1. The document contains obfuscated JavaScript code that is attempting to execute an alert pop-up window containing the number 0 by bypassing input validation defenses.
2. It uses various encoding and obfuscation techniques to construct and execute the JavaScript, making it difficult for security filters to detect.
3. The goal is to demonstrate how input can be crafted in complex ways to bypass defenses and execute arbitrary JavaScript code on a vulnerable site.
Elixir è un nuovo linguaggio di programmazione che offre la gioia e la produttività di Ruby fondendola con la solidità e le performance di Erlang. In questo talk introdurrò velocemente il linguaggio di programmazione per concentrarmi sugli aspetti che fanno di Elixir un eccellente linguaggio per la creazione di sistemi concorrenti e distribuiti. Non perdete l'occasione di esplorare un linguaggio di programmazione che sarà protagonista nei prossimi anni. Attenzione! Questo talk potrebbe seriamente danneggiare il rapporto fra voi e il vostro linguaggio di programmazione preferito :-)
Writing DSLs with Parslet - Wicked Good Ruby ConfJason Garber
A well-designed DSL improves programmer productivity and communication with domain experts. The Ruby community has produced a number of very popular external DSLs--Coffeescript, HAML, SASS, and Cucumber to name a few.
Parslet makes it easy to write these kinds of DSLs in pure Ruby. In this talk you’ll learn the basics, feel out the limitations of several approaches and find some common solutions. In no time, you’ll have the power to make a great new DSL, slurp in obscure file formats, modify or fork other people’s grammars (like Gherkin, TOML, or JSON), or even write your own programming language!
Elixir è un nuovo linguaggio di programmazione che offre la gioia e la produttività di Ruby fondendola con la solidità e le performance di Erlang. In questo talk introdurrò velocemente il linguaggio di programmazione per concentrarmi sugli aspetti che fanno di Elixir un eccellente linguaggio per la creazione di sistemi concorrenti e distribuiti. Non perdete l'occasione di esplorare un linguaggio di programmazione che sarà protagonista nei prossimi anni. Attenzione! Questo talk potrebbe seriamente danneggiare il rapporto fra voi e il vostro linguaggio di programmazione preferito :-)
Writing DSLs with Parslet - Wicked Good Ruby ConfJason Garber
A well-designed DSL improves programmer productivity and communication with domain experts. The Ruby community has produced a number of very popular external DSLs--Coffeescript, HAML, SASS, and Cucumber to name a few.
Parslet makes it easy to write these kinds of DSLs in pure Ruby. In this talk you’ll learn the basics, feel out the limitations of several approaches and find some common solutions. In no time, you’ll have the power to make a great new DSL, slurp in obscure file formats, modify or fork other people’s grammars (like Gherkin, TOML, or JSON), or even write your own programming language!
A C# coding challenge to solve a range of mazes with differing dimensions and styles. The total run time was considerably less than a target maximum run time.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
Building Real Time Systems on MongoDB Using the Oplog at StripeStripe
MongoDB's oplog is possibly its most underrated feature. The oplog is vital as the basis on which replication is built, but its value doesn't stop there. Unlike the MySQL binlog, which is poorly documented and not directly exposed to MySQL clients, the oplog is a well-documented, structured format for changes that is query-able through the same mechanisms as your data. This allows many types of powerful, application-driven streaming or transformation. At Stripe, we've used the MongoDB oplog to create PostgresSQL, HBase, and ElasticSearch mirrors of our data. We've built a simple real-time trigger mechanism for detecting new data. And we've even used it to recover data. In this talk, we'll show you how we use the MongoDB oplog, and how you can build powerful reactive streaming data applications on top of it.
If you'd like to see the presentation with presenter's notes, I've published my Google Docs presentation at https://docs.google.com/presentation/d/19NcoFI9BG7PwLoBV7zvidjs2VLgQWeVVcUd7Xc7NoV0/pub
Originally given at MongoDB World 2014 in New York
Groupes, Permutations, Anneaux, Arithmétique dans Z, Corps commutatif, Les polynômes formels à une indéterminée à coefficients dans un corps K, Fonctions polynomiales, racines, Espaces vectoriels, K-algèbres, Espaces vectoriels de type fini, Matrices, Déterminants, Fractions rationnelles, Produit scalaire sur un R-ev, Espace vectoriel euclidien, R-ev euclidien orienté de dimension 2, R-ev euclidien orienté de dimension 3, Espaces affines, Géométrie dans un espace affine euclidien
A C# coding challenge to solve a range of mazes with differing dimensions and styles. The total run time was considerably less than a target maximum run time.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure ? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend javascript code. We'll also look at how you can build code that detects and blocks intrusion attempts and a bunch of other tips and tricks to make sure your customer data stays secure.
