There are many ways to secure software. In this talk, I will explain some of the different techniques used to prevent introducing security vulnerabilities into your software, using threat modelling, automated testing and dependency validation.
OWASP Mobile Risk Series: M4: Unintended Data Leakage - Anant Shrivastava
This presentation is part of a series focused on the OWASP Mobile Top 10. We discuss what data leakage is, the places where data could be leaked, samples/examples of data leakage, and how it differs from M2: Insecure Data Storage.
By Isabelle Mauny, Chief Product Officer & Co-Founder at 42Crunch
With the crazy rate at which APIs are developed, enterprises face a delicate situation to secure them. Data validation, input sanitization, security testing are tasks that require a lot of attention and time. When done very late in the API lifecycle, results are usually disastrous. API Security must be fully part of the API lifecycle, as transparent as possible, preventing developers from introducing vulnerabilities early on. A bug discovered in production can cost up to 30 times more effort to solve. Security vulnerabilities are no different.
Volodymyr Kimak "Security Tips for Android App" - Igor Beliaiev
Are you interested in how to make an Android app more secure against common threats? He is the one who might help ;) Check out Volodymyr Kimak's speech "Security Tips for Android App"
OWASP Ukraine 2017 Security Conference
https://www.facebook.com/events/914991308665427/
Mobile Penetration Testing: Episode 1 - The Forensic Menace - NowSecure
This is Episode 1 of a trilogy on mobile penetration testing - forensic analysis of data at rest on the device.
Episode 2 - Return of the Network/Back-end
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-ii-attack-of-the-code
Episode 3 - Attack of the Code
http://www.slideshare.net/nowsecure/mobile-penetration-testing-episode-iii-attack-of-the-code
Passwords are passé. WebAuthn is simpler, stronger and ready to go - Michael Furman
The presentation shows what’s wrong with passwords.
Then it elaborates on what Two-Factor Authentication is.
Finally, it demonstrates the standard web API WebAuthn (Web Authentication).
The presentation was presented at OWASP AppSec IL 2018
https://appsecisrael2018.sched.com/event/FvfG/passwords-are-passe-webauthn-is-simpler-stronger-and-ready-to-go
Gartner’s statement that “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” is often quoted, but what does an API abuse attack actually look and feel like?
At last year’s Platform Summit, I described 3 different types of API abuse at a high level, summarizing who abuses and why.
This year I will go into anatomical and forensic detail on one specific API abuse attack based on our real experiences, explaining what it looked and felt like through the exploration and probing phase, into the setup and test stage, and finally into the at-scale exploitation.
Layered API Security: What Hackers Don't Want You To Know - AaronLieberman5
What do Google, Facebook, Paypal, IRS, and USPS have in common? The answer is hackers exploited their APIs to access sensitive customer information. Although these API attacks were detected and exposed, most API-based attacks go undetected in today's technologically sophisticated world – particularly attacks that come from authenticated sources. With the number of APIs increasing constantly right along with the number of API attacks, API security has never been so important to an organization's success.
YOU MUST REGISTER HERE TO GET THE CONFERENCE LINK: https://bigcompass.typeform.com/to/emg9DO
Ping Identity and Azure have partnered together with a market-leading solution to tackle the complexities and nuances of protecting API infrastructures and the digital assets that they connect.
This session will discuss today’s API threat landscape and explore what you can do to both detect and block advanced attacks on APIs. The presentation will first dive into the API development lifecycle using a live API built with Azure. We will look at some common monitoring capabilities on the Azure API and what a security violation would look like.
Then, we will have some fun by simulating attacks on our own API. In this phase of the presentation, we will simulate some basic attacks and show how security policies or a web application firewall can block these common attacks.
From there, we will dive even deeper by simulating more advanced attacks from authenticated users (data theft and API takeover), hackers who have reverse engineered an API, and layer 7 DoS attacks that fly under the SLA radar. This is where we will showcase PingIntelligence's advanced capabilities by showing how an Azure API (or any other API) can connect with PingIntelligence to detect and prevent sophisticated attacks. This will allow the audience to see how the PingIntelligence software uses AI to discover and model normal behavior on an API to block and report on advanced attacks.
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You... - LF_APIStrat
"If you ask about API security, you will most likely be told about OAuth2, maybe OpenID Connect and of course TLS. But in order to properly secure APIs, you will have to address many other aspects. In this session, we present the concepts related to API Security, as well as practical tools/solutions to address the overall issue, such as:
- Transport and message encryption.
- Digital Signatures
- Auditing and non-repudiation
- SecDevOps and security as code
- Coding best practices and how to enforce them
- Infrastructure Best Practices
Attendees of this session will leave with practical information to apply directly to their APIs."
