In this webinar, 451 Research Director Wendy Nather and NT OBJECTives co-CEO and CTO Dan Kuykendall discuss how to scale your application security program to address hundreds or thousands of applications and how to avoid the common technology and process pitfalls.
More info and recording: http://www.ntobjectives.com/go/scaling-web-application-security-scanning
How to Hijack a Pizza Delivery Robot with Injection Flaws - Security Innovation
Welcome to the lighter side of the software security world!
We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).
Topics covered include:
- Injection Flaws
- XSS
- SQL Injection
- Broken Authentication
- Privilege Escalation
- Information Disclosure
- Parameter Tampering
- Configuration Errors
This webinar is ideal for anyone who wants to understand core Application Security concepts so they can apply risk mitigation strategies with better context.
Password weakness has been in the news again lately. But we have known for some time that passwords alone are not a good authentication or access control mechanism. Strong and practical authentication is very challenging. There are “strong” schemes, but they often don’t work well for users. Security practitioners are familiar with the 3 factors of authentication: something you know, something you have, and something you are. Each of these has fundamental flaws. I like to think of them as: something you forgot, something you lost, and something you were!
We will take a look at the current state of authentication, examine weaknesses in authentication factors, introduce the fourth factor of authentication and consider some solutions.
This document outlines the methodology for penetration testing, which involves footprinting, scanning, enumeration, gaining access, escalating privileges, covering tracks, and creating backdoors. It describes the various techniques and tools used at each stage of a penetration test, from initial information gathering to gaining full control of a system. The goal of penetration testing is to evaluate system security by simulating an attack from an unauthorized hacker, with approval from senior management, in order to identify vulnerabilities and increase security awareness.
The document discusses security as an ongoing process rather than a feature or checklist. It emphasizes that security requires thinking like a paranoid person and acknowledging that systems will eventually be hacked. The document provides steps to take such as knowing your data, users, and laws; making good security decisions; documenting everything; and practicing security processes. It also gives best practices for different security layers like input validation, authentication, authorization, and more. The overall message is that security requires constant attention and effort from all parties.
Keeping Secrets on the Internet of Things - Mobile Web Application Security - Kelly Robertson
This document summarizes an information security presentation about keeping secrets in the Internet of Things era. It discusses increasing vulnerabilities and dependencies, limitations of current security approaches, and motivations for lack of trust. It then covers secure software development best practices including threat modeling techniques. Lastly, it discusses solutions for organizations and end users, including encryption, authentication, firewalls, intrusion detection and more. Specific examples of security breaches like Heartbleed, Snapchat, and PlaceRaider are also summarized.
2019 FRSecure CISSP Mentor Program: Class Nine - FRSecure
This document summarizes a CISSP mentor program session from May 13, 2019. It discusses assessing access control and software testing methods. The session covers penetration testing methodology and tools, vulnerability testing, and security assessments. Penetration testing involves planning, reconnaissance, scanning, vulnerability assessment, exploitation, and reporting. Vulnerability scanning checks for issues like missing patches and configuration errors. Security assessments take a holistic approach to evaluating multiple controls across domains.
How to adapt the SDLC to the era of DevSecOps - Zane Lackey
This document discusses how to adapt application security practices to a DevSecOps environment where development happens much faster. It argues that security can no longer act as a gatekeeper and must instead focus on providing resources to make teams self-sufficient. Specifically, it recommends adapting controls like static analysis, dynamic scanning, security visibility and feedback to be more lightweight and continuous to keep up with the faster development cycles. The goal is to shift from exclusively preventing bugs to also obtaining continuous visibility into applications and refining security processes through real-time feedback.
2018 FRSecure CISSP Mentor Program Session 8 - FRSecure
This document summarizes key points from session #8 of a CISSP mentor program. It includes a quiz with multiple choice questions on firewalls, WAN protocols, wireless security protocols, and Bluetooth security. The session also covered access control models and authentication methods, focusing on passwords as a type 1 authentication method involving something you know. Password hashing, dictionary attacks, and brute force attacks were discussed as methods for cracking passwords.
Talk on threats to database security. The title is, of course, deadly serious. Wile E. Coyote & other experts on correctness & security are enlisted to help make key points.
This document summarizes a talk about lessons learned embracing DevOps and security. It discusses how security practices need to change in a DevOps world where changes happen much faster. Specifically, it argues that security must bake into the development process and provide visibility and feedback. It provides examples of using bug bounty programs and penetration testing to obtain better and more real-time feedback on security issues. The goal is to surface security data for everyone and help catch attacks more quickly through modern feedback loops that combine different testing approaches.
2019 FRSecure CISSP Mentor Program: Class Eleven - FRSecure
The document summarizes the notes from session 11 of a 2019 CISSP mentor program. It includes quizzes on topics like incident response backups, disaster recovery planning goals, and backup types. It also covers lectures on executive succession planning, disaster recovery plan approval, backups and availability options, software escrow, disaster recovery plan testing, and different types of disaster recovery plan tests.
FRSecure 2018 CISSP Mentor Program Session 10 - FRSecure
This document summarizes key points from a CISSP mentor program session. It discusses responding to signs of compromise during a penetration test, types of tests that can be done without source code access, and the most efficient penetration test approach. It also covers incident response methodology steps, operational preventative and detective controls like IDS/IPS and SIEM, asset management techniques like configuration hardening and vulnerability management.
Malware is software created to disrupt systems or steal information. This document discusses the malware lifecycle including development, deployment, detection, correction, and protection. It notes that malware creators range from organized crime to hackers and state actors. Their motivations include financial gain, espionage, and hacktivism. While advanced malware requires programming skills, malware kits allow less skilled users to cause damage. The document emphasizes that detecting and responding to malware is challenging for security teams due to the increasing sophistication and volume of malware.
This talk by Chris Grayson contains lots of information about how to enter the so-called "hackerspace." From mental approaches to books, movies, and other media to online courses and knowledge repositories, this presentation is intended to be the one-stop-shop for anyone trying to become a penetration tester.
The document discusses Netflix's approach to proactive security. It defines proactive security as anticipating and addressing security issues before they become problems through automation, intelligence, and continuous monitoring and improvement. Some key aspects of Netflix's proactive security program include using tools like Monterey to automatically discover and scan assets, the Simian Army to test resiliency, Dirty Laundry to find exposed assets, Security Monkey to monitor AWS changes, and sharing security knowledge and tools through open source projects. The document advocates for simplifying security to encourage developer adoption and continuously reevaluating approaches as environments change.
The document discusses evolving cybersecurity threats and how signature-based detection methods are limited against new threats. It introduces the concept of a next generation sandbox using CPU-level detection and emulation to identify exploits and unknown malware before evasion techniques can deploy. This sandbox analyzes files in isolation and reconstructs a safe copy if no infection is found, preventing zero-day attacks while maintaining visibility into attempted attacks.
2020 FRSecure CISSP Mentor Program - Class 10 - FRSecure
This document summarizes a CISSP mentor program session covering various topics:
1. The session reviewed chapters 1-3 of the curriculum and asked participants how many had read them and if they had any questions.
2. The presentation covered security models, incident response methodology, operational preventive and detective controls like IDS, honeypots, and asset/configuration management.
3. A quiz was given covering topics like appropriate responses during a penetration test and types of security tests. The session concluded with a discussion of vulnerability management and asset management principles.
Here are 3 ways to prevent SQL injection:
1. Use prepared statements with parameter binding instead of concatenating strings.
2. Validate all input and sanitize special characters.
3. White-list allowed characters instead of blacklisting dangerous ones.
The root cause is putting untrusted data directly into a SQL query. Always separate data and code to prevent injection attacks.
This document discusses building security controls around attack models to enable continuous validation of defenses. It recommends modeling real attack techniques to automatically test each security control as assets are deployed. An example attack on Target is described across stages of initial breach, privilege escalation, access to data stores, and exfiltration. Metrics like detection time and prevention effectiveness are suggested to measure security control performance. Implementing controls informed by relevant attack models is advocated to minimize organizational risk through a data-driven, continuous validation approach.
ELAN is a free, open-source multimedia annotation tool that allows users to annotate audio, video, and text files with synchronized tiers. It supports multiple tiers, participants, and languages. ELAN is currently working on new modes like interlinearization mode and Simple-ELAN for basic transcription. ELAN also integrates with some automatic annotation tools and web services to help with tasks like segmentation and labeling, while still primarily being a tool for manual annotation.
The document describes five professions that are in decline in the job market and the reasons for it. They are: 1) Technical salesperson, due to a lack of investment and opportunities; 2) People development specialist, for generating costs that companies want to avoid; 3) Organizational development professional, since it requires expanding activities; 4) Project manager, with the freezing of new projects; and 5) Project engineer, tied to investment and new projects in lower dem
This study examines the interactions between runners and the urban physical environment of Groningen, the Netherlands and how these interactions influence runners' perception, behavior, and route choices. A mixed methods approach was used, including a survey of 157 runners, GPS tracking of routes from 35 runners, and 3 run-along interviews. The GPS data showed varied routes throughout the city and landscape, with home location and intended distance determining the scope of routes. Runners reported both positive and negative experiences, with women and those in central neighborhoods reporting less positive experiences due to feelings of insecurity and more nuisances. Running routes were determined by criteria like presence of greenery, path quality, lighting, and safety, with insufficient lighting and safety concerns limiting
This curriculum vitae summarizes the academic and professional qualifications of Sandip Mahadev Dhavale. He is currently pursuing his PhD in electronic science from Fergusson College, Pune University. He has over 8 years of teaching experience and his areas of research interest include energy harvesting, wearable electronics, biomedical science, and renewable energy. He has published 16 papers in national and international journals and conferences on topics related to energy harvesting systems, wireless sensor networks, and wearable electronics.
The rarest ducklings in the world, the Madagascan Pochard, were hatched in captivity in 2009 after being rescued from their habitat. Keepers at the Wildfowl & Wetlands Trust incubated the eggs and cared for the ducklings, with one keeper noticing a star shape that indicated hatching was imminent. The newly hatched ducklings represent 1/3 of the total wild population of Madagascan Pochards. They will be kept in captivity for now and the organization hopes to eventually release them back into the wild to increase the endangered species' population.
Effective approaches to web application security - Zane Lackey
The document discusses effective approaches to web application security. It emphasizes techniques that are simple yet effective, such as making things safe by default through early encoding of dangerous HTML characters. It also stresses focusing security efforts by automatically detecting changes to sensitive code and functionality through hashing and alerts, in order to quickly review any newly introduced risks from continuous deployment.
This document summarizes a talk on using hackers versus security tools in the software development lifecycle (SDLC). It discusses how hackers can provide a unique perspective in requirements, design, development, testing, and production by thinking creatively about edge cases and security implications, though they do not scale as well as tools. Tools are better for automation, high-volume testing, and preventing known issues, but may miss more complex vulnerabilities. An informed approach uses both hackers and tools throughout the SDLC.
Geoffrey Vaughan, Security Engineer at Security Innovation, discusses the pros and cons of using a hacker vs. a scanning tool for testing applications.
5 Things I Wish I Knew About SAST (DSO-LG July 2021) - Michael Man
1. SAST tools do not find all vulnerabilities on their own due to lack of code context and unknown user code. The human touch is needed to filter findings and identify the vulnerabilities that matter.
2. Not all applications have the same security needs, and "secure applications do not exist." How much effort is put into security depends on acceptable risk levels and the number of applications.
3. SAST is best for finding issues in your own code where you have context, while SCA is better for analyzing third party libraries with known vulnerabilities.
Discussion on how to deliver vulnerability management at scale.
It covers why full-stack vulnerability management is important and why security silos are a problem, the pitfalls of delivering thousands of assessments on a continuous basis, and how edgescan delivers vulnerability intelligence.
This document provides an overview of becoming a penetration tester or pentester. It discusses Phillip Wylie's background and experience in information security. It defines pentesting and explains why organizations use pentesting for security assessments and regulatory compliance. It outlines the skills, knowledge, and mindset needed to become a pentester including technological knowledge, hacking skills, and developing a "hacker mindset". It provides recommendations for building a home lab, recommended reading, learning resources, certifications, and tips for getting pentester jobs.
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
- Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Security testing tools are only as good as the humans who use them. Learn how to turn an automated security effort into an effective security assessment.
Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
This example-laden talk will show how common tools available in today's enterprise environments can be harnessed to enhance and transform an appsec program. The talk includes example attacks and simple configuration changes that could make all the difference. Devs, infrastructure sec, CISOs, come one, come all.
This document discusses advanced threat hunting and identifying zero-day attacks infiltrating organizations. It begins with background on the speaker and an overview of the evolving threat landscape, including nation-states, criminal enterprises, and hacktivists. It then discusses how advanced threats may not be as sophisticated as assumed and how threats often "live off the land" by using existing tools to blend in. The document emphasizes that advanced threat hunting requires knowing what to look for, as threats can enter opportunistically but cause damage over time. It provides examples of living off the land techniques like using PowerShell and internal sites for command and control. The conclusion stresses the importance of understanding one's environment and capabilities when conducting threat hunting.
DEF CON 23 - Wesley McGrew - I Hunt Penetration Testers - Felipe Prado
The document discusses operational security issues faced by penetration testers and recommendations to address them. It analyzes vulnerabilities in commonly used penetration testing tools when used without proper configuration or in insecure network environments. Specific tools like BeEF and Cymothoa are classified as "dangerous" due to default settings exposing communications. The document recommends that penetration testers encrypt communications and data, securely configure their tools, and gain a better understanding of the network environments between themselves and their test targets, to reduce the risk of an attacker intercepting or modifying testing activities.
What does a pentest job look like in practice? (hackersuli)
This document provides an overview of how to conduct a penetration test of a web application. It discusses the importance of project management and scope definition. Key steps include gathering intelligence on the target system, understanding the application functionality, using both automated scanning tools and manual testing of business logic flaws. Guidelines are provided around legal and ethical aspects, as well as communications with the client.
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs... (apidays)
Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Identifying a Compromised WordPress Site (Chris Burgess)
This talk was originally delivered at the Melbourne WordPress Developer Meetup in July 2016. Rather than the common talks on hardening and prevention, this presentation covered how you can identify that a WordPress website has been compromised, and some of the early warning signs.
HouSecCon 2019: Offensive Security - Starting from Scratch (Spencer Koch)
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker-modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that this is what an attacker would do. They won’t just try to attack your quarterly code-reviewed main web site, or consumer mobile app. They won’t directly attack your PCI-relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Zane Lackey. Security at scale. Web application security in a continuous depl... (Yury Chemerkin)
Effective approaches to web application security at scale involve making things safe by default through universal output encoding, detecting risky functionality changes through automated alerts, automating tests to find simple issues, and monitoring metrics to identify attacks and problems off-hours through automated alerts on thresholds.
4. Ready, set … scan! (or) The fire drill begins!
• You’re already under attack and you need to know how many other holes you have that could be exploited
• You forgot about that part of PCI-DSS and the QSA arrives in a week
• You need to perform due diligence for a merger or acquisition
• Your CEO switched from Talls to Ventis
5. What do you need to know first?
• Where the applications live – all of them
‒ Very few have a good/comprehensive list
• Which ones you’ll be allowed to scan
• Who to contact when something goes wrong
• Are QA/Staging environments available
‒ Better to test against non-production when possible
• What you’ll do once you find things
‒ How much can you fix?
‒ What can you block with a WAF?
6. Who are you outrunning?
Script kiddies
‒ Lots of them with much more free time than you
+ Limited mostly to cheap/free tools and scripts
+ Limited business logic, mostly SQL/XSS type issues
Smart hackers with targeted attacks
‒ More skilled and with more tools and manual know how
‒ Focus on business logic flaws
+ Time (if you’re lucky), requires more time to find issues
Internal threats
‒ Have inside knowledge and access to resources
‒ More opportunity to accidentally find weaknesses
+ Can be punished when caught
+ Not usually the most skilled hackers
7. How sure do you need to be?
• Automated vs. manual pen-testing
‒ Technology considerations
‒ Either or both?
• Checking for logic flaws in most critical applications
‒ Hint: this is going to take a lot longer
• Decide how far down the rabbit hole you’re going to go
‒ How important is it to know the worst case for each vulnerability being exploited
• False positives...
Oh yes, there will be some
9. Automated vs. manual pen-testing
Technology Considerations
• Types of scanners
• Comprehensive parameter checking
• Technologies being scanned
‒ JavaScript / AJAX
‒ Mobile
‒ Thicker Client (Flash & Java applets)
‒ Web services
• Reporting & verification
• WAF/IPS Integration
• SaaS vs. software
10. Automated vs. manual pen-testing
Automated
+ Not affected by tedious activity, will check every input
+ Repeatable & scalable
‒ Cannot check for certain types of vulns, e.g. business logic flaws
‒ Cannot make decisions based on content
Manual pen-testing
+ Creative, understands content to make leaps of logic
+ Can perform all possible attacks
‒ Will only "spot check"
▪ 10 inputs x 200 payloads = 2000 attacks x 100 pages = 200,000 attacks
‒ Hard/impossible to scale
Combination (Ideal in most cases)
+ Automate mundane and repeatable aspects to get scalability and cost reductions
+ Use humans to test the aspects that require deductive reasoning based on logic
14. Oh yes, there will be false positives
• Is vendor verification available?
• You will waste time trying to convince someone that they’re valid
• You will waste time and lose credibility that you may need for a real vulnerability later
‒ Cry wolf scenario
• Separating vulnerabilities from acceptable risk or intended behavior
‒ e.g. content manager that needs to allow JavaScript in content submissions
19. Preparing for battle
• Set up a pipeline for the results
‒ Developers, sysadmins, project managers, QA
• Make sure the scanner can reach all the apps
‒ Set up credentials, roles for widest coverage
• Determine maximum scanning rate
‒ Server connection limits
‒ Problems when vhost'ing websites
‒ Enforcing concurrent scanning limits
• Warn the operations team
‒ It’s about to get noisy in here
‒ You may want to mute the logging alerts
‒ Disable automatic routines that report hacking activity to ISP
• Get emergency contact numbers for both sides
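To make the "server connection limits" and vhost points on this slide concrete, here is an added example of mine (not code from the webinar or from NT OBJECTives' products). It groups scan targets by the server they resolve to, since several virtual hosts usually share one physical server and a per-hostname limit would still overload it, and then caps concurrent scan sessions per server and overall. The hostnames, addresses and the sleep that stands in for a scan session are constructed; nothing here sends traffic.

```python
"""Scan scheduler that enforces per-server and global concurrency limits.

Added example for the "Determine maximum scanning rate" step: several
virtual hosts usually sit on one physical server, so limits must be applied
per *resolved server*, not per hostname.  Everything below is constructed
(hostnames, addresses, the fake scan body); no traffic is sent.
"""
from __future__ import annotations

import threading
import time
from collections import defaultdict

# Constructed resolver view: three vhosts share 10.0.0.10.  In practice this
# mapping comes from your asset inventory or a DNS lookup done up front.
RESOLVED = {
    "www.example.test": "10.0.0.10",
    "shop.example.test": "10.0.0.10",
    "blog.example.test": "10.0.0.10",
    "api.example.test": "10.0.0.11",
    "intranet.example.test": "10.0.0.12",
}


def group_by_server(targets, resolved):
    """Collapse hostnames onto the server they resolve to.

    An unknown hostname is treated as its own server so it is still limited.
    """
    groups = defaultdict(list)
    for host in targets:
        groups[resolved.get(host, host)].append(host)
    return dict(groups)


class ScanStats:
    """Tracks peak concurrency so the limits can be verified after the run."""

    def __init__(self):
        self._lock = threading.Lock()
        self._active = defaultdict(int)
        self.peak_per_server = defaultdict(int)
        self._active_total = 0
        self.peak_total = 0
        self.completed = []

    def enter(self, server):
        with self._lock:
            self._active[server] += 1
            self._active_total += 1
            self.peak_per_server[server] = max(self.peak_per_server[server], self._active[server])
            self.peak_total = max(self.peak_total, self._active_total)

    def leave(self, server, host):
        with self._lock:
            self._active[server] -= 1
            self._active_total -= 1
            self.completed.append(host)


def run_scans(targets, per_server=2, total=4, resolved=RESOLVED, scan_seconds=0.02):
    """Run one (simulated) scan per target under both concurrency caps."""
    stats = ScanStats()
    groups = group_by_server(targets, resolved)
    # Create every semaphore before any thread starts, so two workers can
    # never race to create separate semaphores for the same server.
    server_slots = {server: threading.Semaphore(per_server) for server in groups}
    global_slots = threading.Semaphore(total)
    by_host = {host: server for server, hosts in groups.items() for host in hosts}

    def worker(host):
        server = by_host[host]
        # Take the server slot first so a waiting worker does not pin a
        # global slot while the server it needs is already saturated.
        with server_slots[server], global_slots:
            stats.enter(server)
            try:
                time.sleep(scan_seconds)  # stand-in for the real scan session
            finally:
                stats.leave(server, host)

    threads = [threading.Thread(target=worker, args=(host,)) for host in targets]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return stats


if __name__ == "__main__":
    result = run_scans(list(RESOLVED) * 2)
    print("peak per server:", dict(result.peak_per_server))
    print("peak total:", result.peak_total)
```

The per-server cap is what protects a box hosting many vhosts from hitting its connection limit; the global cap is what keeps the run from flooding the network and the operations team's alerting at once. Both values should come from the answers you collected on the earlier slides (server connection limits, agreed scanning windows), not from defaults.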
20. Questions you need answered first
• How target rich is your environment?
‒ How many applications have vulnerabilities
• Who can exploit the vulnerabilities?
‒ e.g. everyone, intranet only, auth required, verified accounts
• How easy to discover?
‒ Easy to find SQL/XSS type issues vs. business logic issues
• How hard to get fixed in code?
• How much residual risk?
‒ Decide with your management what you’ll be comfortable with
21. When you’re in a target-rich environment…
How do you prioritize?
‒ Largest number of vulnerabilities?
‒ "Most important" sites?
‒ “Most common” vulnerabilities?
‒ Most critical applications?
▪ Remember, lots of breaches happen through non-critical apps
‒ Whatever you can fix first?
‒ Whatever has the most shared code?
‒ Whatever the WAF can’t block?
25. How hard to get fixed in code?
• Are developers still available?
• In-house or outsourced?
• Is application still in active development?
• When is next planned release?
• Amount of time/process for standard/required QA verification?
• Is WAF/IPS filter an option for quick and temporary protection against exploit?
27. Good job, now let’s do this again!
• Was this a one time event?
• Usually once this is performed, management wants to see it again
• How frequently will scanning need to be performed?
• Re-scanning included in cost?
28. NT OBJECTives, Inc.
• Dedicated to application security > 10+ years
• Software, Services & SaaS
‒ NTOSpider: Dynamic Application Scanning Technology (DAST)
‒ NTOEnterprise: Enterprise web portal interface to manage scanning activity, access controls & report storage & access
‒ NTOSpider On-Demand: SaaS based on NTOEnterprise
‒ NTODefend: WAF/IPS integration tool to generate filters from scan results
29. Discussion & contact information
Wendy Nather
Research Director
@451wendy
http://idoneous-security.blogspot.com/
Dan Kuykendall
Co-CEO & CTO
@dan_kuykendall
http://manvswebapp.com
30. Securing in a Hurry
Questions & Discussion
www.NTOBJECTives.com