BSidesLondon 20th April 2011 - Chris John Riley, Chris Sumner, Arron "finux" Finnon and Frank Breedijk
Why shouting into the security echo chamber does no good! Set to interpretive YMCA dance....
For more information about the presenters, follow them on Twitter: @ChrisJohnRiley, @TheSuggmeister, @seccubus, @F1nux
These slides go with the webinar linked below; in it we go over the topics covered in the slides and answer a few questions from people attending the live session.
http://lsntap.org/blogs/creating-technology-disaster-plan
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows... - Adrian Sanabria
There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows, and one of these 100 products running on it. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy.
Part one of this workshop will address the anatomy of malware and why it succeeds so often.
The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation.
- Passive prevention is effectively free and ideal
- Prevention will always fail a percentage of the time, so detection is essential
- Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal
- Remediation, because someone has to clean up this mess...
Every successful security strategy includes planning to handle failure quickly and effectively.
The remainder of the workshop will be hands-on.
Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them.
For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.
Getting Your System to Production and Keeping it There - Eoin Woods
It can be dispiriting to find that a well-designed system that has been carefully implemented runs into problems as soon as it hits production, but such things do happen. This session explores why this happens and discusses why good software development practice is important but ultimately isn't sufficient to create a reliable and effective enterprise system. We'll discuss what being "production ready" really means in order to allow us to understand the principles, patterns and practices that we need to be aware of and apply in order to get our systems into production safely and keep them there.
Talk given at London Java Community on 1st December 2016.
Building a Successful Organization By Mastering Failure - jgoulah
The Etsy organization has grown by a significant amount over the last five years. As a company grows, more thought must be put into the techniques that it uses to communicate and deal with failures. This talk will cover several techniques that have helped foster a Just Culture, one in which an effort is made to balance both safety and accountability.
Beyond the Knowledge Base: Turning Data into Wisdom - an ITSM Academy Webinar - Karen Skiles
Many organizations operate as if Knowledge Management begins and ends with a Knowledge Base. However, a more robust Knowledge Management process exists. The KM process is a pipeline to Continual Service Improvement. This presentation provides insight and methods for developing and implementing a more comprehensive Knowledge Management process leading to improvement throughout the enterprise. This presentation covers design of the KM process, DIKW and its usages, the KM-CSI connection, knowledge repositories and much more.
Is Your Vulnerability Management Program Irrelevant? - Skybox Security
In this webcast, Scott Crawford from Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security will discuss how to:
- Link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks before exploitation.
- Build a remediation strategy that addresses 'unpatchable' systems.
- Minimize change management headaches by anticipating unintended impacts due to system and application interdependencies.
- Use metrics and key performance indicators (KPIs) like remediation latency to track the effectiveness of the vulnerability management program.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This session will cover the foundations of DevSecOps and the application of Chaos Engineering to Cyber Security. We will cover how the craft has evolved by sharing some lessons learned driving digital transformation at the largest healthcare company in the world, UnitedHealth Group. During the session we will talk about DevSecOps, Rugged DevOps, Open Source, and how we pioneered the application of Chaos Engineering to Cyber Security.
We will cover how DevSecOps and Security Chaos Engineering allow teams to proactively experiment on recurring failure patterns in order to derive new information about underlying problems that were previously unknown. The use of Chaos Engineering techniques in DevSecOps pipelines allows incident response and engineering teams to derive new information about the state of security within the system that was previously unknown.
As far as we know, Chaos Engineering is one of the only proactive mechanisms for detecting systemic availability and security failures before they manifest as outages, incidents, and breaches. In other words, security-focused Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
Ensuring Security through Continuous Testing - TechWell
Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle but fail to account for the testing of security-related use cases. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities will be found with less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-premise no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineer and software team lead, thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di... - Steve Werby
20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. It then asks whether security in DevOps is important, who is responsible for it, and what teams can do to make security a competitive advantage.
Vulnerability Management In An Application Security World - Denim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
From the OWASP Washington DC meeting August 5, 2009.
Rapid Risk Assessment: A New Approach to Risk Management - EnergySec
Presented by: Andrew Plato, Anitian
Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is a cumbersome and time-consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results.
Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity of IT security risk assessment. Using the existing principles of risk management defined in the NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results, empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process.
This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.
Improve Security through Continuous Testing - TechWell
Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle. But they fail to account for the testing of security-related issues. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities are uncovered but there is less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-site no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!
BSidesLondon 20th April 2011 - Rory Mccune (@raesene)
"Penetration testing" has become a staple of the security programmes of a lot of companies around the world, and particularly in the UK. Unfortunately, in most cases it's poorly understood, the value for customers is minimal, and it bears absolutely no resemblance to what a modern attacker would do.
So it's time for it to die.
For more info about Rory Mccune go to www.7elements.co.uk
BSidesLondon 20th April 2011 - Manuel
This talk will show you the basics of reverse engineering Android apps, with the ultimate goal of re-implementing the decryption routines of the Kobo Android reader to achieve interoperability of other software with that closed interface.
For more about Manuel: http://sporkbomb.eu and Kobo http://sporkbomb.eu/kobopier/
You built a security castle and forgot the bridge…now users are climbing your... - Security BSides London
BSidesLondon 20th April 2011 - Soraya Viloria Montes de Oca
Successful IT projects are not always security successes. The question "How much time do you ever spend understanding the business needs, and the data the system is handling, before you propose security controls?" is asked... and discussed.
For more about Iggy follow @GeekChickUK
BSidesLondon 20th April 2011 - David Rook (@securityninja)
This demonstration-filled talk will start by discussing the problems with the security code review approaches most people follow and the reasons why I created Agnitio. This will include a look at existing manual and automated static analysis procedures and tools. The talk will move on to exploring the Principles of Secure Development and how the principles have been mapped to over 60 different checklist items in Agnitio.
For more about David go to http://www.securityninja.co.uk/
For more about Agnitio go to http://sourceforge.net/projects/agnitiotool/
BSidesLondon 20th April 2011 - Jim Shields (@JimShout)
Note: watch this video before the presentation: http://vimeo.com/22580155
Addressing the human factor with Jim from Twist & Shout. Jim not only shared his technical expertise recording the BSides sessions but also shared some useful insight into "user awareness". Due to copyright issues, many of the images/clips cannot be shown.
For more about Jim: www.twistandshout.co.uk
BSidesLondon 20th April 2011 - @wickedclownuk
Lots of companies are using RDP to support their external users. The administrators lock down the servers via group policy believing it is all secure. I will demonstrate how you can instantly bypass group policy and how to escalate your privileges with the use of Metasploit.
BSidesLondon 20th April 2011 - Steve Lord (@stevelord)
The majority of penetration testing teams have staff falling into three of four categories: Nessus Monkeys, Experts-in-Training and Jaded Cynics. This is a talk about improving penetration testing skills to get to the rare fourth Jedi Master level, normally occupied by less than 1% of the team, where nothing is impossible. The talk will be backed up by video footage from actual penetration tests as well as live demos and a Q&A session.
For more about Steve: http://www.mandalorian.com
BSidesLondon 20th April 2011 - Xavier Mertens (@xme)
Your IT infrastructure generates thousands (millions?) of events a day. They are stored in several places in multiple forms and contain a lot of very interesting information. Using free tools, this presentation will give you some ideas on how to properly manage this continuous flow of information and how to make it more valuable.
For more about Xavier: http://blog.rootshell.be
BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie)
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited.
For more about Justin: http://www.gdssecurity.com
BSidesLondon 20th April 2011 - David Rook and Chris Wysopal (@securityninja & @WeldPond)
From the perspective of both an employee of a financial transaction provider and a security vendor, this presentation will focus on how to effectively sell the business value of application security to executives, middle management, and development groups.
For more about David & Chris go to http://www.securityninja.co.uk/blog and http://www.veracode.com/blog/
BSidesLondon 20th April 2011 - Arron "finux" Finnon
The presentation's aim is to talk about how simple it is to deploy DNS tunnelling infrastructure at little or no cost. It also shows how to establish an SSH connection from target to attacker, and acts as a taster for people's further research.
For more about @F1nux go to www.finux.co.uk
BSidesLondon 20th April 2011 - @Jimmy Blake
The media hype, both positive and negative, around cloud computing is often sensationalist. The reality is that cloud computing has a place as a tool in the modern computing environment – but how do you realistically balance the benefits with the risks?
For more about Jimmy: jimmyblake.com
DevOps and Testing slides at DASA Connect - Kari Kakkonen
Rik Marselis's and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. We finished with a lovely workshop in which the participants tried to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: Optimizing FME Workflows with Parameters - Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Security YMCA
1. Security YMCA
Why shouting into the security echo chamber does no good!
Are we, as security people, reaching the people we need to reach the most… developers?
2. Disclaimers
• Be careful what you say on twitter
• This started off as a joke
• We do not represent our employers, these are our own opinions
• Our survey has NO scientific basis
• Our survey is NOT free of bias
• The outfits are just so you won’t take us seriously ;)
Image: YMCA a CC NC image from bogdog Dan’s Flickr stream: http://www.flickr.com/photos/25689440@N06/2866020311/
3. Points of order
• We have about 25 minutes left in this presentation
• In this 25 minutes we will try to start a discussion
• Maybe we may even get people to do some real research
• 10 minutes are reserved for Q&A and YMCA song
• The next 20 slides will auto-advance every 45 seconds…
• This talk is interactive… so interact!
• Why the f*ck did you guys pick this talk? No, really
4. Who are we?
• Chris John Riley
• Arron “F1nux” Finnon
5. Who are we?
• Frank “Seccubus” Breedijk
• Chris “Suggy” Sumner
6. So what is this about?
Show of hands:
• Who in this room is not working in info security?
• Who in this room has ever presented at a conference?
• Of those, who presented at a non-security conference?
• And yet we wonder why “developers don’t get it?”
7. HTTP Parameter Pollution
• There are multiple ways to send parameters
• Sending parameters with both GET and POST can lead to interesting results
• This problem has been known for 11 years
• Yet 30% of the Alexa top 5000 sites have at least one page with this problem*
• Including Microsoft, Google, VMWare, Facebook, Symantec and Paypal
* Taken from Marco Balduzzi’s talk “HTTP Parameter Pollution Vulnerabilities in Web Applications”, Black Hat Europe 2011
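As an added example (not from the slides or from Balduzzi’s talk), the Python below shows why a parameter sent in both the query string and the POST body is ambiguous, and a strict merge that refuses such requests. Parameter names, values and the three resolution policies are constructed for illustration.

```python
from urllib.parse import parse_qsl

def collect_params(query_string, form_body):
    """Gather (name, value, source) tuples from the query string and the
    form-encoded body, in arrival order, without collapsing duplicates."""
    params = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        params.append((name, value, "query"))
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        params.append((name, value, "body"))
    return params

def resolve(params, name, policy):
    """Model how a back end might pick a value for a repeated parameter:
    'first', 'last' or 'concat' (comma-joined). Which one applies depends
    on the framework, which is exactly what makes pollution ambiguous."""
    values = [v for n, v, _ in params if n == name]
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":
        return ",".join(values)
    raise ValueError(f"unknown policy {policy!r}")

def strict_params(query_string, form_body):
    """Hardened merge: refuse any request in which a parameter name occurs
    more than once, whether twice in one source or once in each."""
    seen = {}
    for name, value, source in collect_params(query_string, form_body):
        if name in seen:
            raise ValueError(
                f"duplicate parameter {name!r} ({seen[name][1]} and {source})")
        seen[name] = (value, source)
    return {n: v for n, (v, _) in seen.items()}

if __name__ == "__main__":
    # Constructed request: 'id' arrives in both the query string and the body.
    polluted = collect_params("action=view&id=10", "id=20")
    for policy in ("first", "last", "concat"):
        print(policy, "->", resolve(polluted, "id", policy))
    try:
        strict_params("action=view&id=10", "id=20")
    except ValueError as exc:
        print("rejected:", exc)
```

Logging the rejected name and both sources gives a cheap detection signal for pollution attempts without having to guess which policy the framework applies.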
8. So we did a survey
• Not scientific (we’re no scientists)
• Bias introduced (but we are biased ;)
• Intended to generate discussion and actual research
• Writing a survey to prove a point is not good science
• We do not know if the participants were actually developers
9. Demographics - Roles
Chart of respondent roles: Senior management or Sponsor; Application Security Architect; Application Architect; Developer; Project Manager; Application Support; Business Owner; Other
Responses from all over the geographic spectrum… Lots from UK and USA
10. Demographics - Experience
Chart of respondent experience: less than 2 years; 2 - 4 years; 4 - 10 years; 10 - 15 years; more than 15 years
12. What a 12 step program boils down to…
• Recognize /admit there is a problem
• Accept it needs to be fixed
• Get to know the problem
• Fix the problem
• Learn new rules to avoid the problem
• Help others avoid the problem
13. Admitting/recognizing the problem
• Where do you find most problems when it comes to securing applications you develop?
– I'm not able to spot security issues
• Disagree – 25%
• Somewhat agree – 28%
• Agree – 19%
• Strongly Agree – 1%
• No Answer – 27%
Chart grouping: Disagree 25%, Agree (somewhat, agree and strongly combined) 48%, No Answer 27%
14. Accept that you need to fix it
• Where do you find most problems when it comes to securing applications you develop?
– Security loses out to features
• Disagree – 11%
• Somewhat agree – 17%
• Agree – 25%
• Strongly Agree – 21%
• No Answer – 26%
Chart grouping: Disagree 11%, Agree (somewhat, agree and strongly combined) 63%, No Answer 26%
15. Investigate the problem
• Where do you find most problems when it comes to securing applications you develop?
– Understanding information on how to secure things
• Disagree – 28%
• Somewhat agree – 27%
• Agree – 16%
• Strongly Agree – 3%
• No Answer – 26%
Chart grouping: Disagree 28%, Agree (somewhat, agree and strongly combined) 46%, No Answer 26%
16. Fixing the problem
• Where do you find most problems when it comes to securing applications you develop?
– Fitting security into the development timeline
• Disagree – 7%
• Somewhat agree – 22%
• Agree – 21%
• Strongly Agree – 23%
• No Answer – 27%
Chart grouping: Disagree 7%, Agree (somewhat, agree and strongly combined) 66%, No Answer 27%
17. Help others avoid the problem
• Where do you find most problems when it comes to securing applications you develop?
– Finding the right tools to assist in secure development
• Disagree – 13%
• Somewhat agree – 24%
• Agree – 29%
• Strongly Agree – 7%
• No Answer – 27%
Chart grouping: Disagree 13%, Agree (somewhat, agree and strongly combined) 60%, No Answer 27%
18. Where do you find most problems when it comes to securing applications you develop?
Chart summary, percent Disagree vs "Agree" (somewhat agree, agree and strongly agree combined):
• Understanding information on how to secure things: Disagree 28, Agree 46
• I'm not able to spot security issues: Disagree 25, Agree 48
• Finding the correct information: Disagree 12, Agree 60
• Fitting security into the development timeline: Disagree 7, Agree 66
• Security loses out to features: Disagree 11, Agree 63
• Finding the right tools to assist in secure development: Disagree 13, Agree 60
1. Make it easier to find the right information & tools
2. Acknowledge the timeline & features issues
19. Information Sources
How often do you refer to the following information sources to ensure the security of your applications?
Chart (Rarely / Never vs Regularly / Constantly) for: Blogs; Social Networks; Books; Forums; Training Material; Best Practice Guides; Internal Coding Guidelines
20. How often do you refer to the following information sources to ensure the security of your applications?
Same chart as slide 19, annotated “We don’t suck” / “We suck”
We don’t suck We suck
22. Detect / Prevent
When developing applications do you or your company use any of the following to ensure security of the applications developed?
Bar chart (scale 0 to 35) of: Code-Review (automated or manual); Penetration Testing; Security Review
Surprised by code review, do they mean a Security Code Review or Quality Review?
23. About tools
• In our survey our audience said: 80.8 % wanted more tools, however my 2 pence worth (as usual in security you’re being overcharged), is that we have too many tools.
• Dare I say too much fragmentation in choice of tools.
• I wonder about a world with only x1 port scanner, all training material, all methodologies, all good practice would reflect the x1 single tool.
• So my question is, am I officially crazy?
24. And now for the singing and dancing
Image: “Chewbacca wasn't sure they had disco on Kashyyyk but he sure as hell wasn't going to put all that practice at looking like an 'M' go to waste” a CC NC SA image from harold.loyd’s Flickr stream: http://www.flickr.com/photos/14434912@N07/3503661701/