Addressing web server vulnerabilities is key to application security. Consider the impact the Apache Struts vulnerability had on organizations that ignored it, and it suddenly becomes clear that responding quickly to Common Vulnerabilities and Exposures (CVEs) is part of an effective appsec security posture.
Real-world business conditions are not always conducive to patching software in a timely manner. An automated method of identifying and triaging CVEs, from qualification to virtual patches, can be achieved with a robust process for staying on top of the latest CVE-related vulnerabilities.
Hunting Cybercriminals with: OSINT + Cloud Computing + Big Data - Chema Alonso
Slides from the presentation given by Chema Alonso at the CELAES 2015 congress on 15 October in Panama. It discusses how Eleven Paths and Telefónica use the Tacyt, Sinfonier and Faast technologies to fight e-crime.
API First talk from Gluecon '14, talking about putting the API behind all of your products and having a single stack. Presenter notes are included and probably necessary for when you don't have my interpretive dance to watch.
Talk delivered by Chema Alonso at RootedCON Satellite (Saturday 12th of September 2015) about how to do hacking & pentesting using dorks over Tacyt, a Big Data platform of Android apps.
Hijacking Software for fun and profit - Nipun Jaswal
Presentation for my talk at Global Infosec Summit, LPU (11 Nov 2017). The presentation demonstrates the risk of using outdated and cracked software. Additionally, it demonstrates the hands-on approach to finding DLL search order hijacking vulnerabilities. The presentation is for educational purposes only.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Mobile Penetration Testing: Episode II - Attack of the Code - NowSecure
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
Hackers & Attackers Exposed! There are those that know they have been hacked and those that don't know it yet. National Cyber Security Awareness Month. Improve your personal security by being aware of the threats.
Preventing Code Leaks & Other Critical Security Risks from Code - DevOps.com
In the last decade, the way software is developed and deployed has completely changed, yet the way we secure it has stood still. Today, developers use Git and open source and deploy via devops to the cloud. All of this has introduced security risks that are being exploited by hackers.
In this one hour webinar, learn the top threats facing companies from their code environments and how to address them.
You will learn:
How Git-based environments pose a threat to enterprise security
Why companies lack visibility into who has downloaded their code on unprotected devices
How to mitigate the threats from code without altering or slowing down the software development process
How code security must fit into an overall information security strategy
Who should attend:
CISOs or infosec directors
Devsecops leaders and engineers
Appsec leaders and engineers
Tips to Reduce the Attack Surface When Using Third-Party Libraries - Katy Anton
The number of cyber breaches due to vulnerable components has increased in recent years. Attacks come fast, exploits are automated, and damages are high.
The most common cause is the incorrect implementation of external libraries. This makes it difficult to maintain them, increases the technical debt and the risk of being breached via vulnerable components.
This presentation contains the most common situations when third party libraries are used, discusses the attack surface introduced by these components and explores the best practices to reduce it.
Creating secure apps using the Salesforce Mobile SDK - Martin Vigo
Creating a mobile app has never been easier with the wide range of frameworks and languages available at your fingertips. But is it easy to secure a mobile app? Join our mobile security experts as they walk through the Salesforce Mobile SDK and learn everything you need to know about hardening your mobile apps. We will discuss common vulnerabilities and mistakes, followed by a deep dive into how the Salesforce Mobile SDK makes following our security best practices easy and painless!
On 17 March 2016 the next OWASP Russia Meetup, a gathering of the information security community, took place at Yandex's Moscow office. The main topic of this meeting was mobile application security. Experts spoke about various aspects of this topic and shared examples from real life and personal experience.
Yuri Chemerkin, expert researcher at Perspektivny Monitoring, took part with the talk "Mobile Application Security and Leaked Data". He explained how unprotected many popular mobile applications are and what needs to be done to raise their level of protection.
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma... - apidays
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Addressing OWASP API Security Top 10 starts at design time
Isabelle Mauny, Field CTO & Co-Founder at 42Crunch
WFH security risks - Ed Adams, President, Security Innovation - Priyanka Aash
Our security practices need to evolve in order to address the new challenges propped up by the rapid adoption of technologies and products to enable the world to WFH. The mantra of the attacker remains consistent -- attack that which yields maximum result -- and that is usually something used by a very very large number of users. This webinar will discuss the Top 10 Security Gaps that CISOs should be aware of as they brace for long WFH periods.
