This document discusses how cloud service provider marketplaces can help with white hat and black hat vulnerability research. It provides examples of analyzing images from AWS Marketplace, Azure Marketplace, and Google Cloud Marketplace. The key findings are that AWS Marketplace most strongly protects seller intellectual property, while Azure and GCP Marketplaces have advantages for security researchers by allowing low-cost access and analysis of listed products with few restrictions. The document cautions that legal risks must be considered before conducting any security research activities.
This document benchmarks several Infrastructure as a Service (IaaS) cloud providers (Google Compute Engine, Microsoft Azure, CenturyLink, Amazon Web Services) using Cassandra storage and the YCSB benchmarking tool. It describes how to set up Cassandra clusters on 3 nodes for each provider and deploy the YCSB tool on a test node to benchmark the Cassandra installations. The results of loading and running the YCSB workload on each Cassandra cluster are analyzed and graphed to compare the performance of the different cloud providers.
This document outlines the agenda for a meetup on cloud computing hosted by StartupDecode. The meetup includes sessions on what cloud computing is, cloud computing on AWS, hands-on tutorials for Heroku and AWS, and a networking apéro. The hands-on portions will guide attendees on deploying a sample Rails app to Heroku with AWS S3 integration for file storage.
AWS Study Group - Chapter 03 - Elasticity and Scalability Concepts [Solution ... (QCloudMentor)
Ch3 Elasticity and Scalability Concepts
Technical requirements
Sources of failure
Dividing and conquering
Virtualization technologies
LAMP installation
Scaling the webserver
Resiliency
EC2 persistence model
Disaster recovery
Cascading deletion
Bootstrapping
Scaling the compute layer
Scaling a database server
Summary
Further reading
Things I've learned working with Docker Support (Sujay Pillai)
This document provides instructions for backing up and restoring a Docker Enterprise installation including Docker Swarm, UCP, and DTR. It outlines the components included in each backup, prerequisites, and procedures for backing up each component while services are running. Containers are proposed for automating regular backups of UCP to a mounted volume. Exclusions from backups are also noted such as application data and image files stored externally.
Terraform is used to manage infrastructure as code. InSpec is a powerful framework for validating that infrastructure. In combination they allow for fast, safe infrastructure automation.
The document summarizes a presentation on integrating Oracle Real Application Clusters (RAC) with Oracle GoldenGate 12c. The presentation covers:
- Configuring an ASM Cluster File System (ACFS) for the shared storage needed by GoldenGate in a RAC environment.
- Installing Oracle GoldenGate 12c and configuring it to use the ACFS.
- Creating an application VIP and registering GoldenGate with the Oracle Grid Infrastructure bundled agent to enable automated startup and failover of GoldenGate processes on RAC nodes.
- Demonstrations of stopping GoldenGate on one node and verifying failover to the other node.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced Docker experience is recommended; participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
The document discusses running memcached clusters on Amazon EC2. It covers key concepts like caching, clusters, and infrastructure as a service (AWS). It then provides step-by-step instructions for setting up a memcached cluster on EC2, including creating security groups, launching EC2 instances from AMIs, and configuring the memcached servers and clients. The summary concludes that setting up and running memcached clusters on infrastructure as a service environments like EC2 is straightforward.
DevOps (Continuous Integration, Continuous Delivery & Continuous Deployment using Jenkins and Visual Studio Team Services, setting up VSTS build agents, integrating VSTS with SonarQube and NDepend), complete automation of pushing code into VSTS from Visual Studio, building code with a Jenkins server hosted on Azure and pushing the successful build to an Azure Web App via a release pipeline or directly from Jenkins, VSTS default agents, setting up a local agent from scratch, setting up agents for code build, VSTS, Visual Studio Online agents, agent pools, hosted agents, Hosted VS2017, hosted Linux agents, setting up an agent on VS Dev Test Labs, setting up template parameters for a continuous pipeline, dynamic build agent creation, random machine names, random passwords, dynamic agent creation in VS Dev Test Labs, SonarQube, code quality, code analysis, MSBuild, integrating VSTS builds with NDepend, package managers, monolithic architecture, NuGet, package management, npmjs.com, semantic versioning, creating a NuGet package, nuspec files, the GitVersion plugin, feed URLs, Chocolatey for package management, Chocolatey, Chocolatey workflow.
1. The document demonstrates how to use various AWS services like Kinesis, Redshift, Elasticsearch to analyze streaming game log data.
2. It shows setting up an EC2 instance to generate logs, creating a Kinesis stream to ingest the logs, and building Redshift tables to run queries on the logs.
3. The document also explores loading the logs from Kinesis into Elasticsearch for search and linking Kinesis and Redshift with Kinesis Analytics for real-time SQL queries on streams.
Assembling an Open Source Toolchain to Manage Public, Private and Hybrid Clou... (POSSCON)
This document discusses assembling an open source tool chain for hybrid cloud environments using tools like Packer, Vagrant, Ansible, and BoxCutter. It provides examples of using Packer to build machine images for multiple platforms from a single blueprint and using Vagrant and Ansible to provision virtual machines across different cloud providers in a standardized way. Overall, the document promotes the use of these open source automation tools to help manage infrastructure across hybrid cloud environments.
Automating Container Deployments on Virtualization with Ansible: OpenShift on... (Laurent Domb)
Virtual machines and containers are not necessarily in competition - in fact, in many situations they are complementary. And the deployment of containers and their underlying VMs can be completely automated with Ansible - providing an on demand environment for production and development. Find out how in this session with Laurent Domb of Red Hat. He will provide slides and a demonstration.
CloudStack - Top 5 Technical Issues and Troubleshooting (ShapeBlue)
CloudStack top 5 technical issues and troubleshooting. CloudStack is a mature product in use by companies worldwide. Having been associated with CloudStack development for over 5 years, Abhi has come across some technical issues that once in a while affect a CloudStack deployment. This presentation is an effort to put together the top 5 such issues, analyze their symptoms, see them from the perspective of the CloudStack architecture and the distributed nature of cloud orchestration, then look at ways to avoid them and finally be able to troubleshoot them if they occur.
This HowTo is about managing public and hybrid cloud deployments with openQRM. As the deployment manager for Amazon EC2 and its API-compatible derivatives (e.g. Eucalyptus), openQRM is capable of fully automating instance provisioning and adds value by attaching automated application deployment via Puppet, automated monitoring via Nagios, and high availability at the infrastructure level to the provider's cloud features. The whole workflow of instance deployment in openQRM is exactly the same as for local resources in the internal IT environment.
About docker cluster management tools
1. Base concepts of cluster management and docker
2. Docker Swarm
3. Amazon EC2 Container Service
4. Kubernetes
5. Mesosphere
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre... (Amazon Web Services)
Some of the best businesses today are deploying their code dozens of times a day. How? By making heavy use of automation, smart tools, and repeatable patterns to get process out of the way and keep the workflow moving. Come to this session to learn how you can do this too, using services such as AWS OpsWorks, AWS CloudFormation, Amazon Simple Workflow Service, and other tools. We'll discuss a number of different deployment patterns, and what aspects you need to focus on when working toward deployment automation yourself.
Introduction To Managing VMware With PowerShell (Hal Rottenberg)
This document introduces the VMware Infrastructure PowerShell Toolkit which provides over 120 cmdlets for automating and managing VMware Infrastructure including VirtualCenter and ESX Server. It summarizes the key capabilities and features of the toolkit such as accessing the VI SDK through cmdlets, two PowerShell providers for filesystem and inventory navigation, and examples of common administrative tasks that can be automated using the cmdlets.
- Puppet is a tool that allows you to define infrastructure as code and manage your infrastructure in a consistent, versioned way like software. It uses resources and relationships between them to define what state should exist.
- Modules contain Puppet code, files, and templates to manage specific components like Apache or MySQL. They can be found on the Puppet Forge or GitHub.
- Puppet uses a dependency graph of resources to determine the order of operations needed to ensure resources are in the desired state. It is highly customizable through Ruby plugins.
- The autoami module contains tools to automatically generate new AMIs when Puppet runs detect configuration changes, ensuring infrastructure is always up to date. It uses custom Puppet faces
This document discusses assembling an open source tool chain for a hybrid cloud environment. It describes using Packer to build machine images for multiple platforms like AWS, VMware, and VirtualBox from a single blueprint. It also discusses using Vagrant and Ansible for automation, configuration management, and provisioning virtual machines across different cloud providers in a standardized way.
This document provides an introduction to Google Cloud Platform services including Google Cloud Storage, Cloud SQL, BigQuery, and Compute Engine. It includes steps to get started with each service through tutorials and labs. The document demonstrates how to create buckets and load data to Cloud Storage, set up databases in Cloud SQL, load CSV data to BigQuery, and create virtual machines on Compute Engine along with networking configurations. Quick start links are also provided for each service.
Krux operates a large infrastructure serving thousands of user requests per second. They use Puppet and tools like Cloudkick, Foreman, Boto, and Vagrant to manage their infrastructure in an automated and scalable way. Their Puppet configuration is split into modules, environments, and datacenters. They launch AWS nodes programmatically and configure them with Puppet. Cloudkick is used for monitoring and parallel SSH. Boto allows full Python API access to AWS. Vagrant allows consistently provisioning development machines locally. Automation and external configuration enable their small operations team to manage a large, dynamic infrastructure.
Hands-on Lab to compare and contrast relational queries (using RDS for MySQL) with non-relational queries (using ElastiCache for Redis). You’ll need a laptop with a Firefox or Chrome browser.
Embedded Ansible allows users to run Ansible playbooks from within CloudForms. It installs and configures a headless Ansible Tower on the CloudForms appliance. To activate it, the "Embedded Ansible" role must be enabled. This triggers the Ansible Tower setup, which may take several minutes. Playbooks can then be run from services, buttons, control policies, or automate states. Logs are found under /var/log/tower. Potential issues can be troubleshot by restarting services or reconfiguring credentials and secrets.
This document provides instructions for a hands-on lab to set up ElastiCache for Redis, Amazon RDS for MySQL, and load Landsat satellite image data into both systems. Key steps include: creating EC2 and database instances; installing MySQL and Redis clients; loading data into the MySQL database; running a Python script to populate Redis from MySQL; and performing sample queries against each database to compare performance.
How Zalando runs Kubernetes clusters at scale on AWS - AWS re:Invent (Henning Jacobs)
Many clusters, many problems? Having many clusters has benefits: reduced blast radius, less vertical scaling of cluster components, and a natural trust boundary. In this session, Zalando shows its approach for running 140+ clusters on AWS, how it does continuous delivery for its cluster infrastructure, and how it created open-source tooling to manage cost efficiency and improve developer experience. The company openly shares its failures and the learnings collected during three years of Kubernetes in production.
AWS re:Invent session OPN211 on 2019-12-05
by Gowri Balasubramanian, Sr. Solutions Architect & Steven David, Enterprise Solution Architect, AWS
Hands-on Lab to set up and use Amazon RDS and Amazon Aurora.
SaaSpocalypse - The Complexity and Power of AWS Cross Account Access (Alexandre Sieira)
Slide deck for talk presented at DEF CON 28 "Safe Mode" Cloud Village.
AWS is a very complex and ever-changing platform, which presents a challenge to defenders and an opportunity for attackers. Among some of the most complex and powerful features of AWS is its IAM functionality, which allows for very granular control but is famously complex to learn and set up.
One of the features of access control in AWS is that AWS accounts are a self-contained unit of processing, storage and access control. Given how AWS itself recommends segregation across accounts as a best practice, and the fact that many SaaS vendors request access to their customers' accounts in order to perform their services, this presents a challenge.
In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts.
SaaS vendors like "single pane of glass" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.
This document discusses an introduction to container security, covering topics such as Dockerfiles, images, environment variables, choosing secure base images, vulnerability scanning solutions, orchestrators such as Kubernetes and their insecure default configurations, and options for improving the security of containerized environments.
An Introduction to Threat Intelligence and Threat Hunting for Companies Without a Budg... (Alexandre Sieira)
Presentation from the Vanguarda track of Mind The Sec 2017 on how threat intelligence and threat hunting can help with security monitoring and incident response in organizations.
Sharing is Caring: Measuring the Effectiveness of Communities for Sharing T... (Alexandre Sieira)
Threat intelligence sharing is climbing the priority list of most large organizations. Many security teams are being asked to consume this information without necessarily having processes in place to use it. Join us in this presentation for an exploration, based on quantitative data, of threat intelligence sharing practices and communities. Our goal is to demonstrate what must be done so that threat intelligence sharing can scale beyond the technical and trust barriers that currently act as strong limiting factors.
This is another presentation in the Data-Driven Threat Intelligence series. At last year's Mind The Sec, we presented tools and methodologies that allowed quantitative analysis of individual threat intelligence sources, in particular open and paid feeds, along with a critical analysis of the results based on a large set of indicators we collected. This year, the goal is to extend these tools and methodologies to measure and analyze the effectiveness, benefits and barriers associated with the use of threat intelligence sharing communities, which are proliferating worldwide across several market verticals.
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Alexandre Sieira
The human mind evolved to draw quick conclusions for survival. Behavioral economists, like Daniel Kahneman and Dan Ariely, are publishing research on when, why and how decision making can be consistently and predictably irrational. You could say these researchers are reverse engineering the wetware, finding bugs and race conditions and disclosing them. People are key to an organization's information security, even if you believe in the "people, processes and technology" tripod. People define and execute processes. People decide funding for, implement, operate and/or monitor the technology. Your adversaries are people. At least until we reach the AI singularity, that is. Until then, the aim of this talk is to present some of the counter-intuitive findings of behavioral economics research and their implications for how information security is handled at the organizational and market levels. Our hope is that the audience will find they could benefit from changing established, seemingly sensible and logical actions we all do to better match how the wetware actually works.
Presented at BSides SF on Feb. 28th, 2016.
Data-Driven Threat Intelligence: Dissemination and Sharin... MetricsAlexandre Sieira
Session presented at Mind The Sec on August 26th, 2015.
This session will be a light-hearted technical exploration of open and commercial threat intelligence feeds, which the security market has been treating as the new panacea for its monitoring and incident response challenges. Even though not the whole threat intelligence market can be reduced to indicator feeds, they have attracted enough market attention to deserve a scientific, fact-based analysis so that decision makers can maximize the results obtained from the available data.
Over the last 18 months, Niddel has been collecting threat intelligence indicators from multiple sources, aiming to understand the ecosystem and develop efficiency and quality metrics to evaluate the different feeds. We will present factual, data-driven analyses of statistical bias, overlap, representativeness, indicator age and uniqueness across different feeds. All data used will be published, and the code to generate the charts is available in open source projects called Combine and TIQ-Test. These are the same techniques and analyses behind Niddel's contribution to the 2015 Verizon Data Breach Incident Report (DBIR), one of the most respected information security reports in the world.
This presentation will also show aggregate usage data from threat intelligence sharing communities, in order to identify real usage patterns and the concerns and benefits that managers can expect from this kind of initiative.
Slide deck (in Brazilian Portuguese) presented at the II Fórum RNP (forum.rnp.br) on August 29th, 2013 in Brasília. It is an explanation of what BYOD is and what its benefits are, and also a discussion of the information security risks and the controls available.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring & observability to the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
What do a Lego brick and the XZ backdoor have in common?Speck&Tech
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more than that in common.
Join the presentation to dive into a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate for free software and for open, standard formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (which is where her nickname deneb_alpha comes from).
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
2. sts:GetCallerIdentity
arn:aws:iam:sa-east-1:*:user/GlayssonTomaz
Cloud Security Researcher @ Tenchi Security
arn:aws:iam:sa-east-1:*:user/AlexandreSieira
Co-Founder and CTO @ Tenchi Security
> 25+ years in cybersecurity - old_man_yells_at_cloud.gif
> Co-founder & CTO @ Cipher (acquired by Prosegur)
> Co-founder & CTO @ Niddel (acquired by Verizon)
> Global Head of Detection & Response products @ Verizon
> AWS Certified Security - Specialty
> 12+ years of experience in Cybersecurity
> Security researcher in AppSec, IoT, Cloud
arn:aws:iam:sa-east-1:*:user/MarceloLima
Cloud Security Consultant @ Tenchi Security
> 25+ years of experience in Infrastructure and security
> Cloud Infrastructure Manager @ Claro
> GCP Professional Cloud Security Engineer
asieira@tenchisecurity.com
@AlexandreSieira
gtomaz@tenchisecurity.com
https://github.com/s4dhulabs
mlima@tenchisecurity.com
3. Why should you care?
https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html
Black hats are looking for a way in:
● Access brokers want to exploit Internet-facing products;
● Malware developers want to bypass your detection and prevention security products;
● Perimeter security appliances are a double whammy!
White hats want the fun and the profit:
● Evaluate product security;
● Profit from bug bounties;
● Create logos and name vulnerabilities.
4. Why should you care?
A few notable examples:
Data collected August 3rd, 2022
5. AWS Marketplace
Product codes (a.k.a. offer IDs) != product IDs.
They seem designed to ensure software isn't executed on instances not created by AWS Marketplace (https://docs.aws.amazon.com/marketplace/latest/userguide/best-practices-for-building-your-amis.html#verifying-ami-runtime).
Shown to buyers in at least four places:
● the marketplace wizard;
● notification e-mail;
● instance identity document of EC2 instances;
● ec2:DescribeInstances.
Console calls undocumented APIs at discovery.marketplace.us-east-1.amazonaws.com and "offerId" is used to return the product code.
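The "instance identity document" place listed above is the one a seller can use from inside the product itself: the document EC2 serves through the instance metadata service carries a marketplaceProductCodes field, and the AWS best-practices page linked on this slide describes checking it at runtime. The following is an added example, not code from the slides or from AWS: it parses a constructed identity document (the product code used is the one that appears later in this deck, the account and instance IDs are placeholders) and answers whether the expected product code is present, normalising the null value the field takes when an instance has no Marketplace product code.

```python
"""Runtime check of an EC2 instance identity document for a Marketplace
product code. Added example: the documents below are constructed samples
whose shape follows the real document served by the instance metadata
service at /latest/dynamic/instance-identity/document."""
import json

# Constructed sample of an identity document for an instance launched from
# a Marketplace AMI. The product code is the one shown in this deck.
SAMPLE_MARKETPLACE_DOC = json.dumps({
    "accountId": "123456789012",            # placeholder
    "architecture": "x86_64",
    "availabilityZone": "us-east-1a",
    "billingProducts": None,
    "devpayProductCodes": None,
    "marketplaceProductCodes": ["6njl1pau431dv1qxipg63mvah"],
    "imageId": "ami-0ceb5feceacf87c44",
    "instanceId": "i-0123456789abcdef0",    # placeholder
    "instanceType": "t3.micro",
    "privateIp": "10.0.0.10",
    "region": "us-east-1",
})

# Constructed sample for an instance with no Marketplace product code:
# EC2 emits null here, not an empty list.
SAMPLE_PLAIN_DOC = json.dumps({
    "accountId": "123456789012",            # placeholder
    "marketplaceProductCodes": None,
    "imageId": "ami-0123456789abcdef0",     # placeholder
    "instanceId": "i-0123456789abcdef0",    # placeholder
    "region": "us-east-1",
})


def product_codes_from_document(doc_json: str) -> list[str]:
    """Return the Marketplace product codes listed in an identity document,
    with the null case normalised to an empty list."""
    doc = json.loads(doc_json)
    codes = doc.get("marketplaceProductCodes")
    if codes is None:
        return []
    if not isinstance(codes, list):
        raise ValueError("marketplaceProductCodes must be a list or null")
    return [str(code) for code in codes]


def verify_product_code(doc_json: str, expected_code: str) -> bool:
    """True when the instance carries the expected product code.

    A seller's software can refuse to start (or switch to a degraded mode)
    when this returns False; that is the runtime check the AWS best-practices
    page linked on the slide describes."""
    return expected_code in product_codes_from_document(doc_json)


if __name__ == "__main__":
    expected = "6njl1pau431dv1qxipg63mvah"
    print("marketplace doc:", verify_product_code(SAMPLE_MARKETPLACE_DOC, expected))
    print("plain doc:      ", verify_product_code(SAMPLE_PLAIN_DOC, expected))
```

In a real deployment the document should be fetched together with its PKCS7 signature from the metadata service and the signature verified against the AWS public certificate before the product codes are trusted; the parsing above is the part that stays the same.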
6. AWS Marketplace
Product code has potential uses for defenders (asset management) and attackers (recon).
If you visit https://aws.amazon.com/marketplace/pp/ref=bill_eml_2?sku=<product code> you can manually
discover the seller and product of a product code.
List all instances with a Marketplace product code:
aws ec2 describe-instances --filters Name=product-code.type,Values=marketplace
List all instances with a specified Marketplace product code:
aws ec2 describe-instances --filters Name=product-code,Values=<product code>
List all public AMIs associated with a specified Marketplace product code:
aws ec2 describe-images --filters Name=product-code,Values=<product code>
7. AWS Marketplace
Trying to run an instance with a Marketplace AMI without a subscription:
$ aws --region us-east-1 ec2 run-instances --image-id ami-0ceb5feceacf87c44 --subnet-id subnet-<redacted>
An error occurred (OptInRequired) when calling the RunInstances operation: In order to use this AWS Marketplace product you need to accept terms and subscribe. To do so please visit https://aws.amazon.com/marketplace/pp?sku=f2ew2wrz425a1jagnifd02u5t
After launching an instance through the Marketplace and subscribing:
$ aws ec2 describe-instances --instance-id i-<redacted> | jq '.Reservations[].Instances[] | .ProductCodes'
[
  {
    "ProductCodeId": "6njl1pau431dv1qxipg63mvah",
    "ProductCodeType": "marketplace"
  }
]
8. AWS Marketplace
Boot volume seems normal under "aws ec2 describe-volumes", no product codes. Let's try to mount it as a secondary disk on a new analysis instance to rummage through it:
1. Detach from Marketplace instance: ✅
2. Create new Linux instance and stop it: ✅
3. Attach volume as secondary disk on the analysis instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id i-<redacted> --volume-id vol-<redacted>
An error occurred (OperationNotPermitted) when calling the AttachVolume operation: One or more of [6njl1pau431dv1qxipg63mvah] are not allowed as secondary volume xvdb
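Slide 6 notes that product codes are useful to defenders for asset management, and this slide shows the operational side effect: the boot volume of a Marketplace instance cannot be attached as a secondary disk, which breaks backup and forensic-imaging jobs that rely on that. The following is an added example, not code from the slides: it consumes the JSON that "aws ec2 describe-instances" prints (the ProductCodes shape is the one shown on slide 7, BlockDeviceMappings and RootDeviceName are standard fields of the same output), groups instances by Marketplace product code, records each instance's boot volume so a backup job can skip attach attempts that will fail, and builds the product-page URL from slide 6. The reservation data is constructed; the two product codes are the ones that appear in this deck.

```python
"""Inventory of AWS Marketplace product codes from describe-instances output.
Added example: the describe-instances JSON below is a constructed sample
(instance and volume IDs are placeholders; product codes are from the deck)."""
import json
from collections import defaultdict

# URL pattern from slide 6 for resolving a product code to seller/product.
PRODUCT_PAGE = "https://aws.amazon.com/marketplace/pp/ref=bill_eml_2?sku={code}"

# Constructed describe-instances output: two instances sharing one product
# code (one with an extra data volume), one plain instance, and one instance
# with a different product code.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [
    {"Instances": [
        {"InstanceId": "i-0aaa000000000001", "RootDeviceName": "/dev/xvda",
         "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                           "ProductCodeType": "marketplace"}],
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa000000000001"}},
             {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0aaa000000000002"}}]},
        {"InstanceId": "i-0aaa000000000002", "RootDeviceName": "/dev/xvda",
         "ProductCodes": [],
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa000000000003"}}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0aaa000000000003", "RootDeviceName": "/dev/sda1",
         "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                           "ProductCodeType": "marketplace"}],
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/sda1", "Ebs": {"VolumeId": "vol-0aaa000000000004"}}]},
        {"InstanceId": "i-0aaa000000000004", "RootDeviceName": "/dev/xvda",
         "ProductCodes": [{"ProductCodeId": "f2ew2wrz425a1jagnifd02u5t",
                           "ProductCodeType": "marketplace"}],
         "BlockDeviceMappings": [
             {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0aaa000000000005"}}]},
    ]},
]})


def marketplace_inventory(describe_json: str) -> dict[str, dict]:
    """Group instances by Marketplace product code.

    Returns {code: {"instances": [...], "root_volumes": [...], "url": ...}}.
    Root volumes are listed separately because a Marketplace boot volume
    (and, per slides 9-10, snapshots or AMIs made from it) cannot be attached
    as a secondary disk."""
    inventory: dict[str, dict] = defaultdict(
        lambda: {"instances": [], "root_volumes": [], "url": ""})
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            root_dev = inst.get("RootDeviceName")
            root_vols = [m["Ebs"]["VolumeId"]
                         for m in inst.get("BlockDeviceMappings", [])
                         if m.get("DeviceName") == root_dev and "Ebs" in m]
            for pc in inst.get("ProductCodes", []):
                if pc.get("ProductCodeType") != "marketplace":
                    continue  # devpay and other code types are out of scope here
                entry = inventory[pc["ProductCodeId"]]
                entry["instances"].append(inst["InstanceId"])
                entry["root_volumes"].extend(root_vols)
                entry["url"] = PRODUCT_PAGE.format(code=pc["ProductCodeId"])
    return dict(inventory)


def restricted_volumes(describe_json: str) -> set[str]:
    """Volume IDs a backup or forensics job should not try to attach as
    secondary disks: the boot volumes of Marketplace instances."""
    return {vol for entry in marketplace_inventory(describe_json).values()
            for vol in entry["root_volumes"]}


if __name__ == "__main__":
    for code, entry in sorted(marketplace_inventory(SAMPLE_DESCRIBE_INSTANCES).items()):
        print(f"{code}: {len(entry['instances'])} instance(s) {entry['instances']}")
        print(f"  boot volumes (attach-restricted): {entry['root_volumes']}")
        print(f"  product page: {entry['url']}")
```

Fed with real output (for example the describe-instances call from slide 6 filtered on product-code.type=marketplace), the same functions give an account-wide view of which Marketplace products are running and which volumes need a different backup path.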
9. AWS Marketplace
Only visible association to the original AMI and the Marketplace is through the snapshot it was created from. So let's try:
1. Create a new snapshot of the volume: ✅
2. Create a new volume from this snapshot: ✅
3. Attach newly created volume as secondary disk on the analysis instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id i-<redacted> --volume-id vol-<redacted>
An error occurred (OperationNotPermitted) when calling the AttachVolume operation: One or more of [6njl1pau431dv1qxipg63mvah] are not allowed as secondary volume xvdb
10. AWS Marketplace
Maybe the association is via the AMI? So let's try this:
1. Create an AMI from the Marketplace instance: ✅
2. Create a new instance from that AMI: ✅
3. Detach the boot volume from new instance: ✅
4. Attach volume as secondary disk on the new instance: 🛑
$ aws ec2 attach-volume --device xvdb --instance-id i-02f09c8ee2628f46e --volume-id vol-09db9337b82217687
An error occurred (OperationNotPermitted) when calling the AttachVolume operation: One or more of [6njl1pau431dv1qxipg63mvah] are not allowed as secondary volume xvdb
11. AWS Marketplace
Found an old mailing list post mentioning a workaround (https://www.mail-archive.com/packer-tool@googlegroups.com/msg04649.html):
1. Create an AMI from the Marketplace instance: ✅
2. Share it with another account: ✅
3. Create an instance at other account using the shared AMI: 🛑
ec2:DescribeImages still shows the product codes associated with the new AMI, so AWS closed that loophole at some point.
Also tried copying a snapshot to S3 and using direct access APIs. All blocked.
12. AWS Marketplace
No KYC, domain, URL or logo validation is required to become a seller eligible to publish free products.
KYC is apparently required to sell paid products to EMEA, though the T&Cs allow it across the board.
AWS purports to do regular scanning of images to check for vulnerabilities, and provides on-demand scanning to sellers.
Defines security standards for images, such as:
● no known vulnerabilities;
● no hardcoded passwords;
● no remote access by seller.
13. Azure Marketplace
Azure is kind enough to have documented APIs and CLI commands to interact with Marketplace images!
(https://docs.microsoft.com/en-us/cli/azure/vm/image?view=azure-cli-latest)
14. Azure Marketplace
You can attach a marketplace boot disk as a secondary disk in another VM!
1) First find the Publisher.Offer part of the URL:
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/tidalmediainc.tinyproxy-easy-ubuntu?tab=Overview
2) Obtain the SKU name:
$ az vm image list-skus -l brazilsouth -p tidalmediainc -f tinyproxy-easy-ubuntu | jq .[].name
"tinyproxy-easy-ubuntu"
3) Obtain the URN of the images:
$ az vm image list -p tidalmediainc -s tinyproxy-easy-ubuntu --all | jq .[].urn
"tidalmediainc:tinyproxy-easy-proxy-server-ubuntu:tinyproxy-easy-ubuntu-server:1.0.1"
"tidalmediainc:tinyproxy-easy-ubuntu:tinyproxy-easy-ubuntu:1.0.0"
15. Azure Marketplace
4) Accept the terms of the license (appears to be optional):
$ az vm image terms accept --urn "tidalmediainc:tinyproxy-easy-proxy-server-ubuntu:tinyproxy-easy-ubuntu-server:1.0.1"
5) Create a disk based on that image:
$ az disk create -g <resource group> -n <disk name> -l brazilsouth --image-reference tidalmediainc:tinyproxy-easy-ubuntu:tinyproxy-easy-ubuntu:1.0.1
6) Attach as a secondary disk on an analysis VM:
$ az vm disk attach -g <resource group> --vm-name <VM name> -n <disk name> -l brazilsouth
7) Profit!
16. Google Cloud Marketplace
GCP provides an easy way to deploy any marketplace infrastructure with predefined deployments. You can filter for the kind of software you want, select it, and GCP will do all the rest.
You can attach a marketplace boot disk as a secondary disk in another VM!
1) Open Google Cloud console and go to the Marketplace:
https://console.cloud.google.com/marketplace
2) Pick up a vendor product with Virtual Machines type. Use filters to choose on
3) Deploy the application and stop the virtual machine(s).
$ gcloud compute instances stop <marketplace-product-instance-name>
4) Create a snapshot from the instance you just stopped.
$ gcloud compute snapshots create <snapshot-name> --zone=<zone> --source-disk=<marketplace-instance-disk>
17. Google Cloud Marketplace
5) Create a disk from the snapshot
$ gcloud compute disks create <disk-name> --source=<snapshot-name> --zone=<zone>
6) Create a new instance and attach the new disk as a secondary disk to the VM.
$ gcloud compute instances create <new-instance-name> --machine-type=<machine-type> --disk=boot=no,device-name=<disk-name>,mode=rw,name=<disk-name> --zone=<zone>
7) From the GCP console SSH to the new VM
8) Run fdisk to see the disks and mount the disk (it should be /dev/sdbX where X is the physical partition)
$ sudo fdisk -l
$ sudo mount /dev/sdbX /<mounting-point>
18. Google Cloud Marketplace
9) If the disk does not mount, it is probably because it has an invalid partition type or it is a volume group. In both cases run a logical volume scan on the physical partition and mount it. You should see something similar to /dev/sdbX/<logical-volume>.
$ sudo lvscan -a
$ sudo mount /dev/sdbX/<logical-volume> /<mounting-point>
10) Start digging
19. Final Words
● AWS Marketplace seems to offer better protection for seller intellectual property than selling hardware appliances, kudos!
○ Should have documented APIs, SDK and CLI support for buyers;
○ Beware of instance restrictions (backup, etc).
● Azure and GCP Marketplaces offer big advantages to white and black hat security researchers:
○ Low or no cost (BYOL or pay-as-you-go);
○ No pesky sanctions or logistics-related difficulties in obtaining access to products;
○ Very low barrier to entry (account with fake/stolen payment data);
○ Very amenable to automation! DevSecResearchOps FTW
IANL disclaimer - don't do any of this before you are sure of the legal risks involved.
20. Thank you!
> Alex Sieira
asieira@tenchisecurity.com
@AlexandreSieira