Segurança além do Pentest

•Download as PPTX, PDF•

2 likes•1,295 views

"Indo além do Pentest" / Palestra apresentada na CPBR12 (Fev/2019) Muito se fala hoje em dia do Pentest, que já se tornou uma prática comum quando as empresas precisam testar a segurança de um site ou aplicação. A quantidade frequente de ataques bem sucedidos, resultando em fraudes e vazamentos de dados, mostram entretando que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem e devem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. Vamos conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan de vulnerabilidades, pentest, políticas de vulnerability disclosure e programas de bug bounty.

Technology

https://www.reddit.com/r/programming/comments/a1gbqw/ebay_japan_source_leak_as
_git_folder_deployed_to/?st=JP338IWS&sh=7ed38358

LOUIS CREMEN
https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-with-red-and-blue-security-teams-6437c1a07700

Code
Review
Security
Tests
Análise de
Vulnera-
bilidade
Pentest
Red
Team
Theat
Hunting
Vulnerability
Disclosure
Bug
Bounty

Code
Review
Security
Tests
Análise de
Vulnera-
bilidade
Pentest
Red
Team
Theat
Hunting
Vulnerability
Disclosure
Bug
Bounty
Fonte:IBM

Code
Review
Security
Tests
Análise de
Vulnera-
bilidade
•
•
•
•
•
•

Pentest
•
•
https://www.pcisecuritystandards.org/documents/Penetration_Testing_Gui
dance_March_2015.pdf

Vulnerability
Disclosure
Bug
Bounty
•
•
•
•
•
•

•
•
•
VRP
Vulnerabilidades
encontradas pelo melhor
pesquisador interno
Vulnerabilidades
encontradas pelo
programa de Bug Bounty
Chrome 263 371
Firefox 48 148
https://mfinifter.github.io/papers/vrps-usenix2013.pdf

https://www.google.com/about/appsecurity/reward-program/

•
https://hackernoon.com/introducing-the-infosec-colour-wheel-blending-developers-
with-red-and-blue-security-teams-6437c1a07700
•
https://anchisesbr.blogspot.com/2018/07/seguranca-custo-de-corrigir-os.html
•
http://blog.elevenpaths.com/2018/07/bug-bounty-ciberseguridad.html
•
https://mfinifter.github.io/papers/vrps-usenix2013.pdf
•
https://engineering.checkr.com/3-lessons-from-building-our-first-bug-bounty-
program-e73f49b9f1a7

A quantidade frequente de ataques bem sucedidos, fraudes e vazamentos de dados mostram que as empresas estão falhando em manter a segurança de seus sites, aplicações e bases de dados. Embora o "pentest" seja uma técnica muito comum de testar a segurança de um site, hoje temos a disposição um conjunto de ações que podem ser adotadas de forma complementar para testar e corrigir aplicações desde a sua concepção até a produção. amo conversar um pouco sobre as diferenças e vantagens de adotar práticas de testes de segurança, scan, pentest, vulnerability disclosure e bug bounty. Palestra realizada o Meetup OWASP São Paulo, 30/11/2018

Attacking open source using abandoned resources

Adam Baldwin

Make it Fixable (CppCon 2018)

Patricia Aas

From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan on how to deal with issues as they arise, and an architecture that allows us to correct and protect in products that are already in use. When security is lifted up to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk will describe architectural and organizational features that make it easier to make corrective measures. They are down-to-earth everyday scenarios, illustrated by real world software projects and security incidents. Some of the stories are well known, some are anonymized to protect the innocent. Finally we will show examples of how difficult it is to design the user experience of security.

Approaching the unknown - Windows Phone application security assessment guide

SecuRing

Windows Phone should be gone by now. But somehow it survived, hanging around few percent of mobile OS market share. Maybe good camera which is in those phones does it. Sometimes even an application dedicated to WP platform shows up on pentest. How to do it? What tools to use? What to check? This talk will give you an overview of WP application security assessment, including some tips & tricks as well. We will cover topics like: - application internal structure - data storage - traffic interception - testing on emulator vs testing on rooted phone - code analysis of WP application - overview of security mechanisms available on WP There even will be a real phone with Windows Phone on it to see.

REST API Pentester's perspective

SecuRing

Nowadays REST APIs are behind each mobile and nearly all of web applications. As such they bring a wide range of possibilities in cases of communication and integration with given system. But with great power comes great responsibility. This talk aims to provide general guidance related do API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of potential attacker. I will show: how to find hidden API interfaces ways to detect available methods and parameters fuzzing and pentesting techniques for API calls typical problems I will share several interesting cases from public bug bounty reports and personal experience, for example: * how I got various credentials with one API call * how to cause DoS by running Garbage Collector from API

Bug Bounty #Defconlucknow2016

Shubham Gupta

Hunting for the secrets in a cloud forest

SecuRing

Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun! Additional materials: https://www.securing.biz/en/seven-step-guide-to-securing-your-aws-kingdom/index.html

ATT&CKcon 2.0 2019 - Tracking and measuring your ATT&CK coverage with ATT&CK2...