What will you learn:
- New attack techniques hackers are using to target WFH
- How to handle decentralisation of IT and technology decisions
- Application risks as enterprises pivot to online/new business model(s)
- New risks in the Cloud and due to Shadow IT
- Security risks due to uninformed employees & their home infrastructure
- How to handle misconfigurations & third-party risks
- How to build a robust breach response and recovery program
Full video - https://youtu.be/bQLfnmhDnQs
Mobile apps are the entry point to your web applications, APIs and web services. But sometimes the developer implements security in the mobile app that can easily be bypassed by a malicious attacker, allowing the attacker to exploit your web applications and steal confidential information. In this presentation I will show you how easy it is to attack a mobile application, intercept the communication and exploit the trust model of mobile apps. I will also give an overview of the OWASP Top 10 Mobile Risks.
The 5 Crazy Mistakes IoT Administrators Make with System Credentials - BeyondTrust
In this presentation from his webinar, Rob Black, CISSP, Founder and Managing Principal of Fractional CISO, explores IoT architectures, the different types of credentials in an IoT system, the common challenges with IoT credential management, and what you can do to mitigate the risks of credential-based attacks.
You can also watch the full webinar on-demand here: https://www.beyondtrust.com/resources/webinar/5-crazy-mistakes-administrators-make-iot-system-credentials/
Fragments - Plug the vulnerabilities in your App - Appsecco
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse, and how an attacker perceives the security of a mobile app.
https://youtu.be/EzC86gWVPZk
Over the last 30 years, the term Open Source has been gaining momentum, and it is at its peak right now, with all tech giants shifting focus to open source. In contrast, you don't see a lot of penetration in open source IAM; this is largely due to the uncertainty and doubts around the topic. Register here for an in-depth explanation of facts and fiction in this space.
View the on-demand webinar: https://wso2.com/library/webinars/open-source-value-benefits-risks/
A question of trust - understanding Open Source risks - Tim Mackey
As presented at the Bay Area Cyber Security Meetup on January 25th, 2018.
Open source development paradigms have become the norm for most software development. This is regardless of whether you're making the next great IoT device, a new container microservice, or a desktop application. While open source components are often viewed as free, and definitely help solve problems in a scalable way, using them in a secure manner requires an understanding of how open source development really works.
In this session, I covered how secure development practices with data center regulations can benefit from an understanding of open source development. Specifically, we looked at fork management, community engagement and patch management. We ended with an open source maturity model.
[WSO2 Integration Summit San Francisco 2019] Protecting API Infrastructures —... - WSO2
What do Google, Facebook, Paypal, IRS, T-mobile, and USPS have in common? Answer -- hackers used their APIs to access sensitive customer information. Although these API attacks were exposed, most API-based attacks go undetected these days. This deck will discuss today’s evolving API threat landscape and explore what you can do to both detect and block cyberattacks from authenticated users and hackers who have reverse engineered your API with an integrated solution from WSO2 and PingIntelligence.
Grab the Secure Mobile Application Development Reference here - http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
Are you looking to build a program to ensure maximum mobile security coverage?
If you are tasked with putting together a security testing program to address risk with internally developed mobile applications, there is no shortage of technical and process factors to consider. It is also critical to balance the security with a positive end-user experience, helping propel the overall brand forward - safely. Without proper mobile security, one significant loss can quickly destroy the trust foundation your company has worked years to craft.
This webinar will provide the security leader an overview of the challenges associated with mobile testing, certain technologies that one can use to identify mobile application vulnerabilities, and repeatable process strategies that will help build the foundation for a recurring testing program.
The session will provide attendees a broad understanding of mobile technologies, as well as a mobile testing launch checklist that will help your organization go from ground floor to a fully-functioning testing program in 30 days.
The session will also include:
An overview of the major mobile technologies and their defining attributes
An overview of how iOS and Android handle certain security issues differently via the Denim Group Mobile Development Reference Guide
An overview of a typical mobile application architecture and how it differs from a web application environment
How important web services are to a typical mobile architecture
The limitations of automated testing and how to augment security reviews to overcome testing gaps
How to make a program repeatable and economically feasible without disrupting the software development process
Mobile Payments: Protecting Apps and Data from Emerging Risks - IBM Security
Arxan Technologies, FS-ISAC, and IBM joined forces to deliver a presentation on how to protect your applications and data from emerging risks. This session will cover:
- The threat landscape regarding mobile payments
- How cybercriminals can hack your applications
- Comprehensive prevention and protection techniques
BDD Mobile Security Testing (OWASP AppSec Bucharest 2017) - Davide Cioccia
Big companies only use mobile BDD tests to check that all the functionalities work. BDD security testing is becoming more and more important in the business panorama, where complex applications need to be tested continuously because they are part of continuous delivery (CD) and continuous integration (CI). The agile way of working requires more flexibility in security testing too, so a complete pentest at the end of development is not enough anymore. OWASP MASVS and MSTG (Mobile Security Testing Guide) give developers and security professionals hints on what to test and how. What if we can automate these tests directly in the development pipeline before building the application? By integrating Cucumber, Calabash and Ruby it is possible to create simple, medium and advanced security tests, automating the UI, accessing the filesystem, Keychain, databases and logs in the background, and checking the memory on the fly.