Beyond PHP - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just writing PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
Building Real Time Systems on MongoDB Using the Oplog at StripeStripe
MongoDB's oplog is possibly its most underrated feature. The oplog is vital as the basis on which replication is built, but its value doesn't stop there. Unlike the MySQL binlog, which is poorly documented and not directly exposed to MySQL clients, the oplog is a well-documented, structured format for changes that is query-able through the same mechanisms as your data. This allows many types of powerful, application-driven streaming or transformation. At Stripe, we've used the MongoDB oplog to create PostgresSQL, HBase, and ElasticSearch mirrors of our data. We've built a simple real-time trigger mechanism for detecting new data. And we've even used it to recover data. In this talk, we'll show you how we use the MongoDB oplog, and how you can build powerful reactive streaming data applications on top of it.
If you'd like to see the presentation with presenter's notes, I've published my Google Docs presentation at https://docs.google.com/presentation/d/19NcoFI9BG7PwLoBV7zvidjs2VLgQWeVVcUd7Xc7NoV0/pub
Originally given at MongoDB World 2014 in New York
Groupes, Permutations, Anneaux, Arithmétique dans Z, Corps commutatif, Les polynômes formels à une indéterminée à coefficients dans un corps K, Fonctions polynomiales, racines, Espaces vectoriels, K-algèbres, Espaces vectoriels de type fini, Matrices, Déterminants, Fractions rationnelles, Produit scalaire sur un R-ev, Espace vectoriel euclidien, R-ev euclidien orienté de dimension 2, R-ev euclidien orienté de dimension 3, Espaces affines, Géométrie dans un espace affine euclidien
With over 3400 available built-in function, PHP offers a tremendously rich environment. Yet, some of these functions are still unknown to most programmers. During this session, Damien Seguy will highlight a number of functions that are rarely used in PHP, but are nonetheless useful and available within standard distributions.
El juicio iniciado en contra de los hermanos Wiliiam Isaias y Roberto Isaias es un juicio sin informes y sin conocimiento, sin fundamentos, en el cual los acusados por un delito no tipificado. A los hermanos Isaias también se les negó el derecho de apelación.
El juicio iniciado en contra de los hermanos Wiliiam Isaias y Roberto Isaias es un juicio sin informes y sin conocimiento, sin fundamentos, en el cual los acusados por un delito no tipificado. A los hermanos Isaias también se les negó el derecho de apelación.
Help, my browser is leaking! Exploring XSLeaks attacks and defenses - Tom Van...NoNameCon
https://cfp.nonamecon.org/nnc2020/talk/9LMJAH/
For many years, injection-based vulnerabilities such as XSS and SQL-injection have dominated the web security landscape. However, as browsers and applications are becoming increasingly complex, new vulnerability classes surface. One of these new-kids-on-the-block is XSLeaks, a vulnerability class that exploit side-channel leaks in the browser to extract information across origins. In this presentation, I will describe the various types of leaks in different browser features and the network layer, and discuss how these issues can be exploited to extract sensitive information from an unwitting victim. Furthermore, the talk will cover the numerous (new) defences that need to be adopted in order to safeguard web applications (SameSite cookies, COOP, COEP, ...), and their potential shortcomings. Finally, we will take a peak into the future, and discuss how XSLeaks will likely evolve in the coming months and years.
