Security First - Adam Baldwin

•

2 likes•972 views

The document discusses security and building a security-first culture. It notes that security is difficult because software has many opinions and constraints. While no software is completely secure, individuals are responsible for security and should educate themselves on vulnerabilities, validate and sanitize inputs, use cryptography, and audit code. The document encourages teaching others about security and having conversations to improve security awareness.

Technology News & Politics

Hi, I’m Adam
@adam_baldwin
@liftsecurity
@nodesecurity

Mobile First
Content First
Offline First

Mobile First
Content First
Offline First
SECURITY

Who’s responsible for
security?
You are.

NSA Spent $25 million
on ‘software
vulnerabilities’ in 2013

- Ignorance
- Procrastination
- Not Exciting work
- Not Rewarded

Validation / Sanitization
Cryptohttp://www.matasano.com/articles/crypto-challenges/
http://owasp.org

Community
Bridge all the worlds
http://blog.andyet.com/2013/09/11/shame-and-security

Homework.
- Learn about 1 vuln
- Audit some code
- Teach a Friend

confwork?
Talk to each other about
security...

</PRESENTATION>
@adam_baldwin | @LiftSecurity

La labor de gestionar la seguridad de una empresa suele ser como bailar sobre el alambre. Hay que permitir que el negocio siga funcionando, estar a la última, proteger lo ya implantado e innovar en cosas nuevas. Eso sí, de forma más eficiente cada año y con menos presupuesto. Todo ello, con el objetivo de no que no pase nada. La conclusión de esto es que al final siempre queda Long Hanging Fruit para que cualquiera se aproveche.

Cyber security Guide

Ila Group

Amy mania - Put Words In My Mouth - DC2711 2019

DC2711 - DEF CON GROUP - Johannesburg

Money has been withdrawn from your account. You don't remember making, or authorising that transaction. When you follow up with the bank, they say you called earlier and requested the transfer - it was, after-all, you speaking - right? Unbeknownst to you, your voice was stolen, and so was your money. With the rise of voice authentication biometrics, so will the opportunities to spoof it. Text-to-Speech API's are constantly improving, with Google's technology now being indistinguishable from the real human speaker. Threat actors have access to a target's YouTube videos, social media posts. Even more invasive channels are certain vulnerable IoT devices, littered throughout homes and offices. Social media posts and IoT's allow threat actors to listen to your voice, capture and then manipulate it (all using free online tools). So what exactly can be done with a 'stolen' voice? This research explores the possibilities of banking fraud, by using voice-spoofing to bypass authentication and withdraw funds.

Privacy on the Series of Tubes of Things

EFF-Austin

Cybersecurity Standards: The Open Group Explores Security and Ways to Assure ...

Dana Gardner

WANTED – People Committed to Solving our Information Security Language Problem

Evan Francen

Some of the very things that make JavaScript awesome can also leave it exposed. Guy Podjarny and Danny Grander walk through some sample security flaws unique to Node’s async nature and surrounding ecosystem (or especially relevant to it)—e.g., memory leaks via the buffer object, ReDoS and other algorithmic DoS attacks (which impact Node due to its single-threaded nature), and timing attacks leveraging the EventLoop—and show how these could occur in your own code or in npm dependencies.

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Adam Baldwin

Continuous Security - Thunderplains 2016

Adam Baldwin

Node Day - Node.js Security in the Enterprise

Adam Baldwin

portfolio.docx

DasolGaming

The Difference Between Being Secure And Being Compliant

John Bedrick

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security

Sounil Yu

We are rapidly approaching the next era of security where we need to be focused on the ability to recover from irrecoverable attacks. This can also be defined as resiliency. The traditional view of resiliency attempts to quickly restore assets that support services that we care about. This new approach/paradigm looks at resilience in ways that promote design patterns (distributed, immutable, ephemeral) where we do not care about a given asset at all while still keeping the overall service functioning. This new approach allows us to avoid having to deal with security at all.

10 Components of Business Cyber Security

Comodo SSL Store

How to Secure America

SecurityStudio

Information Security Awareness Session -2020

Ismail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS

Giant bags of mostly water

roensel

Evolving threat landscape

Motiv

Cyber Security

Ncell

Lkw Security Part 1_MVPs Azra & SanjayQuek Lilian

Lodi Emmanuel Palle Cybersecurity and Technology Innovation.pptx

Lode Emmanuel Palle

Lodi Palle is a junior software developer, and his main forte is in line with cybersecurity. He has honed and found passion in technology after doing various jobs to finally landed in software development. His work mainly focuses on Ruby on Rails, Ruby, SQL, Javascript, HTML, CSS, Bootstrap, React.js, node.js, Typescript, Android Studio, Flutter, Dart, Kotlin, ERP Systems, SAP, Tableau, Microsoft Power BI. Palle, confident enough to say that he can do the job, as he had finally found the career that he is most passionate about.