Mauricio Velazco

Large number web sites defacing for various purposes are increasing. Many used technique within of the these attacks is targeting a popular product or these plug-ins like WordPress. In this report, was analyses about vulnerability that made 18,000 websites victims by exploiting “Slider Revolution". The point different from general attacks like SQL injection is that using normal function. Many of these vulnerabilities within of the CMS product are often in where there are assume used by admin. So, Limit of access to "/wp-admin" or "/admin" by editing ".htaccess" is very important.

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Mazin Ahmed

Bug bounty

n|u - The Open Security Community

Oh no, was that CSRF #Ouch

Abhinav Sejpal

Overview: Are you web developer / Tester / Architect, why don’t you stop sucking you web app against CSRF attacks? Mission :- This session is on detecting and exploiting CSRF / XSRF issues. At the end of this session, the participant will be able manually identify CSRF / XSRF vulnerabilities in web applications. URL :- http://weekendtesting.com/archives/3843 Agenda :- Introduction What is Cross Side Request Forgery CSRF check & How to test (Iron OWASP , CSRF Finders) Prevention of CSRF attacks Q & A Prerequisite knowledge: Basic Technical knowledge about web application

Heybe Pentest Automation Toolkit - BlackHat USA 2015

Bahtiyar Bircan

Bug Bounty 101

Shahee Mirza

Building Twitter's SDKs for Android

Andy Piper

Learn hints, tips and tricks from the Twitter Fabric development team, and the principles that guided their creation of this modular and powerful SDK. Presentation delivered at DroidconNL, Amsterdam, Nov 2014 Thanks to Andrea Falcone and the Fabric team for content and materials. You can see a lightning version of this talk delivered at Twitter Flight here -> https://www.youtube.com/watch?v=3h7jQU1AOvw&index=2&list=PLFKjcMIU2WsjUiy7UcPiWNxktpin0WDgu

How to hack a node app? @ GDG DevFest Ukraine 2017

Asim Hussain

Twitter APIs for #MediaHackday

Andy Piper

Spring Security 5.1 by Example - Josh Cummings

VMware Tanzu

Technical Debt Must Die: Communicating Code to Business Stakeholders

Matt Eland

Our software sucks. We're up to our necks in bugs and technical debt, yet we often seem to hit roadblocks explaining things in ways that bring about meaningful change. In this session you'll learn to gather, analyze, and interpret data in order to create effective presentations to communicate quality, technical debt, and other technical matters in ways that tell a compelling story. You’ll master how to communicate effectively with key stakeholders by taking a data-driven approach blended with storytelling techniques to bridge common gaps between development and business stakeholders. You’ll explore the 7 tools of software quality and how they can bring clarity and sanity to the decision-making process, justify paying down technical debt, and focusing on improving our software in the areas that need it most.

BSides São Paulo - Trabalho no exterior e segurança de aplicações

Ismael Goncalves

Tale of Forgotten Disclosure and Lesson learned

Anant Shrivastava

Software Security Basics

CY Lee

HITCON Defense Summit 2019 －從 SAST 談持續式資安測試

Secview

議程會從 DevSecOps 開始，介紹如何將靜態安全測試（SAST）左移，導入開發流程中。開場簡介 DevSecOps，介紹如何在敏捷開發中導入資安。並且介紹在 CI/CD pipeline 中可以導入的資安項目。接著會以 SAST 為例來探討。分享整合開源工具的方法，以及實踐自動化和調整工具的經驗，來達到持續性、並且自動化的資安測試。 * DevSecOps Overview * Security in CI/CD pipeline * Open source SAST tools integration * Continuous Integration: SAST improvement and vulnerabilities triage

BSides Roma 2018 - Red team techniques

Guglielmo Scaiola

Adversary Emulation and Cracking The Bridge – Overview EMERSON EDUARDO RODRIGUES

EMERSON EDUARDO RODRIGUES

Malware Analysis

Ramin Farajpour Cami

Introduction to red team operations

Sunny Neo

Blue team reboot - HackFest

Haydn Johnson

Co Speaker: Cheryl Biswas Talk Description: How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed. We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies. We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.

RIoT (Raiding Internet of Things) by Jacob Holcomb

Priyanka Aash

The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform. Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security. For more signup(it's free): www.cisoplatform.com

How i'm going to own your organization v2

RazorEQX

What's hot

MR201504 Web Defacing Attacks Targeting WordPress

FFRI, Inc.