Originally published
https://speakerdeck.com/vixentael/data-encryption-cyberkids-edition
Exercises
https://www.dropbox.com/s/rbyvvaw9c7vs4ib/cyberkids-encryption-example.pdf?dl=0
NoName CyberKids – charity event for kids and their parents during NoNameCon to teach basics of privacy, security, encryption, anti-bullying, behaviour in social networks, lock picking.
https://nonamecon.org
https://www.facebook.com/events/2048121308814429/
Ihor Malchenyuk – What is privacy and how to protect it [NoName CyberKids]NoNameCon
NoName CyberKids – charity event for kids and their parents during NoNameCon to teach basics of privacy, security, encryption, anti-bullying, behaviour in social networks, lock picking.
https://nonamecon.org
https://www.facebook.com/events/2048121308814429/
Original slides
https://www.slideshare.net/OlgaPasko/hunting-fileless-malware-149129867
Workshop by Olha Pasko at NoNameCon 2019.
https://nonamecon.org
Fileless malware and system tools as bypass techniques in cyber-attack. Hunting with SysInternals tools and Digital Forensics techniques.
1. Fileless malware and system tools as bypass technique: an explanation of “bypass technique” and “fileless malware”. Creating custom fileless malware by abusing Powershell.
2. Threat hunting with Sysinternals tools: an explanation of system processes, threads, jobs, resources. Anomaly detection of system processes with Sysinternals tools. Fileless malware detection.
3. Threat hunting with Digital Forensics techniques: an explanation of “digital forensics”. Acquisition and analysis of RAM memory dump with Digital Forensics tools.
4. Summary or “what can participant obtain from this workshop”: knowledge about top bypass techniques, hard skills for detection and hunting malicious code, understand differences of hunting with SysInternals and Digital Forensics tools.
Nazar Tymoshyk - Automation in modern Incident Detection & Response (IDR) pro...NoNameCon
Talk by Nazar Tymoshyk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/GSRUTP/
Incident Detection & Response requires People - to Think, Tools - to provide data and analytics and Processes - to avoid fuckups and assure the quality. But with more alerts, the analysis takes more time, decisions and moreover - actions need to be taken immediately. Attackers actively use automation, so Defenders should also optimize their processes.
In our presentation, we'd like to share with the community our lessons learned. Our focus would be on practical moments, the challenges we faced and the simple working solutions we discovered.
We plan to challenge the audience with simple but vital questions that will help to establish a good communication bridge to make this delivery effective and valuable for engineers to improve their defense. We'd like to discuss also a variety of actions to be taken after the incident is confirmed. Come and take it.
Ruslan Kiyanchuk - Калина, Купина, та інша флора вітчизняної криптографіїNoNameCon
Talk by Ruslan Kiyanchuk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/NKB9UF/
Огляд українських криптографічних алгоритмів та стандартів
З метою замінити застарілий радянський стандарт шифрування ГОСТ 28147-89 успадкований багатьма країнами СНД, у 2006-му році Служба Безпеки України оголосила відкритий конкурс криптографічних алгоритмів.
Знадобилося 8 років розробки, бюрократії, Майдан та революція, щоб стандарт нарешті прийняли: і ось у 2015-му році світ побачили ДСТУ 7624:2014 та ДСТУ 7564:2014 — українські національні стандарти криптографічного захисту інформації, розроблені українськими криптографами. Стандартизованими алгоритмами стали блоковий шифр «Калина» та функція хешування «Купина».
У доповіді розглянемо умови та хід проведення конкурсу, криптоалгоритми, котрі брали участь у конкурсі, їхні властивості, переваги та недоліки, а також перспективи застосування у сучасних інформаційних системах.
Artem Storozhuk - Search over encrypted records: from academic dreams to prod...NoNameCon
Talk by Artem Storozhuk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/NUMHDY/
The search over encrypted data is the modern cryptographic engineering problem. We will talk about existing approaches (both well-known and modern), and concentrate on practical solution based on blind index technique to search data in databases. What’s inside: cryptographic and functional schemes, implementation details, practical security evaluation (risk modelling and potential attacks). We will show how theoretical models turn into real, usable, maintainable, security tools.
Lately most conscious companies store data in databases encrypted, but search over encrypted data is still a challenge. There are many existing academic solutions, proposed over the course of years, like CryptDB, Homomorphic/SSE, PEKS, Mylar. Unfortunately, most approaches are far from being production ready, usable and maintainable.
We will show the practical solution, that is based on a hardened version of blind indexing, a long-known technique that has several usability constraints and security caveats. There is an open source implementation CipherSweet, and cryptographically it’s pretty solid, but it stores keys on a client side, which may lead to potential problems during usage.