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

BruCon 2019 Keynote -=> My name is Rob Fuller, I've been around a bit, not as long as some but longer than others. From the US military to government contracting, consulting, large companies, tiny startups and silicon valley behemoths, from podcasting to television, I've had a storied and humbling career in infosec. Let’s get past complaining about blinky lights and users. Let’s talk about what actually works and what doesn't.

eSafety and online security within schools

Webanywhere Ltd

CYBER AWARENESS.pptx cyber security ppt harika

palaharika13

Cyber Security: A Common Problem 2018

joshquarrie

WANTED – People Committed to Solving our Information Security Language Problem

SecurityStudio

Viewers also liked

Continuous Security

Adam Baldwin

Nodevember 2015

Adam Baldwin

Secure Node Code (workshop, O'Reilly Security)

Guy Podjarny

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Adam Baldwin

Continuous Security - Thunderplains 2016

Adam Baldwin

Node Day - Node.js Security in the Enterprise

Adam Baldwin

Viewers also liked (6)

Continuous Security

Nodevember 2015

Secure Node Code (workshop, O'Reilly Security)

The Art of Identifying Vulnerabilities - CascadiaFest 2015

Continuous Security - Thunderplains 2016

Node Day - Node.js Security in the Enterprise

Similar to Security First - Adam Baldwin

portfolio.docx

DasolGaming

The Difference Between Being Secure And Being Compliant

John Bedrick

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security

Sounil Yu

10 Components of Business Cyber Security

Comodo SSL Store

How to Secure America

SecurityStudio

Information Security Awareness Session -2020

Ismail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS

Giant bags of mostly water

roensel

Evolving threat landscape

Motiv

Cyber Security

Ncell

Lkw Security Part 1_MVPs Azra & SanjayQuek Lilian

Lodi Emmanuel Palle Cybersecurity and Technology Innovation.pptx

Lode Emmanuel Palle

Why isn't infosec working? Did you turn it off and back on again?

Rob Fuller

eSafety and online security within schools

Webanywhere Ltd

CYBER AWARENESS.pptx cyber security ppt harika

palaharika13

Cyber Security: A Common Problem 2018

joshquarrie

WANTED – People Committed to Solving our Information Security Language Problem

SecurityStudio

Human is an amateur; the monkey is an expert. How to stop trying to secure yo...

Vlad Styran

Opsec for security researchers

vicenteDiaz_KL

How to Migrate Your Organization to a More Security-Minded Culture – From Dev...

Dana Gardner

Module1_Intro to Security_Final.ppt

zenotechae

Similar to Security First - Adam Baldwin (20)

portfolio.docx

The Difference Between Being Secure And Being Compliant

Distributed Immutable Ephemeral - New Paradigms for the Next Era of Security

10 Components of Business Cyber Security

How to Secure America

Information Security Awareness Session -2020

Giant bags of mostly water

Evolving threat landscape

Cyber Security

Lkw Security Part 1_MVPs Azra & Sanjay

Lodi Emmanuel Palle Cybersecurity and Technology Innovation.pptx

Why isn't infosec working? Did you turn it off and back on again?

eSafety and online security within schools

CYBER AWARENESS.pptx cyber security ppt harika

Cyber Security: A Common Problem 2018

WANTED – People Committed to Solving our Information Security Language Problem

Human is an amateur; the monkey is an expert. How to stop trying to secure yo...

Opsec for security researchers

How to Migrate Your Organization to a More Security-Minded Culture – From Dev...

Module1_Intro to Security_Final.ppt

More from Adam Baldwin

Attacking open source using abandoned resources

Adam Baldwin

JavaScript Supply Chain Security

Adam Baldwin

Building a Threat Model & How npm Fits Into It

Adam Baldwin

Who might want to attack your application? If they tried, how would they succeed? Answering these questions is an important exercise that helps you understand how to keep your application secure, so you can sleep at night. In this talk, Adam will teach you what threat modeling is and how to build threat models for your organization and applications. Because npm is such a critical part of how your developers build JavaScript applications, Adam will show you how npm fits into your threat model and how to use npm's tools to keep your JavaScript secure.

Hunting for malicious modules in npm - NodeSummit

Adam Baldwin

Ever since the threat of an npm worm became public we've been thinking about how to detect malicious modules in our ecosystem and how to provide security teams auditing modules with tooling and intel to make informed decisions about module risk. We've built a system to analyze modules based on their installation behavior. This talk will discuss the results of this endeavor and share the interesting findings from this new and previously unexplored dataset and try to answer the question if a npm worm is lurking in the shadows.

Node Security Project - LXJS 2013Adam Baldwin

JSConf 2013 Builders vs BreakersAdam Baldwin

EV1LSHA - Misadventures in the land of Lua

Adam Baldwin

Writing an (in)secure webapp in 3 easy steps

Adam Baldwin

Pony Pwning Djangocon 2010

Adam Baldwin

More from Adam Baldwin (9)

Attacking open source using abandoned resources

JavaScript Supply Chain Security

Building a Threat Model & How npm Fits Into It

Hunting for malicious modules in npm - NodeSummit

Node Security Project - LXJS 2013

JSConf 2013 Builders vs Breakers

EV1LSHA - Misadventures in the land of Lua

Writing an (in)secure webapp in 3 easy steps

Pony Pwning Djangocon 2010

Recently uploaded

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

DevOps and Testing slides at DASA Connect

Kari Kakkonen

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images