Virtual Fox Fest
VFP and IT Security
Eric Selje
Salty Dog Solutions, LLC
eric@saltydogllc.com
SaltyDogLLC.com
About Me
• Fox developer since 1985
• MadFox since 1995
• IT Security for the last few years
• First public speaking since 2019
Agenda
• What Does IT Security Do?
• IT Security Frameworks
• CIS Controls
• Visual FoxPro and IT Security
A Day in the Life of IT Security
Lay of the Land
What do I need to address right now?
• Baselines / Abnormalities
• 🚩 Alerts 🚩
  ♦ May come directly from the tool
    • Anti-Virus, Scanner, Web-Based Threat Monitor, etc.
  ♦ Better if it comes from a SIEM that aggregates information from multiple sources
• Impossible unless systems are set up. Easy once they are.
Tools, You Say?
SIEM (Security Information and Event Manager)
• My main source for alerts
• Aggregate logs from disparate sources
• Analyze/Act on that information
  ♦ Great for forensics after the fact
  ♦ Better if ALERTS are set up to catch stuff before it happens
    • Evidence of network traversal
    • Hard drives filling up
    • Who logged in with elevated privileges?
Sample Splunk Page
Dashboards
Some SIEM Examples
Lay of the Land
Review Vulnerability Scans
• Common Vulnerabilities and Exposures (CVE)
  ♦ The CVE ID is a unique identifier
  ♦ Assess its risk to your environment
  ♦ Will it be patched automatically, or do I need to intervene?
Sample Vulnerability Scan
A Basic (Non-Credentialed) Scan
Drilling Into One Device
Drilling Down Further Into Vuln
Remediate / Mitigate
Triage the vulnerabilities and decide:
• Remediate: Fix the Problem
  ♦ Patch / Remove
  ♦ Will it auto-update on its own?
• Mitigate: Put a Band-Aid on the Problem
  ♦ Cordon off the threat
  ♦ Put extra controls in place to watch the problem
• Accept/Recast: Decide you can live with the risk
  ♦ Might require “paperwork”
Automatically Patch
“Patch Management as a Service”
• WSUS
• Kace Quest
• PDQ
What’s on the Horizon?
• Read Email Briefs
  ♦ Mandiant, Bleeping Computer, Krebs on Security
• Websites
  ♦ HackURLs.com
• Podcasts / YouTube channels
  ♦ Hacking Humans, Security Now, CyberSecurity Headlines, and Darknet Diaries
• Watch Vendor Presentations
  ♦ New tools / software / threats
• Talk with my Colleagues
Plan, Prepare, Educate
• Policies!
  ♦ BYOD
  ♦ Appropriate Use
  ♦ Backup and Storage
  ♦ Configuration Management
  ♦ Incident Response
  ♦ Log Management
  ♦ Media Sanitization
  ♦ Password
• More Policies!
  ♦ Access Control
  ♦ Physical Security
  ♦ Remote Access
  ♦ Wireless Networks
  ♦ International Travel
  ♦ Contingency Planning and Disaster Recovery
  ♦ Network Management
  ♦ Security Patch Management
Security Awareness Training
• Test Phishing / Smishing / Vishing
• Learning Campaigns w/ Knowledge Checks
  • Social Engineering
  • Good Passwords
  • MFA
My Toolbox
• Log Management (SIEM)
• Vulnerability Scanner
• Anti-Virus/Malware
• Patch Management
• Web-Based Threat Protection
• Security Awareness Training
Pause for Questions
IT Frameworks
Frameworks are Roadmaps
Some are for the BIG Picture.
Some are for very specific purposes.
BIG Risk Management Frameworks
NIST 800-53
“Security and Privacy Controls for Information Systems and Organizations”
1,000s of Controls
Smaller Risk Management Framework
NIST Cybersecurity Framework
CIS Controls
CIS Control 1: Inventory and Control of Enterprise Assets
• Know everything about what’s on your network.
CIS Control 2: Inventory and Control of Software Assets
• Have software in place that scans your workstations for what software is running on them and keeps it up to date.
CIS Control 3: Data Protection
• Have controls in place so our data is not easily accessible to anyone snooping around, either when it’s at rest or in transit. You should also have a data retention plan in place so you know whether you should purge the data regularly or hold onto it in perpetuity.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
• These determine who gets to make changes to your network or install new software and what procedures they have to go through in order to document the changes.
CIS Controls
CIS Control 5: Account Management
• Who gets an account on the system? What service accounts are running? Do they have to have passwords? How long?
CIS Control 6: Access Control Management
• This ties in with Control 5, Account Management, but deals with the rights users have. Do users need administrative rights? Do you require Multi-Factor Authentication? Can a user log in remotely, or do they have to be in a specific geographic location based on their IP address when they enter their credentials?
CIS Controls
CIS Control 7: Continuous Vulnerability Management
• Scan your devices for known vulnerabilities and patch them automatically.
CIS Control 8: Audit Log Management
• Enable logging on all of your devices and as much of your software as possible, and forward those logs to a centralized repository.
CIS Control 9: Email and Web Browser Protections
• Have spam filtering on your inbox, prevent EXE files from getting into your inbox, and have your anti-malware scan your downloads.
• Run your web traffic through a proxy server to block any attempts to navigate to known malicious sites.
CIS Controls
CIS Control 10: Malware Defenses
• Have it
• Centralize it
• Log it
CIS Control 11: Data Recovery
• Have a secure recovery plan in place and test it regularly.
CIS Control 12: Network Infrastructure Management
• Ensure your network devices are patched and secure, and nothing gets introduced without being vetted.
CIS Controls
CIS Control 13: Network Monitoring and Defense
• Set up those alerts as mentioned in Control 8 (Log Management).
• Configure your firewalls to only allow in the traffic you want to get through (start with a Deny All posture and open up the necessary ports from there, after seeing what got blocked that you really want to allow).
• Create VLANs to segregate traffic, especially to workstations that handle sensitive data.
CIS Controls
CIS Control 14: Security Awareness and Skills Training
• This is probably the second most important thing you can do, and this is actually one of my favorite tasks.
  • Video Campaigns
  • Test Phishing / Vishing / Smishing
  • Signed Policies
CIS Controls
CIS Control 15: Service Provider Management
• Keep track of who you’re working with, what data and services they have access to, and monitor them to ensure compliance with any security policies you have.
CIS Control 16: Application Software Security
• How to make sure our applications and data are as secure as possible:
  • Establishing a secure development process,
  • Using 3rd party controls,
  • Code-level security checks.
CIS Controls
CIS Control 17: Incident Response Management
• Know how to recognize an “incident” and what to do when it is discovered.
CIS Control 18: Penetration Testing
• This includes the dramatic “red-teaming” to ensure your network defenses are intact, but also includes having someone test your applications for vulnerabilities by inputting edge cases, poking odd buttons, and trying to find ways to make it do things you didn’t intend.
Pause for Questions
VFP and Security
Three Different Contexts
1. Development: Is VFP secure?
2. Deployed Apps: Are my apps secure?
3. Environment: Are the things I need to run my apps secure?
Is VFP9.exe itself secure?
VFP is probably ok. What else?
ActiveX Controls w/ Vulnerabilities
• ComCt232.ocx
• MsChrt20.ocx
• MsFlxGrd.ocx
• MsMask32.ocx
• MsWinSck.ocx
• Update those w/ Service Packs
• MSXML
Anything else?
www.cve.org
What about VFPA and X#?
VFPA
• Same as VFP9
• Look at Externalities
  • Firewall logs
X#
• Open Source
• Source Code Analyzers
Secure Application Development
• Keep a manifest of all 3rd party tools that you use
  • Even Windows components
    ♦ Webview? Webview2?
  • ActiveX Controls
  • FLLs, Thor Tools, APIs, ...
16.4. Establish and manage an inventory of third-party software components
16.5. Use up-to-date and trusted third-party software components
Secure Code and Testing – Error Handling and Logging
Centralize one place to collect errors / logs
ErrorHandler Class (Doug Hennig?)
16.2. Establish and maintain a process to accept and address software vulnerabilities
16.3. Perform root cause analysis on security vulnerabilities
Secure Code and Testing – Input Validation
16.10. Apply secure design principles in application architectures
Never trust user input. Do it in the U/I AND in the database!
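An added example (mine, not from the slides) of the two-layer rule this slide calls for: the same e-mail and balance checks as a TextBox Valid event and as CHECK rules in the DBC, so a row that bypasses the form is still refused; table, field and function names are invented, and the DBC is created in the temp folder so the program runs as-is.

```foxpro
* Added example, not from the slides: one validation rule enforced twice, in the UI
* (TextBox Valid) and in the database container (field CHECK rules). Names invented.
CLOSE DATABASES ALL
SET SAFETY OFF
LOCAL lcDir
lcDir = ADDBS(SYS(2023))                      && temp folder; demo data only
CREATE DATABASE (lcDir + "demo_validation")
CREATE TABLE (lcDir + "customer") ( ;
   cust_id  I       CHECK cust_id > 0 ;
                    ERROR "Customer id must be positive", ;
   email    C(80)   CHECK NOT EMPTY(email) AND ("@" $ email) AND NOT (" " $ ALLTRIM(email)) ;
                    ERROR "E-mail is required and must contain @ and no spaces", ;
   balance  N(10,2) CHECK balance >= 0 ;
                    ERROR "Balance may not be negative")

* Constructed inputs: the database layer decides, whether or not a form was involved.
? "well-formed row:         ", TryInsert(1, "alice@example.com", 10.00)
? "address without @:       ", TryInsert(2, "not-an-address", 0)
? "negative balance:        ", TryInsert(3, "bob@example.com", -5)

FUNCTION TryInsert(tnId, tcEmail, tnBalance)
   * Returns .T. when the row passes every CHECK rule, .F. when the DBC rejects it.
   LOCAL llOk, loErr
   llOk = .F.
   TRY
      INSERT INTO customer (cust_id, email, balance) VALUES (tnId, tcEmail, tnBalance)
      llOk = .T.
   CATCH TO loErr
      * Keep the rule's text for the log; a web front end should show a generic message.
      ? "   rejected by database rule:", loErr.Message
   ENDTRY
   RETURN llOk
ENDFUNC

DEFINE CLASS EmailTextBox AS TextBox
   * UI side of the same rule: immediate feedback for the user, never the only check.
   PROCEDURE Valid
      LOCAL lcValue
      lcValue = ALLTRIM(THIS.Value)
      IF EMPTY(lcValue) OR NOT ("@" $ lcValue) OR (" " $ lcValue)
         MESSAGEBOX("Please enter a valid e-mail address", 48, "Input")
         RETURN 0     && 0 keeps focus in the control without VFP's own "Invalid input" box
      ENDIF
      RETURN .T.
   ENDPROC
ENDDEFINE
```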
Secure Code and Testing – Authentication and Authorization
16.10. Apply secure design principles in application architectures
• If you can, outsource Identity and Access Management to a 3rd party
  • Google Login
  • Active Directory
  • Okta
• Use Multi-Factor Authentication for Sensitive Data
• If you store credentials in your apps
  • Salted Hashes Only!
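An added example (mine, not from the slides) of "salted hashes only" in VFP: a per-credential random salt and an iterated SHA-256 through the Windows CryptoAPI, with the matching verify routine; the CryptoAPI names are the real advapi32 exports, while MakePasswordRecord, VerifyPassword, StretchedHash and Sha256 are invented for this demo.

```foxpro
* Added example, not from the slides: store a credential as salt$iterations$hash so
* neither the password nor an unsalted hash ever reaches the table. Helper names are
* invented. Where a vetted KDF (PBKDF2, bcrypt, Argon2) is reachable from VFP, prefer it
* over this hand-rolled stretching, per Safeguard 16.11.
#DEFINE PROV_RSA_AES        24
#DEFINE CRYPT_VERIFYCONTEXT 0xF0000000
#DEFINE CALG_SHA_256        0x0000800C
#DEFINE HP_HASHVAL          2
#DEFINE SALT_BYTES          16
#DEFINE ITERATIONS          20000

DECLARE INTEGER CryptAcquireContextA IN advapi32 AS CryptAcquireContext ;
   INTEGER @phProv, INTEGER pszContainer, INTEGER pszProvider, INTEGER dwProvType, INTEGER dwFlags
DECLARE INTEGER CryptReleaseContext IN advapi32 INTEGER hProv, INTEGER dwFlags
DECLARE INTEGER CryptGenRandom      IN advapi32 INTEGER hProv, INTEGER dwLen, STRING @pbBuffer
DECLARE INTEGER CryptCreateHash     IN advapi32 ;
   INTEGER hProv, INTEGER Algid, INTEGER hKey, INTEGER dwFlags, INTEGER @phHash
DECLARE INTEGER CryptHashData       IN advapi32 INTEGER hHash, STRING pbData, INTEGER dwDataLen, INTEGER dwFlags
DECLARE INTEGER CryptGetHashParam   IN advapi32 ;
   INTEGER hHash, INTEGER dwParam, STRING @pbData, INTEGER @pdwDataLen, INTEGER dwFlags
DECLARE INTEGER CryptDestroyHash    IN advapi32 INTEGER hHash

* Demo with a constructed password: the record is the only thing the app stores.
LOCAL lcRecord
lcRecord = MakePasswordRecord("correct horse battery staple")
? "stored record: ", lcRecord                                  && salt$iterations$hash, hex
? "right password:", VerifyPassword("correct horse battery staple", lcRecord)
? "wrong password:", VerifyPassword("Correct horse battery staple", lcRecord)

FUNCTION MakePasswordRecord(tcPassword)
   * Fresh CSPRNG salt per credential (never RAND()), then the stretched hash.
   LOCAL lnProv, lcSalt, lcHash
   lnProv = 0
   IF CryptAcquireContext(@lnProv, 0, 0, PROV_RSA_AES, CRYPT_VERIFYCONTEXT) = 0
      ERROR "CryptAcquireContext failed"
   ENDIF
   lcSalt = REPLICATE(CHR(0), SALT_BYTES)
   IF CryptGenRandom(lnProv, SALT_BYTES, @lcSalt) = 0
      ERROR "CryptGenRandom failed"
   ENDIF
   lcHash = StretchedHash(lnProv, lcSalt, tcPassword, ITERATIONS)
   CryptReleaseContext(lnProv, 0)
   RETURN STRCONV(lcSalt, 15) + "$" + TRANSFORM(ITERATIONS) + "$" + STRCONV(lcHash, 15)
ENDFUNC

FUNCTION VerifyPassword(tcPassword, tcRecord)
   * Recomputes with the stored salt and iteration count, then compares the hex digests.
   LOCAL ARRAY laParts[1]
   LOCAL lnProv, lcSalt, lnIterations, lcHash
   IF ALINES(laParts, tcRecord, 1, "$") <> 3
      RETURN .F.
   ENDIF
   lcSalt       = STRCONV(laParts[1], 16)
   lnIterations = VAL(laParts[2])
   lnProv = 0
   IF CryptAcquireContext(@lnProv, 0, 0, PROV_RSA_AES, CRYPT_VERIFYCONTEXT) = 0
      RETURN .F.
   ENDIF
   lcHash = STRCONV(StretchedHash(lnProv, lcSalt, tcPassword, lnIterations), 15)
   CryptReleaseContext(lnProv, 0)
   RETURN LOWER(lcHash) == LOWER(laParts[3])
ENDFUNC

FUNCTION StretchedHash(tnProv, tcSalt, tcPassword, tnIterations)
   * H1 = SHA256(salt + pw), Hi = SHA256(Hi-1 + salt + pw). Each guess costs the
   * attacker tnIterations hashes, and the salt defeats precomputed tables.
   LOCAL lcHash, lnI
   lcHash = ""
   FOR lnI = 1 TO tnIterations
      lcHash = Sha256(tnProv, lcHash + tcSalt + tcPassword)
   ENDFOR
   RETURN lcHash
ENDFUNC

FUNCTION Sha256(tnProv, tcData)
   * One SHA-256 digest (32 raw bytes) of tcData, which may contain CHR(0).
   LOCAL lnHash, lcDigest, lnLen
   lnHash = 0
   IF CryptCreateHash(tnProv, CALG_SHA_256, 0, 0, @lnHash) = 0
      ERROR "CryptCreateHash failed"
   ENDIF
   CryptHashData(lnHash, tcData, LEN(tcData), 0)
   lcDigest = REPLICATE(CHR(0), 32)
   lnLen = 32
   CryptGetHashParam(lnHash, HP_HASHVAL, @lcDigest, @lnLen, 0)
   CryptDestroyHash(lnHash)
   RETURN LEFT(lcDigest, lnLen)
ENDFUNC
```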
Secure Code and Testing – Authentication and Authorization
16.10. Apply secure design principles in application architectures
• Don’t allow unauthenticated users to open the database outside of your application
Secure Code and Testing – Database Security
PROCEDURE DBC_BeforeOpenTable(cTableName)  && VFP 8+ database event (the slide abbreviates it to BeforeOpen); enable with DBSETPROP(<dbc>, "Database", "DBCEvents", .T.)
   * Returning .F. cancels the open. LOCAL starts out .F. (deny by default), and TYPE()
   * takes a string, so it yields "U" instead of an error when the app never set _VFP.oUser.
   LOCAL lReturn
   IF TYPE("_VFP.oUser.CanOpenDatabase") = "L"
      lReturn = _VFP.oUser.CanOpenDatabase
   ENDIF
   RETURN lReturn
Secure Code and Testing – Cryptographic Practices
• e.g. _crypt.vcx for Cryptography
• Protect keys and salts from unauthorized access. What’s a good way to store secrets in Visual FoxPro?
• Never assume magic strings in source code are safe!
16.11. Leverage vetted modules or services for application security components
Secure Code and Testing – Web Apps
OWASP TOP 10
• XSS
• XSRF / CSRF
• SQL Injection
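An added example (mine, not from the slides) of two of these items in VFP terms, vulnerable pattern beside hardened one: a macro-expanded WHERE clause versus a bound variable (the SQLEXEC ?parameter form for pass-through), plus an HtmlEncode helper for output; the users cursor, the inputs and the helper names are constructed, and CSRF is not covered.

```foxpro
* Added example, not from the slides: SQL injection and XSS as they show up in VFP
* code. The users cursor, inputs and function names are constructed for this demo.
CREATE CURSOR users (username C(30), role C(10))
INSERT INTO users VALUES ("alice", "admin")
INSERT INTO users VALUES ("bob",   "user")

* The textbook injection input: a quote closes the literal, a tautology follows.
LOCAL lcInput
lcInput = "x' OR '1'='1"
? "rows matched, macro-built query:  ", CountMatchesVulnerable(lcInput)
? "rows matched, bound-variable query:", CountMatchesSafe(lcInput)
? HtmlEncode('<script>alert("x")</script>')

FUNCTION CountMatchesVulnerable(tcUser)
   * The WHERE clause is assembled as text and macro-expanded, so the input becomes
   * SQL. SQLEXEC() on a concatenated string has exactly the same weakness.
   LOCAL lcWhere
   lcWhere = "username = '" + tcUser + "'"
   SELECT COUNT(*) AS n FROM users WHERE &lcWhere INTO CURSOR crsHit
   RETURN crsHit.n
ENDFUNC

FUNCTION CountMatchesSafe(tcUser)
   * The variable is compared as a value and never parsed. Note ==: with SET ANSI OFF,
   * plain = lets "a" match "alice". For SQL pass-through the equivalent is
   * SQLEXEC(h, "SELECT ... WHERE username = ?tcUser", "crsHit").
   SELECT COUNT(*) AS n FROM users WHERE username == tcUser INTO CURSOR crsHit
   RETURN crsHit.n
ENDFUNC

FUNCTION HtmlEncode(tcText)
   * Encode the HTML metacharacters before echoing user data into a page, so stored
   * input cannot run as script. Ampersand first, so the entities below are not re-encoded.
   LOCAL lcOut
   lcOut = STRTRAN(tcText, "&", "&amp;")
   lcOut = STRTRAN(lcOut,  "<", "&lt;")
   lcOut = STRTRAN(lcOut,  ">", "&gt;")
   lcOut = STRTRAN(lcOut,  '"', "&quot;")
   lcOut = STRTRAN(lcOut,  "'", "&#39;")
   RETURN lcOut
ENDFUNC
```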
Secure Code and Testing – Source Control
• Source Control
  • Use It!
  • No Sensitive Information
  • Push Early and Often
• Use VFPX’s Project Explorer to automate much of the drudgery away
  • Automatically check in / check out
  • Automatically serialize
• Monitor 3rd party access to repositories
16.1. Establish and maintain a secure application development process
Secure Code and Testing – Testing
16.12. Implement code-level security checks
• Dynamic Analysis
  • FoxUnit
• Static Analysis
  • VFPX CodeAnalysis
• Human Testing
Deployment - SMB
Server Message Block
• v1.0 had a huge bug
• v2 & v3 are better
• Turn off Opportunistic Locking
Deployment - Code Signing
• Required as of Windows 11 22H2 if “Smart App Control” is enabled
• ~$70/yr for a certificate
• SIGNTOOL from the SDK
• See Doug’s “Deploying VFP Apps” whitepaper
Deployment - Encryption
• ReFox
• C++ Compiler for VFP
• See John Ryan’s session next Wednesday
Automate your Deployment
16.1. Establish and maintain a secure application development process
Summary
What You Learned Today
• Give you an idea of what my days are now like
• Overview of IT Frameworks and the CIS Controls
• How what I’ve learned applies to VFP devs
• Fox Rocks…
• …And so do you!
Pause for Questions
Thank You!
Eric Selje
Eric@SaltyDogLLC.com

"Mastering Graphic Design: Essential Tips and Tricks for Beginners and Profes...
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
July Patch Tuesday
July Patch TuesdayJuly Patch Tuesday
July Patch Tuesday
 

SELJE - VFP and IT Security.pptx

15. Remediate / Mitigate
Triage the vulnerabilities and decide:
• Remediate: Fix the Problem
♦ Patch / Remove
♦ Will it auto-update on its own?
• Mitigate: Put a Band-Aid on the Problem
♦ Cordon off the threat
♦ Put extra controls in place to watch the problem
• Accept/Recast: Decide you can live with the risk
♦ Might require “paperwork”

16. Automatically Patch
“Patch Management as a Service”
• WSUS
• Quest KACE
• PDQ

17. What’s on the Horizon?
• Read Email Briefs
♦ Mandiant, Bleeping Computer, Krebs on Security
• Websites
♦ HackURLs.com
• Podcasts / YouTube channels
♦ Hacking Humans, Security Now, CyberSecurity Headlines, and Darknet Diaries
• Watch Vendor Presentations
♦ New tools / software / threats
• Talk with my Colleagues

18. Plan, Prepare, Educate
• Policies!
♦ BYOD
♦ Appropriate Use
♦ Backup and Storage
♦ Configuration Management
♦ Incident Response
♦ Log Management
♦ Media Sanitization
♦ Password
• More Policies!
♦ Access Control
♦ Physical Security
♦ Remote Access
♦ Wireless Networks
♦ International Travel
♦ Contingency Planning and Disaster Recovery
♦ Network Management
♦ Security Patch Management

19. Security Awareness Training
 Test Phishing / Smishing / Vishing
 Learning Campaigns w/ Knowledge Checks
• Social Engineering
• Good Passwords
• MFA

20. My Toolbox
 Log Management (SIEM)
 Vulnerability Scanner
 Anti-Virus/Malware
 Patch Management
 Web-Based Threat Protection
 Security Awareness Training

23. Frameworks are Roadmaps
Some are for the BIG Picture
Some are for very specific purposes

24. BIG Risk Management Frameworks
NIST 800-53 “Security and Privacy Controls for Information Systems and Organizations”

26. Smaller Risk Management Framework
NIST Cybersecurity Framework

28. CIS Controls
CIS Control 1: Inventory and Control of Enterprise Assets
 Know everything about what’s on your network.
CIS Control 2: Inventory and Control of Software Assets
 Have software in place that scans your workstations for what software is running on them and keeps it up to date.
CIS Control 3: Data Protection
 Have controls in place so our data is not easily accessible to anyone snooping around, either when it’s at rest or in transit. You should also have a data retention plan in place so you know whether you should purge the data regularly or hold onto it in perpetuity.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
 These determine who gets to make changes to your network or install new software, and what procedures they have to go through in order to document the changes.

29. CIS Controls
CIS Control 5: Account Management
 Who gets an account on the system? What service accounts are running? Do they have to have passwords? How long?
CIS Control 6: Access Control Management
 This ties in with Control 5, Account Management, but deals with the rights users have. Do users need administrative rights? Do you require Multi-Factor Authentication? Can a user log in remotely, or do they have to be in a specific geographic location based on their IP address when they enter their credentials?

30. CIS Controls
CIS Control 7: Continuous Vulnerability Management
 Scan your devices for the known vulnerabilities and patch them automatically.
CIS Control 8: Audit Log Management
 Enable logging on all of your devices and on as much of your software as possible, and forward those logs to a centralized repository.
CIS Control 9: Email and Web Browser Protections
 Have spam filtering on your inbox, prevent EXE files from getting into your inbox, and have your anti-malware scan your downloads.
 Run your web traffic through a proxy server to block any attempts to navigate to known malicious sites.

31. CIS Controls
CIS Control 10: Malware Defenses
 Have it
 Centralize it
 Log it
CIS Control 11: Data Recovery
 Have a secure recovery plan in place and test it regularly.
CIS Control 12: Network Infrastructure Management
 Ensure your network devices are patched and secure, and nothing gets introduced without being vetted.

32. CIS Controls
CIS Control 13: Network Monitoring and Defense
 Set up those alerts, as mentioned in Control 8 (Log Management).
 Configure your firewalls to only allow in the traffic you want to get through (start with a Deny All posture and open up the necessary ports from there, after seeing what got blocked that you really want to allow).
 Create VLANs to segregate traffic, especially to workstations that handle sensitive data.
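The alerting that Controls 8 and 13 call for, shown as an added example that is not part of Eric Selje's talk: a small rule set of the kind a SIEM runs over forwarded logon audit logs. The sample log lines are constructed for this example, the key=value layout, the approved-admin list and the failure threshold are assumptions, and the event IDs are the standard Windows ones (4624 logon, 4625 failed logon, 4672 special privileges assigned).

```python
# Added example (not from the talk): three SIEM-style alert rules over
# forwarded logon events.  Log format, admin list and threshold are assumptions.
import re
from collections import Counter

# Constructed sample: one logon event per line, as a collector might forward them.
SAMPLE_LOGS = """\
2024-07-10T08:01:12Z host=WS01 event=4624 user=alice src=10.0.1.20 type=2 outcome=success
2024-07-10T08:02:40Z host=WS07 event=4625 user=bob src=10.0.1.33 type=3 outcome=failure
2024-07-10T08:02:41Z host=WS07 event=4625 user=bob src=10.0.1.33 type=3 outcome=failure
2024-07-10T08:02:42Z host=WS07 event=4625 user=bob src=10.0.1.33 type=3 outcome=failure
2024-07-10T08:02:43Z host=WS07 event=4625 user=bob src=10.0.1.33 type=3 outcome=failure
2024-07-10T08:02:44Z host=WS07 event=4625 user=bob src=10.0.1.33 type=3 outcome=failure
2024-07-10T08:02:45Z host=WS07 event=4624 user=bob src=10.0.1.33 type=3 outcome=success
2024-07-10T08:05:00Z host=FS01 event=4672 user=svc_backup src=10.0.1.5 type=5 outcome=success
2024-07-10T08:09:30Z host=FS01 event=4672 user=bob src=10.0.1.33 type=3 outcome=success
"""

FAILURE_THRESHOLD = 5                          # assumption: tune per environment
APPROVED_ADMINS = {"svc_backup", "itadmin"}    # assumption: accounts expected to get 4672

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    """Parse every well-formed line of a log blob; blank or odd lines are skipped."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def detect(records):
    """Return sorted (rule, user, where) tuples for the three rules below."""
    alerts = []
    failures = Counter()
    for r in records:
        if r.get("event") == "4625":
            failures[(r["user"], r["src"])] += 1
        elif r.get("event") == "4672" and r["user"] not in APPROVED_ADMINS:
            # Rule 1: privileged logon by an account that is not on the approved list.
            alerts.append(("unexpected-privileged-logon", r["user"], r["host"]))
    # Rule 2: repeated failed logons for one account from one source.
    bursts = {key for key, n in failures.items() if n >= FAILURE_THRESHOLD}
    for user, src in bursts:
        alerts.append(("failed-logon-burst", user, src))
    # Rule 3: a successful logon for the same (user, src) pair after such a burst.
    for r in records:
        if r.get("event") == "4624" and (r["user"], r["src"]) in bursts:
            alerts.append(("success-after-failed-burst", r["user"], r["src"]))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(*alert)
```

Rule 3 is the one worth having: five failures followed by a success from the same source is a very different story from five failures alone, and it is only visible once the logs from the workstation and the file server sit in one place.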
33. CIS Controls
CIS Control 14: Security Awareness and Skills Training
 This is probably the second most important thing you can do, and it is actually one of my favorite tasks.
• Video Campaigns
• Test Phishing / Vishing / Smishing
• Signed Policies

34. CIS Controls
CIS Control 15: Service Provider Management
 Keep track of who you’re working with and what data and services they have access to, and monitor them to ensure compliance with any security policies you have.
CIS Control 16: Application Software Security
 How to make sure our applications and data are as secure as possible.
• Establishing a secure development process
• Using 3rd party controls
• Code-level security checks

35. CIS Controls
CIS Control 17: Incident Response Management
 Know how to recognize an “incident” and what to do when it is discovered.
CIS Control 18: Penetration Testing
 This includes the dramatic “red-teaming” to ensure your network defenses are intact, but it also includes having someone test your applications for vulnerabilities by inputting edge cases, poking odd buttons, and trying to find ways to make them do things you didn’t intend.

38. Three Different Contexts
1. Development: Is VFP secure?
2. Deployed Apps: Are my apps secure?
3. Environment: Are the things I need to run my apps secure?

39. Is VFP9.exe itself secure?

40. VFP is probably ok. What else?
ActiveX Controls w/ Vulnerabilities
 ComCt232.ocx
 MsChrt20.ocx
 MsFlxGrd.ocx
 MsMask32.ocx
 MsWinSck.ocx
 Update those w/ Service Packs
 MSXML

42. What about VFPA and X#?
VFPA
 Same as VFP9
 Look at Externalities
 Firewall logs
X#
 Open Source
 Source Code Analyzers

43. Secure Application Development
 Keep a manifest of all 3rd party tools that you use
• Even Windows components
♦ Webview? Webview2?
• ActiveX Controls
• FLLs, Thor Tools, APIs
16.4. Establish and manage an inventory of third-party software components
16.5. Use up-to-date and trusted third-party software components

44. Secure Code and Testing – Error Handling and Logging
Centralized Place to Collect Errors / Logs
ErrorHandler Class (Doug Hennig?)
16.2. Establish and maintain a process to accept and address software vulnerabilities
16.3. Perform root cause analysis on security vulnerabilities

45. Secure Code and Testing – Input Validation
16.10. Apply secure design principles in application architectures
Never trust user input
Do it in the U/I AND in the database!

46. Secure Code and Testing – Authentication and Authorization
16.10. Apply secure design principles in application architectures
• If you can, outsource Identity and Access Management to a 3rd party
♦ Google Login
♦ Active Directory
♦ Okta
• Use Multi-Factor Authentication for Sensitive Data
• If you store credentials in your apps
♦ Salted Hashes Only!

47. Secure Code and Testing – Authentication and Authorization
16.10. Apply secure design principles in application architectures
• Don’t allow unauthenticated users to open the database outside of your application
48. Secure Code and Testing – Database Security
PROCEDURE BeforeOpen
   LOCAL lReturn
   lReturn = .F.
   * PEMSTATUS flag 5 = property exists on _VFP; TYPE() is safe even when it does not.
   * Open only when the application attached a user object that grants database access.
   IF PEMSTATUS(_VFP, "oUser", 5) AND TYPE("_VFP.oUser.CanOpenDatabase") = "L"
      lReturn = _VFP.oUser.CanOpenDatabase
   ENDIF
   RETURN lReturn
ENDPROC
49. Secure Code and Testing – Cryptographic Practices
• e.g. _crypt.vcx for Cryptography
• Protect keys and salts from unauthorized access. What’s a good way to store secrets in Visual FoxPro?
• Never assume magic strings in source code are safe!
16.11. Leverage vetted modules or services for application security components

50. Secure Code and Testing – Web Apps
OWASP Top 10
• XSS
• XSRF / CSRF
• SQL Injection
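The SQL Injection item above together with slide 45’s “do it in the U/I AND in the database”, as an added example that is not from the talk. It is written in Python with the built-in sqlite3 module so it runs anywhere; the customers table, its rows and the name rule are constructed for the example. The vulnerable query is kept beside the safe one so the difference is visible: string concatenation lets input become SQL, a bound parameter never does, and a CHECK constraint still rejects bad data when the UI check is bypassed.

```python
# Added example (not from the talk): SQL injection via concatenation, the
# parameterized fix, and validation both in the UI layer and in the database.
import re
import sqlite3


def make_db():
    """Constructed sample database: three customers, with database-side rules."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE customers ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL CHECK (length(name) BETWEEN 1 AND 40),"
        " region TEXT NOT NULL CHECK (region IN ('north', 'south')))"
    )
    con.executemany(
        "INSERT INTO customers (name, region) VALUES (?, ?)",
        [("Ann", "north"), ("Bob", "south"), ("Cy", "north")],
    )
    con.commit()
    return con


def find_by_name_vulnerable(con, name):
    """The anti-pattern: the user's text is pasted into the SQL statement."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


# UI-side rule (assumption): a name starts with a letter and may contain
# letters, spaces, apostrophes and hyphens, up to 40 characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")


def find_by_name_safe(con, name):
    """Validate first, then bind the value so the driver never treats it as SQL."""
    if not NAME_RE.match(name):
        raise ValueError("invalid name")
    rows = con.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]


def add_customer(con, name, region):
    """Database-side rules catch what the UI missed; returns False on rejection."""
    try:
        with con:   # commits on success, rolls back on error
            con.execute(
                "INSERT INTO customers (name, region) VALUES (?, ?)", (name, region)
            )
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_vulnerable(db, "' OR '1'='1"))   # every row leaks
    print(find_by_name_safe(db, "Ann"))                 # ['Ann']
    print(add_customer(db, "Dee", "west"))              # False: CHECK rejects it
```

Note that the vulnerable version also fails on a perfectly legitimate name containing an apostrophe, which is usually how these bugs are first noticed; the parameterized version handles O'Brien and the injection string the same way, as plain data.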
51. Secure Code and Testing – Source Control
• Source Control
♦ Use It!
♦ No Sensitive Information
♦ Push Early and Often
• Use VFPX’s Project Explorer to automate much of the drudgery away
♦ Automatically check in / check out
♦ Automatically serialize
• Monitor 3rd party access to repositories
16.1. Establish and maintain a secure application development process

52. Secure Code and Testing – Testing
16.12. Implement code-level security checks
• Dynamic Analysis
♦ FoxUnit
• Static Analysis
♦ VFPX CodeAnalysis
• Human Testing

53. Deployment – SMB
Server Message Block (SMB)
• v 1.0 had a huge bug
• v 2 & 3 are better
• Turn off Opportunistic Locking

54. Deployment – Code Signing
 Required as of Windows 11 22H2 if “Smart App Control” is enabled
 ~$70/yr for a certificate
 SIGNTOOL from the SDK
 See Doug’s “Deploying VFP Apps” whitepaper

55. Deployment – Encryption
 ReFox
 C++ Compiler for VFP
 See John Ryan’s session next Wednesday

56. Automate your Deployment
16.1. Establish and maintain a secure application development process

58. What You Learned Today
 Give you an idea of what my days are now like
 Overview of IT Frameworks and the CIS Controls
 How what I’ve learned applies to VFP devs
 Fox Rocks…
 …And so do you!

60. Thank You!
Eric Selje
Eric@SaltyDogLLC.com