Our solution doesn't share this design approach, since the generation of index references and keys to them are stored in a separate node, away from all untrusted sides (client application, backend application, database). Also, our solution enforces several limitations on data, which is going to limit collision risks mentioned in the original technique.
We will explain in details how it works, show the functional and cryptographic schemes, and dig into implementation details. We will show to the attendees the process of building complex security tool from theoretical concepts (and mathematical models) to production-ready software.
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
Talk by Stephanie Vanroelen at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/ZFJFW8/
This talk is about top anti-virus apps on Mobile. An in depth look on how they work and what they do. Do they add to or break the security of the mobile OS?
This talk is about top anti-virus apps on Android. An in-depth look at how they work and what they do.
The focus will be on the top 5 android apps:
Kaspersky Mobile Antivirus
Avast Mobile Security
Norton Security & Antivirus
Sophos Mobile Security
Security Master
This talk will try to answer the following questions: Do they add to or break the security of the Android sandbox system? What type of information is being shared back to the company (if any)? Are these apps well built?
Finally, I will address the following: Do I recommend any of these apps and if so which one and why?
Oksana Safronova - Will you detect it or not? How to check if security team i...NoNameCon
Talk by Oksana Safronova at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/AXCDXU/
Before the real incident happens, security team must test their detection capabilities in different ways. An overview of MITRE ATT&CK Matrix, test environments and other friends of Blue Team.
Obstacles, unexpected discoveries, lack of information, a flood of logs, new technologies - you will meet them all if you want to build an effective defense team. The talk will expend the next topics based on the experience we have:
How to test the security team's detection and incident response processes
Best practices for endpoint monitoring tools configuration
Some problems, that defense team can encounter
Additional resources that can help you detect threats
Bert Heitink - 10 major steps for CybersecurityNoNameCon
Talk by Bert Heitink at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/DXN7DM/
There's no such thing as 100% security, but this talk will demonstrate 10 main topics what needs attention to reduce the risk of being hacked.
Our current digital era creates a lot of possibilities, also for Ukraine! But how to deal with the threats on business and national level? 10 pragmatic steps you cannot ignore and are indisputable. Some are easy to implement, even tomorrow.
Ievgen Kulyk - Advanced reverse engineering techniques in unpackingNoNameCon
Talk by Ievgen Kulyk at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/HMVMNL/
There are a lot of packers/protectors used to hide the functionality of the software. Sometimes this software is legal, sometimes malicious. It is vital to be able to unpack such software for future investigation. But the main issue is that many commercial protections use different algorithms to make automation of unpacking difficult. We will discuss more advanced techniques that are powerful and can be used to break strong protection. We will talk about debugging without debugging API. Year, it's strange but it's real life.
During the debugging, we often talk about debugging API on windows or ptrace routine on Linux. These mechanisms are provided by OS developers. So it is strongly recommended to use them for user-mode debugging (debugging in ring3). But software protection systems can use a lot of techniques for detecting and preventing debugging.
In practical reverse engineering anti-anti debugging plugins can be used. The most famous of them: - Phantom and StrongOD (for OllyDbg); - ScyllaHide (for x64dbg, IDA Pro)
But such plugins can only protect from well-known detection algorithms. If some unknown technique will be used they will fail. So we will talk about how to implement your own tracing/debugging engine without debugging API and hide such an engine from anti-debug. We will dive into kernel development and implement our engine from scratch.
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...NoNameCon
Talk byStanislav Kolenkin & Igor Khoroshchenko at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/3EXNKX/
We will try to describe the most interesting security problems with Kubernetes environments from a DevOps and Security side.
We'll discuss the actual cloud security threats and trends for 2019.
Look behind the curtain of modern data breaches, weak identity and access management and incident response flaws.
The rise of Serverless and Kubernetes as Enterprise solutions and lack of related security expertise during SDLC.
Summarize the analytics and practical researches on adversaries techniques and tactics, a mass scan of cloud services and the uncertainty of business impacts behind them.
Provide materials for further education.
Pavlo Zhavoronkov - What is autumn like in prison camps?NoNameCon
Talk by Pavlo Zhavoronkov at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/BARKBD/
This speech will give you a complete understanding of how to get in jail by doing cybercrimes in Ukraine.
What is autumn like in prison camps?
