This document summarizes a presentation on securing web projects. It discusses how vulnerabilities commonly occur during design, implementation, and deployment phases due to issues like incomplete specifications, lack of security requirements analysis, coding mistakes, and insecure default configurations. The presentation covers common web attacks, secure development principles, and steps organizations can take to move from a reactive to proactive security posture.
Slides from the first module of the OWASP Ottawa Training Day 2012, "Integrating security and privacy in a web application project" training.
Module 1: before coding (security during inception and design phases)
The training was designed and produced by:
Antonio Fontes (OWASP Geneva) - http://www.slideshare.net/starbuck3000
Philippe Gamache (OWASP Montreal) - http://www.slideshare.net/PhilippeGamache
Sebastien Gioria (OWASP France) - http://www.slideshare.net/SebastienGioria
Common WebApp Vulnerabilities and What to Do About Them - Eoin Woods
With more and more services becoming internet-facing, web application security is now a problem for most of us. In response to this, the OWASP security community have been working for years to catalogue, understand and prioritise common web application vulnerabilities, published as the “OWASP Top 10 List”.
In this session, Eoin will review the OWASP Top 10 list to understand the vulnerabilities and dig into the implementation details of some of the more important of them to identify practical mitigations for them in our own applications.
The Certified Ethical Hacker (CEH) program is the core of the most desired information security training system any information security professional will ever want to be in.
Our researcher Aryeh Goretsky took a look at some of the more interesting pieces of malware and threats that have occurred over the first six months of the year 2014. And what a year it has been, with some serious new developments as well as persistence of numerous older threats.
Cybersecurity: Malware & Protecting Your Business From Cyberthreats - SecureDocs
http://www.securedocs.com - The recent increase in high-profile cyberattacks has made online security a hot topic, and rightfully so. Companies from The New York Times to Facebook have fallen victim to attacks by cybercriminals, highlighting just how vulnerable any business is. In the past few years, malware has evolved dramatically and is a serious threat to all organizations, both big and small.
This presentation covers what advanced malware is and the impact it can have on an organization. Learn how to protect your business from this type of threat.
As more Department of Defense (DoD) weapon and mission support systems become software-dependent and networked, government agencies are increasingly exposed to severe cybersecurity vulnerabilities. For DoD agencies and the systems integrators who support them, this session explains how pentesting can help secure next-generation weapons and mission support systems.
Pentesting has been around for decades, but with the technology evolution we’ve seen radical changes in today’s networks, including ubiquitous encryption, the death of the traditional network perimeter, and the advent of new end point devices, including a myriad of IoT devices.
CompTIA’s chief technology evangelist Dr James Stanger explains how pentesting has morphed; you’ll learn the relevant skills a pen tester should have today, how organizations use a pen tester, and how to usefully “digest” the information gained from a pen test.
Other topics covered include how the IT environment has changed radically in the last five years, the pentesting challenges DoD agencies face today, responsible pen testing and the hacker lifecycle, as well as understanding the “hacker’s dilemma”. There's also a demo of responsible pentesting.
For more information on CompTIA training, visit https://www.globalknowledge.com/us-en/training/course-catalog/brands/comptia/
On today's increasingly militarized Internet, companies, non-profits, activists, and individual hackers are forced to melee with nation-state class adversaries. Just as one should never bring a knife to a gunfight, a network defender should not rely on tired maxims such as “perimeter defense” and “defense in depth”. Today’s adversaries are well past that. This webinar provides:
- Key insights into what we call the Library of Sparta - the collective written expertise codified into military doctrine. Hidden in plain sight, vast free libraries contain the time-tested wisdom of combat at the tactical, operational, and strategic levels.
- A better understanding of how adversaries will target your organization, which will help you employ military processes and strategies in your defensive operations.
- New approaches and examples of how to translate and employ doctrinal concepts in your current operations.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Talk that Prof. Mustaque Ahamad from GaTech gave at Global Cybersecurity Leaders Program http://www.cisoacademy.com/gclp2-prof-mustaque-ahamad-april-2015/
This presentation will take a high level look at the malware life cycle and the role that both hackers and IT professionals play in it. It should be interesting to IT professionals as well as individuals interested in learning more about the general approach used by hackers to gain unauthorized access to systems, applications, and sensitive data.
More security blogs by the authors can be found at
https://www.netspi.com/blog/
How to prepare for the CISSP Exam. A presentation created by the (ISC)2 Hellenic Chapter to assist and instruct those in Greece interested in pursuing the CISSP Certification.
The (ISC)2 Hellenic Chapter Team
Best Practices for a Mature Application Security Program Webinar - February 2016 - Security Innovation
In this webinar, you will learn about trends in application security, threat modeling and risk rating your applications, and optimizing your Software Development Lifecycle. Highlights include:
- Research from the Ponemon Institute: Where have companies improved and where do they continue to struggle when it comes to application security?
- Understanding application security threats to different platforms and how to prioritize vulnerabilities.
- Optimizing your Software Development Lifecycle by using best practices, identifying skill gaps, and building a roadmap.
The Emergency Operations Center (EOC) is the nerve center for a community's response to a disaster. This paper discusses the technology infrastructure that we recommend for EOCs to support rapidly emerging crisis situations and respond to communities in a more effective, agile way.
This presentation articulates a key trend I'm seeing in technology delivery. Namely, the need to "right-size the rigor" applied using risk-based methods.
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment - Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof... - Denim Group
HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement.
Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014 - m1splacedsoul
Abstract: The Building Security In Maturity Model (or BSIMM) observes and measures what firms' software security initiatives are actually doing. John, who has helped several firms build or improve their security initiatives, will share sometimes surprising data about security initiatives big and small. His presentation will focus on what activities organizations use to "boot" security initiatives and which they presently focus on.
Washington Mutual Bank's Collapse Under An Audit Perspective - hong_nona
This is my MBA project paper for the External Audit course. The project paper tapped into one of the hottest topics of the U.S. economic crisis in 2008, three months after the collapse of the biggest U.S. banking institution.
The author incorporated the audit principles in analyzing the root causes of the U.S. economic crisis and how this disaster can be avoided.
Ensure Software Security already during development - IT Weekend
"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it is becoming more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities for integrating Software Security Assurance into your Development Lifecycle, and what technologies and processes can help you with that.
Lucas v. Stockhausen
Software Security Consultant
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy - Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
This presentation shows how Quality Risk Management can be applied in the Commissioning & Qualification of Facilities, Systems and Equipment in Pharmaceutical Facilities.
Enterprise DevOps is different from DevOps in startups and smaller companies. This session shows how AWS/CSC address this: how AWS IaaS-level automation via CloudFormation, UserData, the Console, APIs and some PaaS (OpsWorks/Beanstalk) is complemented by the CSC Agility Platform. CSC Agility adds application compliance and security to the AWS infrastructure compliance and security, and allows for the creation of architecture blueprints for predefined application offerings.
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC - CA Technologies
Cloud computing started a technology revolution; now DevOps is driving that revolution forward. By enabling new approaches to service delivery, cloud and DevOps together are delivering even greater speed, agility and efficiency. No wonder leading innovators are adopting DevOps and cloud together! This presentation explores the synergies in these two approaches, with practical tips, techniques, research data, war stories, case studies and recommendations.
17th edition of Security BSides São Paulo, a free conference on information security and hacker culture, also known as BSidesSP.
This time we were doubly represented, by our Head of Product, Leonardo Pinheiro, and by our Head of Threat and Detection Research, Rodrigo Montoro. Not to be missed! ;)
Both presented the talk "Exploit Prediction Scoring System (EPSS) – Aperfeiçoando a priorização de vulnerabilidades de forma efetiva" (Effectively improving vulnerability prioritization). Check it out!
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The Emergent Cloud Security Toolchain for CI/CD - James Wickett
Security is in crisis and it needs a new way to move forward. This talk from Nov 2018, Houston ISSA meeting discusses the tooling needed to rise to the demands of devops and devsecops.
The DevSecOps Builder’s Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
Demystify Information Security & Threats for Data-Driven Platforms With Cheta... - Chetan Khatri
Pragmatic presentation on Penetration testing for Data-Driven Platforms.
Agenda:
- Motivation
- Information Security - Ethics.
- Encryption
- Authentication
- Information Security & Potential threats with Open Source World.
- Find vulnerabilities.
- Checklist before using any Open Source library.
- Vulnerabilities report.
- Penetration Testing for Data-Driven Developments.
Security in the age of open source - Myths and misperceptions - Tim Mackey
As delivered at Interop ITX 2017.
The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.
The Anatomy of Java Vulnerabilities (Devoxx UK 2017) - Steve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin, right? Well, maybe not. Java on the server can be just as at risk as the client.
In this talk we’ll cover all aspects of Java vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed, as well as the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code, this talk will help you become more effective in tackling security issues in Java.
Vulnerability Management In An Application Security World: AppSecDC - Denim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
DOM Based XSS (or, as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability: the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.
The CISO Problems Risk Compliance Management in a Software Development 030420... - lior mazor
Join us virtually for our upcoming meetup to learn:
- Why adopt a fresh approach and redefine how you view critical risks within your software supply chain?
- How can we deal with the paradox of enhancing protection for expanding attack surfaces and the dynamic nature of threat actors, especially in the world of the Generative Code AI amidst budget constraints?
Empowering Application Security Protection in the World of DevOps - IBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
Keeping security top of mind while creating standards for engineering teams following the DevOps culture. This talk was designed to show how easy it is to automate security scanning and to act as a developer advocate by showing the quality of development work. We will cover some high-level DevSecOps topics and demo some examples a DevOps team can implement for free.
Source code security review challenge at Confoo 2012 - Montreal (confoo.ca)
The audience was challenged in attempting to spot security vulnerabilities in a series of source code examples.
Security in outsourcing contracts for development services and ... - Antonio Fontes
Preparing security from the contractual phase onward in outsourcing projects related to web applications: development, cloud hosting and rental (SaaS).
GRI/CLUSIS symposium on the role of the state in the cybersecurity of Swiss companies / 27 May 2011
Web security track - opening talk:
OWASP & OWASP Switzerland
Swiss Cyber Storm 3 (Rapperswil, May 2011)
Original powerpoint slides can be downloaded and re-used under following conditions:
- you're free to copy, distribute and transmit the work
- you're free to adapt the work
- if you alter, transform, or build upon this work, you may distribute the resulting work under the same or similar rights to this one
Threat modeling web application: a case study - Antonio Fontes
TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet. It helps identify major threats to your web application and their appropriate countermeasures.
This session focuses on an introduction to the threat modeling technique through a case study on an online newspaper platform.
Event: Confoo 2011 Montreal
The top 10 web application intrusion techniques - Antonio Fontes
The OWASP foundation published the 2010 version of its reference document describing the top 10 web application security risks.
During this talk, these ten intrusion techniques will be described to the audience.
Event: Confoo 2011 - Montreal
An update on the context and the motivations behind the cyberattacks referred to in the press.
Audience: legal (lawyers, legal advisers, etc.)
Technical level: low
Location: 2 December 2010, Faculty of Law, University of Geneva
Info:
http://lexgva.ch/index.php?subaction=showfull&id=1290112460
You want to start integrating security in your web application project but you don't know where to start and don't have access to software security professionals. What are the "cheapest" while very efficient activities that you can already do by yourself?
Agenda:
- Understanding the need for information security and privacy
- Secure design: key principles
- Threat modeling and analysis: building your first threat model and identifying the major risks in your web application
- Testing the security of your web application
- Understanding the big picture: what is a secure SDLC
- Cheap and efficient security activities that can be started immediately in your SDLC
By the end of March, the OWASP foundation will release the 2010 version of its major documentation project, the "Top 10 security risks in web applications."
Agenda:
- The 10 most common web application attacks
- Discovering the OWASP Top 10 document
- Integrating the Top 10 within an existing SDLC, as a software vendor, or a software buyer.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply doing machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this is illustrated with link prediction over knowledge graphs, but the argument is general.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
17. antonio.fontes@owasp.org / SDLC Security
Threat context
Which of the following technologies should we protect against "___ Injection" attacks?
A. LDAP
B. HTML
C. XPath
D. SQL (in the source code)
E. SQL (in a stored procedure)
18. antonio.fontes@owasp.org / SDLC Security
Threat context
You own an online dating website for VIPs. You enforce SSL on all connections because you value your customers' privacy. A user connects from a corporate network where SSL deep-packet inspection is enabled. What happens in the browser?
A. The browser displays a "red" warning
B. The browser displays a "yellow" warning
C. Nothing, all lights green as usual.
19. antonio.fontes@owasp.org / SDLC Security
Threat context
Which of the following technologies should we protect against "___ Injection" attacks?
A. LDAP --> yes
B. HTML --> yes
C. XPath --> yes
D. SQL (in the source code) --> yes
E. SQL (in a stored procedure) --> yes
20. antonio.fontes@owasp.org / SDLC Security
Threat context
You own an online dating website for VIPs. You enforce SSL on all connections because you value your customers' privacy. A user connects from a corporate network where SSL deep-packet inspection is enabled. What happens in the browser?
A. The browser shows a "red" warning --> no.
B. The browser shows a "yellow" warning --> maybe
C. Nothing, all lights green as usual --> probably
27. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• 8 core secure development principles:
– Data input validation
– Data output encoding
– Error handling
– Authentication / Authorization
– Session management
– Secure communications
– Secure storage
– Secure resource access
http://www.slideshare.net/BSides/the-principles-of-secure-development-david-rook
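As an added example (not code from the slides), this shows what the "yes" answers of slide 19 and the input validation / output encoding principles of slide 27 mean per sink: each context gets its own defence. It assumes no real directory or database: the LDAP escaper is hand-written per RFC 4515 rather than taken from a library, and the SQL part runs against a constructed in-memory sqlite3 table.

```python
"""Per-sink protection for three of the quiz's injection targets.

Added example, not code from the slides. No real directory or database is
used: the LDAP escaper is written here per RFC 4515 (no python-ldap), and
the SQL part runs against a constructed in-memory sqlite3 table.
"""
import html
import sqlite3

# RFC 4515 section 3: characters that must be hex-escaped inside an
# assertion value of a search filter.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    """LDAP sink: the value can no longer close or extend the filter."""
    return f"(&(objectClass=person)(uid={ldap_filter_escape(username)}))"


def render_greeting(display_name: str) -> str:
    """HTML sink: the name lands in text content, so HTML-encode it."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def find_user_sql(conn: sqlite3.Connection, username: str) -> list:
    """SQL sink: the value is bound as a parameter, never spliced in."""
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("o'brien",)])
    return conn


if __name__ == "__main__":
    # Constructed inputs carrying each sink's metacharacters.
    print(build_user_filter("alice)(uid=*"))
    print(render_greeting('<b>alice</b> "VIP"'))
    print(find_user_sql(demo_db(), "o'brien"))
```

The same rule covers slide 19's last answer: a stored procedure that concatenates its arguments into dynamic SQL is as injectable as application code and needs the same parameterization; sqlite3 has no stored procedures, so that case is not shown here.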
28. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• Software vulnerabilities appear at 3 major stages of the SDLC:
– DESIGN time
– IMPLEMENTATION time
– DEPLOYMENT time
Whether from within your organization… or from your software vendor…
29. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• Design time vulnerabilities:
– Appear in the specifications/requirements documents (security features vs. secure features)
• Causes:
– Lack of security requirements analysis
– Misunderstanding of the requirements
– Insufficient or ambiguous specification
– Specifications not being reviewed
• Remediation cost: high
30. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• Coding time vulnerabilities:
– Appear during the coding phase.
• Causes:
– Misunderstanding of the technology
– Lack of good practices
– Secure code not being reused
– Code not being reviewed
– Mistakes, distractions, errors, …
• Remediation cost: average
31. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• Deploy time vulnerabilities:
– Appear during/after the deployment.
• Causes:
– Insecure default configuration
– Insecure installation procedure
– Installed on insecure systems/networks
– Configurations not being reviewed
• Remediation cost: low
32. antonio.fontes@owasp.org / SDLC Security
What do we know today?
• What about outsourcing?
– How do you make sure the code is clean?
– How do you know they can fix it?
• Causes:
– Incomplete vendor agreements / contracts
– Lack of requirements / specifications
– Lack of governance / controls
• Remediation cost: high
33. antonio.fontes@owasp.org / SDLC Security
What do we know today?
Organizations have a tolerance level (risk appetite):
• "I want to be compliant!"
– Get your webapp audited (checklist).
• "I want to keep my database inside!"
– Get a documented solution to the Top10 problem.
• "I want 'secure' written on marketing material!"
– Get/hire/rent an appsec professional
What's yours?
34. antonio.fontes@owasp.org / SDLC Security
Challenge(s)
• The threat landscape is highly mobile, proactive, evolving and… smart.
– and moreover: it is growing!
• Weaknesses, on the other hand, are highly static, reproducible and… detectable.
• Organizations are still limited by time and money constraints.
• Challenge: identifying opportunities to keep risk at its lowest level, at the lowest cost.
35. antonio.fontes@owasp.org / SDLC Security
Agenda
What's happening right now?
From reactive to proactive
What do others do?
What can I do?
36. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Chart: SDLC phase axis, Inception > Design > Implementation > Verification > Release > Operations; the following slides walk through it one phase at a time]
37. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Inception]
Prevention:
- nah.
Detection:
- nah.
38. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Design]
Prevention:
- "Our software architect has ten years experience in…". Nah.
Detection:
- nah.
39. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Implementation]
Prevention:
- Nah.
- Sometimes: "hey, let's send all our developers to a security training!"
Detection:
- If it passes build+compile, then it's gold baby!!
- …nah.
40. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Verification]
Prevention:
- Nah.
Detection:
- Right password should work.
- Wrong password should not work.
- Logoff should work.
- …
- nah…
41. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Release]
Prevention:
- "Our integrators have ten years experience in…". Nah.
Detection:
- "We will conduct a penetration test. Soon!!"
42. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Operations]
Prevention:
- Nah.
Detection:
- PENTEST TIME!!! (aka: asking 'ethical hackers' to simulate an intrusion attempt)
43. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Chart: risk level plotted along the SDLC phase axis Inception > Design > Implementation > Verification > Release > Operations]
44. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Chart: risk level and fixing costs plotted along the SDLC phase axis]
45. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Chart: risk level, fixing costs and the tolerated risk level plotted along the SDLC phase axis]
46. antonio.fontes@owasp.org / SDLC Security
Reactive risk control in the SDLC
[Chart: risk level, fixing costs and the tolerated risk level along the SDLC phase axis, with the penetration test marked on the chart]
47. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Chart: risk level, fixing costs and the tolerated risk level along the SDLC phase axis Inception > Design > Implementation > Verification > Release > Operations; annotation: "Good practices: early prevention"]
48. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Chart: same axes; annotations: "Good practices: early prevention" and "Checkpoints: early detection"]
49. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Chart: same axes, now also showing the residual risk; annotations: "Good practice: early prevention" and "Checkpoint: early detection"]
50. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Inception]
Prevention:
- Analysis of security & privacy requirements
Detection:
- Review
- Vendor selection criteria
51. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Design]
Prevention:
- Secure design and architecture guidance
- Secure software requirements definition guidance
- Awareness of web induced risks
- Threat modeling
- Service Level Agreement
- Vendor contract: security quality & service agreement
Detection:
- Requirements/specification analysis
- Design security review
- Vendor offer: how is the vendor solving major problems?
52. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Implementation]
Prevention:
- Secure development environment configuration
- Secure coding guidance
- Vendor contract: access to code review reports & coding practices
Detection:
- Code security review
53. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Verification]
Prevention:
- N/A
Detection:
- Security testing
- Vendor contract: access to test plan and test results
- Vendor contract: authorization to perform your own tests
- Vendor contract: security acceptance criteria (Top 10? ASVS?)
55. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide covers Operations]
Prevention:
- Maintain secure environments (networks, systems, services)
- Incident response planning
- Vendor agreement: service level agreement (impact analysis, cross-client breach notification, etc.)
Detection:
- Vulnerability assessment
- Penetration testing
- Vendor agreement: authorization to attack your own service
56. antonio.fontes@owasp.org / SDLC Security
Proactive risk control in the SDLC
[Phase axis: Inception > Design > Implementation > Verification > Release > Operations; this slide summarizes all phases]
Prevention activities:
- Rely on approved methods and tools to produce secure code
- Vendor contract: ensure your software vendor agreed on security deliverables and activities
Detection activities:
- Deploy small controls all along the line to detect potential weaknesses.
- Vendor contract: ensure you have full right to test your system and/or, if necessary, its source code, and/or access to independent testing results.
57. antonio.fontes@owasp.org / SDLC Security
Agenda
What's happening right now?
From reactive to proactive
What do others do?
What can I do?
59. antonio.fontes@owasp.org / SDLC Security
SDLC, SDL?
• SDLC:
– Systems Development Lifecycle
• SDL:
– Security Development Lifecycle
• By Microsoft originally
• but many companies now have their own 'SDL'
60. antonio.fontes@owasp.org / SDLC Security
Microsoft SDL
(collaboration with Adobe and Cisco)
http://www.microsoft.com/security/sdl
71. antonio.fontes@owasp.org / SDLC Security
Get inspired
• Don't underestimate checklists!
• Preliminary triage check:
1. Is it accessible from the Internet?
2. Is it collecting/handling regulated data?
• Privacy, financial, HIPAA, etc.
3. Is it connected to business process systems?
4. Does it rely on risky technology?
5. How critical is it for the business?
6. Do we have control over the source code?
7. Do we host the application?
8. Etc.
72. antonio.fontes@owasp.org / SDLC Security
Get inspired
• Document your solutions to major problems:
1. How is input data validated?
2. How is output data encoded?
3. How are 3rd party systems queried?
4. How are requests authenticated/authorized/audited?
5. How do you store sensitive data?
6. How do you transport sensitive data?
7. Do you use cryptography? How? Where?
8. How do you handle errors and exceptions?
73. antonio.fontes@owasp.org / SDLC Security
Get inspired
• Most of these models were built over years and adopted by large software vendors.
• Read them, but don't try copy-pasting them into your organization!
• Adapt to your strengths/weaknesses:
– You have $$$? Hire red teams!
– You have talent? Strengthen your APIs!
74. antonio.fontes@owasp.org / SDLC Security
If you got lost…
1. Document your API-based solution to each item of the OWASP Top 10
2. Integrate an automated run of a security testing software against your application.
3. Integrate an automated run of a source code security analysis software.
4. Add a questionnaire in your change management process:
1. Authentication?
2. Authorization?
3. Audit? Log?
4. Input? Validation rule?
5. Output? Encoding rule?
6. Access to 3rd parties?
7. Sensitive data storage?
8. Sensitive data transport?
9. Use of cryptography?
75. antonio.fontes@owasp.org / SDLC Security
If you got lost…
5. Get a documented threat model and how you respond to each threat
6. Formalize your incident response team and process
7. Establish coding guidelines (and make them available on the intranet)
8. Rearrange this list as it suits you best!