure Java application pragmatically. We will cover both functional practices and snippets of flawed Java code together with their fixes.
This document provides an introduction to secure coding for Java applications presented by Sebastien Gioria to the Java User Group in Poitou-Charentes, France. The presentation covers the importance of application security, current state and goals, using OWASP materials to secure code, and secure coding principles. It highlights statistics on application vulnerabilities from Verizon and WhiteHat Security reports and addresses common misconceptions about application security.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The DevSecOps Builder’s Guide to the CI/CD Pipeline, by James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
The Emergent Cloud Security Toolchain for CI/CD, by James Wickett
Security is in crisis and needs a new way forward. This talk, given at the Houston ISSA meeting in November 2018, discusses the tooling needed to rise to the demands of DevOps and DevSecOps.
All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler.
This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence.
From DeliveryConf 2020
Null Singapore - Mobile Security Essentials, by Sven Schleier
This document summarizes a presentation on mobile security testing given by Sven Schleier and Ryan Teoh. It discusses the OWASP Mobile Security Project, including the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG). The MASVS defines security best practices for mobile apps, while the MSTG provides a manual for testing mobile app security. The presentation demonstrates techniques for bypassing SSL pinning and extracting Android keys using Frida during dynamic analysis. It highlights challenges around assessing anti-reversing defenses and the need for practical reverse engineering skills in mobile security testing.
Escape the defaults - Configure Sling like AEM as a Cloud Service, by Robert Munteanu
AEM as a Cloud Service uses the same battle-tested core of Sling, Felix and Jackrabbit Oak that you are used to. Many of the large-scale architectural changes, such as container-based deployments, separation of code and content, and horizontal and vertical scaling, are made possible by a host of reimplementations of APIs exposed by the open-source projects that serve as the foundation of AEM.
In this talk we will explore a number of such extensions and their implications, such as Oak's principal-based authorization, getting up and running with the composite node store, or indexing in a separation of content and apps scenario.
After this talk participants will have a better understanding of various under-the-hood changes present in AEM as a Cloud Service and their practical implications for AEM development. They will also be able to set up their own tweaked Sling instance so they can experiment with such a setup.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talk and demo are relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) for embracing DevSecOps in a friction-free, no-cost manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes is too short for attendees to work hands-on, the following will be required to follow along
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
The document discusses advanced deployment strategies including canary releases, deployment rings, and dark launching. It defines canary releases as deploying a new version to a subset of infrastructure initially without routing live traffic to it. Benefits include reducing risk and allowing capacity testing in production. The document reviews how to implement canary releases by routing a percentage of users to the new version while monitoring for issues before routing all users. It also discusses using deployment rings to gradually rollout changes and limit impact, as well as dark launching where new code is executed silently before a full launch.
These slides help the reader understand how Docker works and what benefits it brings to people who are either working in the DevOps field or transitioning into it. We look at how to containerize an Angular app using Docker, how the monolithic approach differs from microservices, and the pros and cons of each.
How to build observability into Serverless (O'Reilly Velocity 2018), by Yan Cui
The document discusses challenges with observability in serverless applications and proposes solutions. Some key challenges include not having access to the underlying OS, nowhere to install agents/daemons, no background processing, higher concurrency to telemetry systems, and high chance of data loss if batching logs and metrics. The document covers solutions for logging, monitoring, and distributed tracing in serverless environments using services like CloudWatch Logs, API Gateway, and X-Ray.
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
This document summarizes a presentation about advanced deployment strategies including canary releases, deployment rings, and dark launches. The presentation covers:
- How canary releases work by deploying a new version to a subset of infrastructure initially before gradually routing more users to it while monitoring for issues
- Key considerations for canary releases like ensuring a consistent user experience and having a rollback path
- How deployment rings limit impact on users by gradually deploying and validating changes in production rings
- Dark launches where new code is executed silently before a full launch to test infrastructure changes before high traffic
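The canary mechanics described in the two deployment-strategy summaries above (route a small share of users to the new version, keep each user on one version for a consistent experience, watch for issues, and keep a rollback path) are illustrated by the following added example. It is not code from the slides: the rollout schedule, the 2% error threshold, the 100-request sample floor and the constructed traffic are all assumptions made for the example.

```python
"""Canary release router: hash-based user bucketing, health monitoring, rollback.

Added example illustrating the canary pattern; not code from the slides.
ROLLOUT_STEPS, MAX_CANARY_ERROR_RATE and MIN_SAMPLES are assumed values.
"""
import hashlib

ROLLOUT_STEPS = (1, 5, 25, 50, 100)   # assumed schedule: percent of users on the canary
MAX_CANARY_ERROR_RATE = 0.02          # assumed absolute rollback threshold
MIN_SAMPLES = 100                     # assumed: never judge the canary on fewer requests


class CanaryRouter:
    """Routes each user deterministically to the stable or the canary version."""

    def __init__(self, stable_version):
        self.stable = stable_version
        self.canary = None            # version under test; None when no rollout is active
        self.percent = 0              # share of users currently routed to the canary
        self._step = 0
        self._reset_stats()

    def _reset_stats(self):
        # [requests, errors] per arm, collected since the last promotion
        self.stats = {"stable": [0, 0], "canary": [0, 0]}

    def start_rollout(self, new_version):
        """Stage new_version on a subset of infrastructure; no live traffic yet."""
        self.canary = new_version
        self.percent = 0
        self._step = 0
        self._reset_stats()

    def bucket(self, user_id):
        """Stable 0..99 bucket per (rollout, user): a user keeps seeing the same
        version during a rollout, and a later rollout samples different users."""
        digest = hashlib.sha256(f"{self.canary}:{user_id}".encode()).digest()
        return int.from_bytes(digest[:4], "big") % 100

    def route(self, user_id):
        if self.canary is not None and self.bucket(user_id) < self.percent:
            return self.canary
        return self.stable

    def record(self, version, ok):
        """Feed a request outcome back so advance() can judge canary health."""
        arm = "canary" if self.canary is not None and version == self.canary else "stable"
        self.stats[arm][0] += 1
        if not ok:
            self.stats[arm][1] += 1

    def error_rate(self, arm):
        requests, errors = self.stats[arm]
        return errors / requests if requests else 0.0

    def rollback(self):
        """Rollback path: drop the canary; every user is back on stable at once."""
        self.canary, self.percent, self._step = None, 0, 0
        return "rolled_back"

    def advance(self):
        """Promote to the next step, complete the rollout, or roll back.
        Returns 'promoted', 'completed', 'rolled_back' or 'waiting'."""
        if self.canary is None:
            return "completed"
        if self.percent > 0:
            if self.stats["canary"][0] < MIN_SAMPLES:
                return "waiting"
            # roll back only if the canary is worse than both the absolute
            # threshold and the stable baseline measured over the same window
            if self.error_rate("canary") > max(MAX_CANARY_ERROR_RATE, self.error_rate("stable")):
                return self.rollback()
        if self.percent >= 100:
            self.stable, self.canary, self.percent = self.canary, None, 0
            return "completed"
        self.percent = ROLLOUT_STEPS[self._step]
        self._step += 1
        self._reset_stats()
        return "promoted"


def run_traffic(router, user_ids, canary_failure_percent, stable_failure_percent=0):
    """Constructed traffic: one request per user; failures are injected by a
    second hash so every run is reproducible (assumed fault model)."""
    for uid in user_ids:
        version = router.route(uid)
        on_canary = router.canary is not None and version == router.canary
        failure_percent = canary_failure_percent if on_canary else stable_failure_percent
        fault = int.from_bytes(hashlib.sha256(f"fault:{uid}".encode()).digest()[:4], "big") % 100
        router.record(version, ok=fault >= failure_percent)


def rollout(new_version, canary_failure_percent, users=range(50_000)):
    """Drive a whole rollout; returns the router and its (percent, status) history."""
    router = CanaryRouter("v1.0")
    router.start_rollout(new_version)
    history = []
    while True:
        status = router.advance()
        history.append((router.percent, status))
        if status in ("completed", "rolled_back"):
            return router, history
        run_traffic(router, users, canary_failure_percent)


if __name__ == "__main__":
    for failure in (0, 10):
        router, history = rollout("v1.1", canary_failure_percent=failure)
        print(f"canary failing {failure}% of requests: {history[-1][1]}, now serving {router.stable}")
```

Bucketing on a hash of the user id rather than on a random draw per request is what gives the consistent experience: the same user is never bounced between versions mid-session. Comparing the canary against the stable arm over the same window avoids rolling back because of a platform-wide incident that the new version did not cause.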
Cloud-powered Continuous Integration and Deployment architectures - Jinesh Varia, Amazon Web Services
The presentation will discuss some architectural patterns in continuous integration, deployment and optimization and I will share some of the lessons learned from Amazon.com.
The goal of the presentation is to convince you that if you invest your time where you get the maximum learning from your customers, automate everything else in the cloud (CI + CD + CO), you get fast feedback and will be able to release early, release often and recover quickly from your mistakes. Dynamism of the cloud allows you to increase the speed of your iteration and reduce the cost of mistakes so you can continuously innovate while keeping your cost down.
Learn all the tricks of the trade that penetration testers use to practice their skills, test out new attacks, and prepare for upcoming penetration tests. Joe will be covering things like:
Pentester Tips
- How to keep up with the latest vulnerabilities and exploits
- Deciding what types of vulnerabilities to put in the network
- Deciding how to design the network
- Deciding what defensive measures to put into the network
Hardware Tips
- Should you use an old machine/old laptop
- Should you build a whitebox for this
- What types of hardware should you buy
Software Tips
- Where do you get all of the operating systems from
- Where do you get all of the vulnerable applications from
VMWare Tips
- Creating linked clones in ESXi
- Deploying Snort or Suricata in ESXi
- vSwitch features that you may want to use in your environment
VirtualBox Tips
- Building and running VirtualBox headless with phpVirtualBox
- Creating backups and clones of running VMs in VirtualBox
- Using raw devices to create a VirtualBox VM
- Setting up a serial port between VirtualBox VMs
- Taking screenshots of VirtualBox VMs
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
The Emergent Cloud Security Toolchain for CI/CD, by James Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means, without all the hype.
Devoxx France 2013 Cloud Best Practices, by Eric Bottard
- Cloud best practices include automating database migrations, avoiding vendor lock-in, treating all environments identically, and using frequent deployments to upgrade applications with zero downtime.
- Other best practices are to limit HTTP traffic, have no file system, strive for statelessness, automate scaling in a targeted and custom way, and achieve loose coupling between components.
- Blue/green deployments allow rolling out new application versions without downtime by routing traffic between two identical environments running different versions. Automated testing of new versions on a subset of users is also recommended.
Java Insecurity: How to Deal with the Constant Vulnerabilities, by Lumension
Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling.
Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment.
One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including:
Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints.
Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs.
Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure.
Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible.
Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is?
Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a 3rd party solution that can perform centralized patch management and remediation, and that’s where our sponsor, Lumension, will come in.
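The Identification step above suggests using Process Tracking and File Access events from the Windows Security Log to learn which Java installs are actually used, by whom and by which programs, so that the Disabling step can target the rest. The following added example, which is not from the webinar, does that over a handful of constructed events. It assumes the events of interest are 4688 (process creation, with NewProcessName, SubjectUserName and CreatorProcessName) and 4663 (object access, with ObjectName and ProcessName), that they have been exported to dictionaries keyed by those field names, and that Java lives in the default <install>\bin\<file> layout. The inventory list stands in for the output of the Assessment step.

```python
"""Which Java installs are really used, by whom and by what, from Security Log events.

Added example, not from the webinar. SAMPLE_EVENTS and INVENTORY are constructed;
the event IDs and field names are those of Windows Security events 4688 and 4663.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

JAVA_EXES = {"java.exe", "javaw.exe", "javaws.exe"}

# Constructed sample events shaped like 4688 (process creation) and 4663
# (object access) records after export from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Program Files\Java\jre1.8.0_45\bin\javaw.exe",
     "CreatorProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files (x86)\Java\jre7\bin\java.exe",
     "CreatorProcessName": r"C:\Apps\LegacyERP\erp.exe"},
    {"EventID": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CreatorProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "SubjectUserName": "carol",
     "ObjectName": r"C:\Program Files (x86)\Java\jre7\bin\jp2iexp.dll",
     "ProcessName": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"},
    {"EventID": 4663, "SubjectUserName": "bob",
     "ObjectName": r"C:\Users\bob\Documents\notes.txt",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

# Constructed inventory as the Assessment step would produce it (e.g. from a
# scan of Program Files or the Uninstall registry key).
INVENTORY = [
    r"C:\Program Files\Java\jre1.8.0_45",
    r"C:\Program Files (x86)\Java\jre7",
    r"C:\Program Files\Java\jdk1.7.0_21",
]


def java_install_for(path):
    """Return the Java install root that `path` lives under, or None.

    Assumes the default layout <root>\bin\<file> with <root> named jre* or jdk*.
    A JDK's private JRE (jdk...\jre\bin) is reported as that inner jre directory."""
    p = PureWindowsPath(path)
    root = p.parent.parent
    if p.parent.name.lower() == "bin" and root.name.lower().startswith(("jre", "jdk")):
        return str(root)
    return None


def summarise_java_usage(events):
    """Map each used Java install to the users, launching processes (4688
    CreatorProcessName) and consuming processes (4663 ProcessName) seen."""
    usage = defaultdict(lambda: {"users": set(), "launchers": set(), "consumers": set()})
    for ev in events:
        if ev["EventID"] == 4688:
            exe = ev["NewProcessName"]
            if PureWindowsPath(exe).name.lower() not in JAVA_EXES:
                continue
            root = java_install_for(exe)
            if root is None:
                continue
            usage[root]["users"].add(ev["SubjectUserName"])
            usage[root]["launchers"].add(ev["CreatorProcessName"])
        elif ev["EventID"] == 4663:
            root = java_install_for(ev["ObjectName"])
            if root is None:
                continue
            usage[root]["users"].add(ev["SubjectUserName"])
            usage[root]["consumers"].add(ev["ProcessName"])
    return dict(usage)


def removal_candidates(inventory, usage):
    """Installs present on the endpoint with no recorded use: candidates for
    removal, or for disabling for the roles that never touched them."""
    used = {root.lower() for root in usage}
    return [root for root in inventory if root.lower() not in used]


if __name__ == "__main__":
    usage = summarise_java_usage(SAMPLE_EVENTS)
    for root, rec in usage.items():
        print(root)
        for kind in ("users", "launchers", "consumers"):
            print(f"  {kind}: {sorted(rec[kind])}")
    print("unused installs:", removal_candidates(INVENTORY, usage))
```

Two practical caveats: 4688 only carries the creator process name on Windows 10 / Server 2016 and later, and 4663 only fires for files that have a SACL, so an object-access audit rule on the Java directories has to be in place before this data exists. On the sample data the jre7 install shows up both as launched by the ERP client and as loaded into Internet Explorer, which is exactly the dependency you want to know about before disabling it.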
Keeping security top of mind while creating standards for engineering teams that follow the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to act as the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples a DevOps team can implement for free.
This document provides an overview of Backstage, an open source developer portal created by Spotify, and Tanzu Application Platform (TAP), VMware's implementation of a developer portal based on Backstage. It discusses VMware's commitment to open source, the motivation for developer portals, key features of Backstage like documentation, APIs and plugins, and how TAP extends Backstage with additional capabilities for supply chain management, security analysis and application accelerators.
Presented at All Things Open RTP Meetup
Presented by Jarrod Overson, CTO at Candle
Title: WebAssembly & Zero Trust for Code
Abstract: Zero Trust eliminated the notion that users, devices, or service could be inherently trusted within your company's network. Yet for some reason we default to trusting the dozens to even thousands of dependencies we import into our applications. These dependencies adopt the same privileges and access as the parent application and are prime targets for attackers. Malicious actors repeatedly seek and take over popular dependencies to gain a foothold into companies. This is not fear mongering, this is happening today. Millions of people – including our speaker – have unknowingly downloaded and run malicious code as part of their normal developer activities.
This is a difficult problem without obvious solutions. WebAssembly gives us a new way of thinking about it. In this talk, Jarrod Overson illustrates how WebAssembly changes the game and can make our applications more secure while improving performance, reusability, and maintainability both on and off the browser.
This document discusses continuous delivery, which aims to build, test, and release software faster through frequent integration and deployment. The goals are quality, speed, and reducing the time it takes to deploy changes from development to production through practices like test-driven development, continuous integration, automated testing, and deployment pipelines. It provides an overview of tools to support continuous delivery processes.
App sec in the time of docker containers, by Akash Mahajan
A look at how application security needs to evolve to keep up with applications that are containerised. Delivered first at c0c0n 2016, the audience got a ready checklist to go with the talk.
Nashik's top web development company, Upturn India Technologies, crafts innovative digital solutions for your success. Partner with us and achieve your goals
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr..., by XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
Similar to Secure Software Ecosystem Teqnation 2024
Null singapore - Mobile Security EssentialsSven Schleier
This document summarizes a presentation on mobile security testing given by Sven Schleier and Ryan Teoh. It discusses the OWASP Mobile Security Project, including the Mobile Application Security Verification Standard (MASVS) and Mobile Security Testing Guide (MSTG). The MASVS defines security best practices for mobile apps, while the MSTG provides a manual for testing mobile app security. The presentation demonstrates techniques for bypassing SSL pinning and extracting Android keys using Frida during dynamic analysis. It highlights challenges around assessing anti-reversing defenses and the need for practical reverse engineering skills in mobile security testing.
Escape the defaults - Configure Sling like AEM as a Cloud ServiceRobert Munteanu
AEM as a Cloud Service is using the same battle-tested core of Sling, Felix and Jackrabbit Oak that you are used to. Many of the large-scale architectural changes, such as container-based deployments, separation of code and content, horizontal and vertical scaling, etc, are made possible by a host of reimplementations of APIs exposed by the open-source projects that serve as the foundation of AEM.
In this talk we will explore a number of such extensions and their implications, such as Oak's principal-based authorization, getting up and running with the composite node store, or indexing in a separation of content and apps scenario.
After this talk participants will have a better understanding of various under-the-hood changes present in AEM as a Cloud Service and their practical implications for AEM development. They will also be able to set up their own tweaked Sling instance so they can experiment with such a setup.
Akash Mahajan, Appsecco
Ansible offers a flexible approach to building a SecOps pipeline. System hardening can become just another software project. Using it we can do secure application deployment, configuration management and continuous monitoring. Security can be codified & attack surfaces reduced by using Ansible.
Who is this talk for?
This talks and demo is relevant and useful for any practitioner of DevSecOps.
It introduces the concepts of declarative security
Showcases one of the tools (Ansible) to embrace DevSecOps in a friction free no expense required manner
Implements security architecture principles using a structured language (YAML) as part of the framework (playbooks) which is ‘Infrastructure As Code’
Gives a clear roadmap on how to find the best practices for security hardening
Covers how continuous monitoring can be applied for security
Technical Requirements
While 30 minutes short for letting attendees do hands-on, the following will be required
- A modern Linux distribution with Python and Ansible installed
- Basic idea of running commands on the Linux command line
The document discusses advanced deployment strategies including canary releases, deployment rings, and dark launching. It defines canary releases as deploying a new version to a subset of infrastructure initially without routing live traffic to it. Benefits include reducing risk and allowing capacity testing in production. The document reviews how to implement canary releases by routing a percentage of users to the new version while monitoring for issues before routing all users. It also discusses using deployment rings to gradually rollout changes and limit impact, as well as dark launching where new code is executed silently before a full launch.
These slides help the reader understand how docker works and what benefits this brings to people how are either working in the devops field or making a transition here. We look at here how to containerize angular app using docker and how monolithic approach differ from micro services and see the pros and cons of it.
How to build observability into Serverless (O'Reilly Velocity 2018)Yan Cui
The document discusses challenges with observability in serverless applications and proposes solutions. Some key challenges include not having access to the underlying OS, nowhere to install agents/daemons, no background processing, higher concurrency to telemetry systems, and high chance of data loss if batching logs and metrics. The document covers solutions for logging, monitoring, and distributed tracing in serverless environments using services like CloudWatch Logs, API Gateway, and X-Ray.
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
This document summarizes a presentation about advanced deployment strategies including canary releases, deployment rings, and dark launches. The presentation covers:
- How canary releases work by deploying a new version to a subset of infrastructure initially before gradually routing more users to it while monitoring for issues
- Key considerations for canary releases like ensuring a consistent user experience and having a rollback path
- How deployment rings limit impact on users by gradually deploying and validating changes in production rings
- Dark launches where new code is executed silently before a full launch to test infrastructure changes before high traffic
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaAmazon Web Services
The presentation will discuss some architectural patterns in continuous integration, deployment and optimization and I will share some of the lessons learned from Amazon.com.
The goal of the presentation is to convince you that if you invest your time where you get the maximum learning from your customers, automate everything else in the cloud (CI + CD + CO), you get fast feedback and will be able to release early, release often and recover quickly from your mistakes. Dynamism of the cloud allows you to increase the speed of your iteration and reduce the cost of mistakes so you can continuously innovate while keeping your cost down.
Learn all the tricks of the trade that penetration testers use to practice their skills, test out new attacks, and prepare for upcoming penetration tests. Joe will be covering things like:
Pentester Tips
- How to keep up with the latest vulnerabilities and exploits
- Deciding what types of vulnerabilities to put in the network
- Deciding how to design the network
- Deciding what defensive measures to put into the network
Hardware Tips
- Should you use an old machine/old laptop
- Should you build a whitebox for this
-What types of hardware should you buy
Software Tips
- Where do you get all of the operating systems from
- Where do you get all of the vulnerable applications from
VMWare Tips
- Creating linked clones in ESXI
- Deploying Snort or Surricata in ESXI
- vSwitch features that you may want to use in your environment
VirtualBox Tips
- Building and running VirtualBox Headless with PHPVirtualbox
- Creating Backups and clones of running VMs in VirtualBox
- Using raw devices to create a Virtualbox VM
- Setting up a serial port between VirtualBox VMs
- Taking screenshots of VirtualBox VMs
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
The Emergent Cloud Security Toolchain for CI/CD, by James Wickett
The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Learning Objectives:
1: Learn the emerging patterns for security in CI/CD pipelines.
2: Receive a pragmatic security toolchain for CI/CD to use in your organization.
3: Understand what DevSecOps really means, without all the hype.
Devoxx France 2013 Cloud Best Practices, by Eric Bottard
- Cloud best practices include automating database migrations, avoiding vendor lock-in, treating all environments identically, and using frequent deployments to upgrade applications with zero downtime.
- Other best practices are to limit HTTP traffic, have no file system, strive for statelessness, automate scaling in a targeted and custom way, and achieve loose coupling between components.
- Blue/green deployments allow rolling out new application versions without downtime by routing traffic between two identical environments running different versions. Automated testing of new versions on a subset of users is also recommended.
Java Insecurity: How to Deal with the Constant Vulnerabilities, by Lumension
Just over a decade ago, the outcry over Microsoft’s security problems reached such a deafening level that it finally got the attention of Bill Gates, who wrote the famous Trustworthy Computing memo. Today, many would say that Microsoft leads the industry in security and vulnerability handling.
Now, it’s Java that’s causing the uproar. But has Oracle learned anything from Microsoft in handling these seemingly ceaseless problems? I’ll start by reviewing the wide-ranging Java security changes Oracle is promising to make. They sound so much like the improvements Microsoft made back with Trustworthy Computing that I’m amazed it hasn’t been done before! We’ll move on to discuss what you can do now to address Java security in your environment.
One of the banes of security with Java is the presence of multiple versions of Java, often on the same computer. Sometimes you really need multiple versions of Java to support applications with version dependencies (crazy, I know). But other times, multiple copies of Java are there “just because.” In this webinar, we’ll talk about the current Java mess and how you can get out of it, including:
Assessment. We’ll discuss ways and tools for cataloging what versions of Java are actually out there on your endpoints.
Identification. We’ll look at methods for identifying which versions are actually required by your users; for instance, I’ll show you how you might use Process Tracking and File Access events in the Windows Security Log to see which Java files are being accessed, by whom, and by which programs.
Disabling. Can you just disable Java? Maybe not for everyone, but what if you could disable it for certain roles within your company that make up 25% – or even 75% – of your workforce? That would be worth it. We’ll explore how you might go about such a measure.
Hardening. We’ll dive into the technical details of hardening Java and reducing your Java attack surface, where possible.
Filtering. Another way to reduce your Java risk is by filtering Java content at your gateway. Again not full coverage control – but what is?
Patching. Then, we’ll delve into the Java patching nightmare. Depending on self-updaters on each endpoint, it could be a recipe for disaster, and I’ll explain why. Basically the only way out of the Java mess is a third-party solution that can perform centralized patch management and remediation, and that’s where our sponsor, Lumension, will come in.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to be the developer advocate by showing the quality of development work. We will cover some high-level topics of DevSecOps and demo some examples DevOps teams can implement for free.
This document provides an overview of Backstage, an open source developer portal created by Spotify, and Tanzu Application Platform (TAP), VMware's implementation of a developer portal based on Backstage. It discusses VMware's commitment to open source, the motivation for developer portals, key features of Backstage like documentation, APIs and plugins, and how TAP extends Backstage with additional capabilities for supply chain management, security analysis and application accelerators.
Presented at All Things Open RTP Meetup
Presented by Jarrod Overson, CTO at Candle
Title: WebAssembly & Zero Trust for Code
Abstract: Zero Trust eliminated the notion that users, devices, or services could be inherently trusted within your company's network. Yet for some reason we default to trusting the dozens to even thousands of dependencies we import into our applications. These dependencies adopt the same privileges and access as the parent application and are prime targets for attackers. Malicious actors repeatedly seek out and take over popular dependencies to gain a foothold into companies. This is not fear mongering; this is happening today. Millions of people, including our speaker, have unknowingly downloaded and run malicious code as part of their normal developer activities.
This is a difficult problem without obvious solutions. WebAssembly gives us a new way of thinking about it. In this talk, Jarrod Overson illustrates how WebAssembly changes the game and can make our applications more secure while improving performance, reusability, and maintainability both on and off the browser.
This document discusses continuous delivery, which aims to build, test, and release software faster through frequent integration and deployment. The goals are quality, speed, and reducing the time it takes to deploy changes from development to production through practices like test-driven development, continuous integration, automated testing, and deployment pipelines. It provides an overview of tools to support continuous delivery processes.
App sec in the time of docker containers, by Akash Mahajan
A look at how application security needs to evolve to keep up with applications that are containerised. Delivered first at c0c0n 2016, the audience got a ready checklist to go with the talk.
4. We are living in an insecure world; everything is likely to get exploited. We could be the next target. Are we ready?
5. 30% of all downloads of Log4j are still vulnerable to the Log4Shell vulnerability, 2 years after release. Reported by Sonatype (Maven Central).
Previous update: https://www.sonatype.com/en/press-releases/critical-log4j-vulnerability-still-being-downloaded-40-of-the-time
6. WHY WE ARE HERE
SECURITY ENGINEER
DEVIL
DEVELOPER
7. WHO WE ARE
SECURITY ENGINEER
DEVELOPER
Ali Yazdani
Soroosh Khodami
+10 Years of Software Development Experience
Researcher in Software Supply Chain Security
Solution Architect at Rabobank via Code Nomads
+10 Years of Security Experience
Principal Security Engineer @ Scoutbee
OWASP DevSecOps Guideline Project Lead
@SorooshKh
linkedin.com/in/sorooshkhodami
ASecurityEngineer.com @asecengineer linkedin.com/in/aliyazdani
11. Dependency Confusion
Diagram: the Source Code depends on mycompany-ui-component. Version 1.2.5 lives in the Private Repository, while a second mycompany-ui-component at version 6.6.6 is published outside it. Which one gets resolved? ("?")
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
16. Supply Chain Protection Best Practices
- Reserve Namespace / Scope / Prefix
- Version Pinning: No Latest or Range
- Immutable Versions
- Package Integrity Check
- Using SCA Tools
- Using Dependency Firewall
- Official Repositories
- Keep Dependencies Up to Date
- Clean Up Unused Libraries
(The slide ranks these practices as MUST / GOOD / NICE.)
Read More
• How it started - https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
• https://xygeni.io/blog/lack-of-version-pinning-and-dependency-confusion/
• https://github.blog/2021-02-12-avoiding-npm-substitution-attacks/
• https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
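Three of the practices on this slide (Reserve Namespace / Scope / Prefix, Version Pinning with no latest or range, and Package Integrity Check) can be enforced with a small manifest audit. The following is an added example, not code from the talk or the speakers; the package names, version specifiers, artifact bytes and the `mycompany` organisation prefix and `@mycompany/` scope are all constructed for illustration:

```python
import hashlib
import re

# Constructed sample manifest (not from the slides). Keys are package names,
# values are version specifiers as written in an npm package.json; the same
# rules apply to Maven coordinates, where a range looks like "[1.0,2.0)".
SAMPLE_DEPS = {
    "@mycompany/ui-component": "1.2.5",   # under the reserved scope and pinned
    "mycompany-ui-component": "^6.6.6",   # unscoped internal name plus caret range
    "left-pad": "latest",                 # floating tag
    "lodash": "4.17.21",                  # pinned
    "express": ">=4.0.0 <5.0.0",          # range
    "internal-lib": "[1.0,2.0)",          # Maven-style range (constructed)
}

EXACT_VERSION = re.compile(r"\d+(\.\d+){1,3}(-[0-9A-Za-z.]+)?")
MAVEN_RANGE = re.compile(r"^[\[(].*[\])]$")
# Maven's LATEST/RELEASE meta-versions and npm's "latest"/"*" all float.
FLOATING = {"LATEST", "RELEASE", "*", ""}


def is_pinned(spec):
    """True only for an exact version such as 1.2.5 or 2.0.0-rc1."""
    spec = spec.strip()
    if spec.upper() in FLOATING or MAVEN_RANGE.match(spec):
        return False
    return EXACT_VERSION.fullmatch(spec) is not None


def audit_manifest(deps, org_prefix="mycompany", org_scope="@mycompany/"):
    """Return (package, rule) findings for two rules from the slide:
    Version Pinning and Reserve Namespace/Scope/Prefix."""
    findings = []
    for name, spec in deps.items():
        if not is_pinned(spec):
            findings.append((name, "UNPINNED"))
        # An internal-looking name that is not under the reserved scope can be
        # satisfied by a public registry instead: the dependency confusion case.
        if name.startswith(org_prefix) and not name.startswith(org_scope):
            findings.append((name, "UNSCOPED_INTERNAL"))
    return findings


def verify_integrity(downloaded, expected_sha256):
    """Package Integrity Check: compare fetched artifact bytes with the hashes
    recorded when the dependency was approved (a lock file plays this role).
    Returns the keys whose artifact is missing or does not match."""
    mismatched = []
    for key, expected in expected_sha256.items():
        blob = downloaded.get(key)
        if blob is None or hashlib.sha256(blob).hexdigest() != expected:
            mismatched.append(key)
    return sorted(mismatched)


# Constructed artifacts: hashes were recorded from the approved bytes; the
# lodash copy fetched later differs by one appended byte and must be rejected.
APPROVED = {
    "lodash@4.17.21": b"lodash 4.17.21 tarball (constructed)",
    "express@4.18.0": b"express 4.18.0 tarball (constructed)",
}
EXPECTED_SHA256 = {k: hashlib.sha256(v).hexdigest() for k, v in APPROVED.items()}
FETCHED = dict(APPROVED)
FETCHED["lodash@4.17.21"] = APPROVED["lodash@4.17.21"] + b"!"

if __name__ == "__main__":
    for pkg, rule in audit_manifest(SAMPLE_DEPS):
        print(f"{rule:18} {pkg}")
    print("integrity mismatch:", verify_integrity(FETCHED, EXPECTED_SHA256))
```

Running the audit in CI, before the dependency firewall or SCA tool is consulted, turns the slide's MUST items into a failing build rather than a review comment.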
17. When is security involved in software development?
The application development journey has already changed!
24. Software Bill of Materials (SBOM)
Dependencies: Components / Libraries, Licenses, Vulnerabilities, Suppliers
App Meta-Data: App Identifier, Authors
25. Which Application ?
Who to contact ?
How to Fix ?
How to detect ?
[Banner: LOG4SHELL]
CVE-2021-44228
CVSS Score 10 / 10
26. SBOM Management
SBOM In Practice: every App has its SBOM; Continuous Monitoring; ZERO DAY ALERT !
- Search Apps Based On Dependency or CVE: Which Applications ?
- Authors/Committers Information is Available: Who to Contact ?
- Continuous Monitoring on New SBOMs: Are we safe now ? (Realtime overview)
- Application Metadata: Prioritization on Fix
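The two SBOM slides above (which application, who to contact, how to detect) come down to a search over an inventory of SBOMs. The following is an added example, not code from the talk or the speakers: it builds three constructed, simplified CycloneDX-style SBOMs (only the fields the example reads are filled in), looks up which applications ship a component within a vulnerable version range, and returns the author e-mails recorded in each SBOM. The advisory record for CVE-2021-44228 is reduced to a single version range, and the version comparison ignores pre-release qualifiers; both are simplifications for the example.

```python
import json
import re

# Constructed, simplified CycloneDX-style SBOMs for three applications
# (not real project data). Only the fields this example reads are present.
SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "app-a", "version": "3.1.0"},
                     "authors": [{"name": "Alice", "email": "alice@example.com"}]},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.15.2"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "app-b", "version": "1.0.0"},
                     "authors": [{"name": "Bob", "email": "bob@example.com"}]},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "app-c", "version": "2.2.0"},
                     "authors": [{"name": "Carol"}]},   # no e-mail recorded
        "components": [
            {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.4.14"},
        ],
    }),
]

# Constructed advisory table used when the SBOM carries no vulnerabilities
# section: CVE -> (group, name, first vulnerable, first fixed). The Log4Shell
# range is simplified to [2.0, 2.15.0) for this example.
ADVISORIES = {
    "CVE-2021-44228": ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0"),
}


def _vtuple(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch)
    tuple. Simplified: parsing stops at the first non-numeric part."""
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple((nums + [0, 0, 0])[:3])


def load_inventory(sbom_documents):
    """Index SBOM JSON documents by the application name in their metadata."""
    inventory = {}
    for doc in sbom_documents:
        bom = json.loads(doc)
        inventory[bom["metadata"]["component"]["name"]] = bom
    return inventory


def apps_with_component(inventory, group, name, version_from=None, version_before=None):
    """Which applications? Names of apps containing group:name, optionally
    restricted to versions in [version_from, version_before)."""
    hits = []
    for app, bom in inventory.items():
        for c in bom.get("components", []):
            if c.get("group") != group or c.get("name") != name:
                continue
            v = _vtuple(c.get("version", "0"))
            if version_from and v < _vtuple(version_from):
                continue
            if version_before and v >= _vtuple(version_before):
                continue
            hits.append(app)
            break
    return sorted(hits)


def apps_affected_by(inventory, cve_id):
    """How to detect? Resolve a CVE to its component range and search."""
    group, name, v_from, v_before = ADVISORIES[cve_id]
    return apps_with_component(inventory, group, name, v_from, v_before)


def contacts_for(inventory, app):
    """Who to contact? Author e-mails recorded in the SBOM metadata."""
    authors = inventory[app]["metadata"].get("authors", [])
    return [a["email"] for a in authors if "email" in a]


def triage(inventory, cve_id):
    """Affected application -> contacts, the zero-day alert in one call."""
    return {app: contacts_for(inventory, app) for app in apps_affected_by(inventory, cve_id)}


if __name__ == "__main__":
    inv = load_inventory(SBOMS)
    print(triage(inv, "CVE-2021-44228"))
```

With the SBOMs regenerated on every build and re-indexed, the same `triage` call answers the "are we safe now?" question after each fix is deployed; an app whose authors have no e-mail on record (app-c here) shows where the metadata itself needs fixing.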
31. SBOM Generation – Java Ecosystem
Version +3.3
Read more
• OWASP DevSecOps Guideline https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
32. SBOM Generation - Docker
Read more
• OWASP DevSecOps Guideline - https://github.com/OWASP/DevSecOpsGuideline
• Securing the Supply Chain for Your Java Applications by THOMAS VITALE - https://www.youtube.com/watch?v=VM7lJ0f_xhQ
• https://earthly.dev/blog/docker-sbom/
46. Regulations
Read more
• NTIA - https://www.ntia.gov/page/software-bill-materials
• NIST - https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1+
• EU Cyber Resilience Act (CRA)
§ Executive Order 14028 on Improving the Nation’s Cybersecurity
§ DHS Software Supply Chain Risk Management Act
§ FDA Medical Device Cybersecurity Requirements
§ NIST SP 800-218
• DORA – EU Digital Operational Resilience Act (Financial Sector)
• GERMANY – TR-03183: SBOM Requirements for CRA
47. Regulations – CRA Timeline
NOW → Enter Into Force (2024 – Q2) → Deadline (2026 – Q1)
Read more
• https://medium.com/@bugprove/eu-cyber-resilience-act-cra-all-you-need-to-know-in-a-nutshell-b843d149e18a
48. Regulations – DORA Timeline
NOW → Enter Into Force → Deadline (2025 – Q1)
Read more
• https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
• https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en
49. Standards
Standard: ISO/IEC 27036 Cybersecurity — Supplier relationships
Frameworks: SLSA, Supply-chain Levels for Software Artifacts
SBOM Format Standards: Software Package Data Exchange (SPDX); CycloneDX (CDX)
Read more
• https://www.iso.org/standard/82905.html
• https://cyclonedx.org
• https://spdx.dev/
• https://slsa.dev/
50. Thanks for your attention
Please Rate This Talk in NLJUG App
If you have any other questions, you can reach out to us via Social Media
@SorooshKh linkedin.com/in/sorooshkhodami
@asecengineer linkedin.com/in/aliyazdani