This speech will give you a complete understanding of how to get in jail by doing cybercrimes in Ukraine.
Speech contents:
The complete overview of Ukrainian court practice on articles in the section "CRIME IN THE FIELD OF USE OF ELECTRONIC COMPUTING MACHINES (COMPUTERS), SYSTEMS AND COMPUTER NETWORKS AND DIGITAL COMMUNICATIONS NETWORKS" of the Criminal Code of Ukraine.
Stories about the most famous Ukrainian cybercriminals.
Thoughts on current state of Ukrainian judicial system.
Alexander Olenyev & Andrey Voloshin - Car Hacking: Yes, You can do that!NoNameCon
Talk by Alexander Olenyev & Andrey Voloshin at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/AARZTL/
The complete list of (I hope) all {not only} publicly disclosed vulnerabilities in car hacking. Contains a detailed description of Who When How has been hacked, toolz and technics. Encourage every other-field pentester to use their skills in car hacking giving fundamental knowledge of where to start and what to expect. Tesla, BMW, Toyota, Nissan — few words about all of them
Kostiantyn Korsun - State Cybersecurity vs. Cybersecurity of the State. #FRD ...NoNameCon
Talk by Kostiantyn Korsun at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/DA3TLK/
Про роль кібер-волонтерів та кібер-чиновників у сучасній кібер-війні
Кібервійна проти України триває вже п'ять років. За цей час регулярні війська України стали однією з найбільш боєздатних армій Європи та Світу. Але чи став таким ж крутими кіберзахист України?
У виступі серед інших обговорюватимуться наступні питання: Роль кібер-волонтерів та кібер-чиновників у сучасній кібер-війні; Наскільки ефективний кіберзахист державним коштом та скільки це коштує платнику податків; Оціночна ефективність роботи кібер-чиновників та кібер-міністерства; Яким шляхом краще йти кібер-Україні: довгим чи коротким, дешевим чи дорогим, закритим чи прозорим?
Презентація майже повністю складається зі скріншотів #FRD та демонструє ретроспективу ролі волонтерської ініціативи #FRD та зміну ставлення до неї з часом.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
6. White List Black List
Web Application
Firewall
Validation
Складно імплементувати
Складно підтримувати
Легко імплементувати
Впливає на навантаження
Весело обходити
Вразливість залишається на
сервері
BlackHat територія
Не відноститься до безпеки
напряму
Ускладнює пошук
вразливостей
Baaax61x61x61dNot bad remediation
Does not apply to security Vulnerability still exist
7. 01.
02.
03. 04.
Defense Reaction
03. Erase
End session for malicious user.
04. Logout
HTML encode input/output string.
01. Encode
Delete bad symbols, words.
02. Delete
Delete whole string, parameter is empty.
12. Xss Space
NULL <scri%00pt>alert ()</scri%00pt>
TAB <svg+src=“jav%09ascript:alert(1)">
Newline <script>//>%0Aalert(1);</script>
Carriage Return <script>//>%0Dalert(1);</script>
Spaces < s c r i p t > p r o m p t ( 1 ) < / s c r i p t
24. Sql Injection
Space%09 – Horizontal Tab
%0A – New Line
%0D – Carriage Return
%0B – Vertical Tab
%0C – New Page
%A0 - Non-breaking Space
/**/ - comment
/*!*/ - comment
'%0A%09UNION%0CSELECT%A0NULL%20%23
25. Sql Injection
Space Mssql%01 Start of Heading
%02 Start of Text
%03 End of Text
%04 End of Transmission
%05 Enquiry
%06 Acknowledge
%07 Bell
%08 Backspace
%09 Horizontal Tab
%0A New Line
%0B Vertical Tab
%0C New Page
%0D Carriage Return
%0E Shift Out
%0F Shift In
%10 Data Link Escape
%11 Device Control 1
%12 Device Control 2
%13 Device Control 3
%14 Device Control 4
%15 Negative Acknowledge
%16 Synchronous Idle
%17 End of Transmission Block
%18 Cancel
%19 End of Medium
%1A Substitute
%1B Escape
%1C File Separator
%1D Group Separator
%1E Record Separator
%1F Unit Separator
%20 Space
%25 %
S%E%L%E%C%T%01column%02FROM%03table;