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Mazin Ahmed

Bug bounty

n|u - The Open Security Community

Oh no, was that CSRF #Ouch

Abhinav Sejpal

Heybe Pentest Automation Toolkit - BlackHat USA 2015

Bahtiyar Bircan

Bug Bounty 101

Shahee Mirza

Building Twitter's SDKs for Android

Andy Piper

How to hack a node app? @ GDG DevFest Ukraine 2017

Asim Hussain

Twitter APIs for #MediaHackday

Andy Piper

Spring Security 5.1 by Example - Josh Cummings

VMware Tanzu

Technical Debt Must Die: Communicating Code to Business Stakeholders

Matt Eland

BSides São Paulo - Trabalho no exterior e segurança de aplicações

Ismael Goncalves

Tale of Forgotten Disclosure and Lesson learned

Anant Shrivastava

Software Security Basics

CY Lee

What's hot (14)

MR201504 Web Defacing Attacks Targeting WordPress

Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed

Bug bounty

Oh no, was that CSRF #Ouch

Heybe Pentest Automation Toolkit - BlackHat USA 2015

Bug Bounty 101

Building Twitter's SDKs for Android

How to hack a node app? @ GDG DevFest Ukraine 2017

Twitter APIs for #MediaHackday

Spring Security 5.1 by Example - Josh Cummings

Technical Debt Must Die: Communicating Code to Business Stakeholders

BSides São Paulo - Trabalho no exterior e segurança de aplicações

Tale of Forgotten Disclosure and Lesson learned

Software Security Basics

Similar to Segurança além do Pentest

HITCON Defense Summit 2019 －從 SAST 談持續式資安測試

Secview

BSides Roma 2018 - Red team techniques

Guglielmo Scaiola

Adversary Emulation and Cracking The Bridge – Overview EMERSON EDUARDO RODRIGUES

EMERSON EDUARDO RODRIGUES

Malware Analysis

Ramin Farajpour Cami

Introduction to red team operations

Sunny Neo

Blue team reboot - HackFest

Haydn Johnson

RIoT (Raiding Internet of Things) by Jacob Holcomb

Priyanka Aash

How i'm going to own your organization v2

RazorEQX

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Hacks in Taiwan (HITCON)

Modern Web 2019 從零開始加入自動化資安測試

Secview

CI/CD 是現在企業常用的開發流程，敏捷的開發速度自然需要自動化的流程幫助我們加速驗證和部署。但為了求快速，資安測試和檢查往往在開發流程中會被捨去。議題會大致分成兩大部分：資安測試以及 DevSecOps。這次議題內容會講解如何在現有的 DevOps 開發文化中，加上自動化的資安測試。會介紹像是靜態測試（SAST）和動態測試（DAST），以及要套用哪些標準來提升測試的價值。並且以自身經驗，跟大家分享要導入這些資安測試時，在 CI/CD 每個階段不同的需求和做法。同時也會簡單介紹 DevSecOps，希望能將資安融入在快速、敏捷開發的文化中，讓產品可以不斷推進，產品也可以持續保持在足夠的安全性上。

Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf

lior mazor

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins

FaithWestdorp

Level up your SOC - Guide for a Resilient Education Program.pdf

Brandon DeVault

black hat deephish

Alejandro Correa Bahnsen, PhD

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Chris Gates

CyberMLToolkit: Anomaly Detection as a Scalable Generic Service Over Apache S...

Databricks

Cybercrime is one the greatest threats to every company in the world today and a major problem for mankind in general. The damage due to Cybercrime is estimated to be around $6 Trillion By 2021. Security professionals are struggling to cope with the threat. As a result, powerful and easy to use tools are necessary to aid in this battle. For this purpose we created an anomaly detection framework focused on security which can identify anomalous access patterns. It is built on top of Apache Spark and can be applied in parallel over multiple tenants. This allows the model to be trained over the data of thousands of customers over a Databricks cluster within less than an hour. The model leverages proven technologies from Recommendation Engines to produce high quality anomalies. We thoroughly evaluated the model’s ability to identify actual anomalies by using synthetically generated data and also by creating an actual attack and showing that the model clearly identifies the attack as anomalous behavior. We plan to open source this library as part of a cyber-ML toolkit we will be offering.

Play,Learn and Hack- CTF Training

Heba Hamdy Farahat

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Chris Gates

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Rob Fuller

Malware collection and analysisChong-Kuan Chen

Similar to Segurança além do Pentest (20)

HITCON Defense Summit 2019 －從 SAST 談持續式資安測試

BSides Roma 2018 - Red team techniques

Adversary Emulation and Cracking The Bridge – Overview EMERSON EDUARDO RODRIGUES

Malware Analysis

Introduction to red team operations

Blue team reboot - HackFest

RIoT (Raiding Internet of Things) by Jacob Holcomb

How i'm going to own your organization v2

【HITCON FreeTalk 2018 - Spectre & Meltdown 漏洞的修補策略與 risk mitigation】

Modern Web 2019 從零開始加入自動化資安測試

Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins

Level up your SOC - Guide for a Resilient Education Program.pdf

black hat deephish

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

CyberMLToolkit: Anomaly Detection as a Scalable Generic Service Over Apache S...

Play,Learn and Hack- CTF Training

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Malware collection and analysis

More from Anchises Moraes

Post pandemics threat scenario

Segurança além do Pentest

Recommended

Recommended

More Related Content

What's hot

What's hot (14)

Similar to Segurança além do Pentest

Similar to Segurança além do Pentest (20)

More from Anchises Moraes

More from Anchises Moraes (20)

Recently uploaded

Recently uploaded (20)

Segurança além do Pentest

Editor's Notes