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and where are we going?
Current cyber risks
• Data breaches and cloud misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
No Onions, No Tiers - An Introduction to Vertical Slice Architecture by Bill ... - Alex Cachia
Vertical Slice Architecture helps us build maintainable applications by separating concerns around features rather than technical responsibilities, allowing us to add features without modifying existing code.
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson - Alex Cachia
In this talk Glenn will walk you through the OWASP Top 10 published towards the end of 2021 to explain what's hot and what's hotter. He will give a brief description of each weakness and explain how they are exploited and, more importantly, what you can do to mitigate against attackers exploiting them in your code.
If you think open source is not for you, think again by Jane Chakravorty - Alex Cachia
Years ago open source was considered unsuitable for the mainstream. We had Windows, didn’t we? Times have changed, we all use open source these days, but often don’t know it. So, let’s take a closer look at open source.
Chaos Engineering – why we should all practice breaking things on purpose by ... - Alex Cachia
What can we learn from fire fighters to make the systems we come to depend upon become more robust and resilient? In this talk, I will introduce what Chaos Engineering is and why it is important and share some real case studies of how people like Netflix and Amazon are applying these techniques to create more resilient systems for the benefit of their customers.
Treating your career path and training like leveling up in games by Raymond C... - Alex Cachia
We will take a look at how you can actively plan your career through learning specific skills: picking a moon-shot job and working out the path to get there, then how to start taking practical steps to get started.
Digital forensics and giving evidence by Jonathan Haddock - Alex Cachia
Digital forensics is being used more and more as computers become increasingly prevalent in our lives. In this talk, Jonathan will walk us through a basic forensic process and discuss some of the complications. Jonathan will highlight some key forensics principles that you can follow without specialist software, allowing you to implement them as part of your own incident response process.
Data Preparation and the Importance of How Machines Learn by Rebecca VickeryAlex Cachia
Machine learning is the ability of a machine to perform a task without being explicitly programmed. In this talk, I will cover how to manipulate data into a state that a machine can understand and make accurate predictions, and introduce a Python library that makes this easier.
Why Rust? by Edd Barrett (codeHarbour December 2019)Alex Cachia
For longer than I have existed, memory errors have plagued systems programming. Although many such errors are benign, sadly many end up being security vulnerabilities, or worse, exploits. In this talk, I will discuss how a security exploit is born, and how the Rust
programming language tries to prevent them.
Issue with tracking? Fail that build! by Steve Coppin-Smith (codeHarbour Nove...Alex Cachia
The analytics strategy must be a primary citizen of the software delivery process in a data driven business! This talk will include a live demo of extending the Nightwatch automated testing framework to uncover and resolve issues in tracking code that would have otherwise hit production.
Hack your voicemail with Javascript by Chris Willmott (codeHarbour October 2019)Alex Cachia
You're a developer, so you probably have working knowledge of Javascript. Its 2019, but people still leave you voicemails, pff. In this short practical talk, I'll show you how to hack and upgrade ANY mobile voicemail to do almost anything you want with the Twilio platform.
Developing for Africa by Jonathan Haddock (codeHarbour October 2019)Alex Cachia
There are always challenges developing an app to scale and these are compounded when set in an African context. African Pastors Fellowship’s eVitabu project, launched in March 2018, provides an Android app pastors can use to access multimedia teaching resources.
Revving up with Reinforcement Learning by Ricardo SueirasAlex Cachia
In this session I will share my journey that started with me taking my children discarded toys and trying to get them to drive themselves, to a fully autonomous driving model car.
Blockchain For Your Business by Kenneth Cox (codeHarbour July 2019)Alex Cachia
Blockchain is an emerging technology that has captured the attention of the financial experts, the media and the technical enthusiasts. In this talk we take a look at the technology; how it works, why you should consider it for your business and how it's given life to cryptocurrencies.
Seeking Simplicity by Phil Nash (codeHarbour June 2019)Alex Cachia
What is simplicity and why do we value it so much? How does it relate to complexity? When is complexity good and when is it bad? How does simplicity differ from ease? As we examine these questions we'll find that the situation is not quite as simple (!) as it might first appear. In the course of the discussion we'll come up with a mental model for framing problems that we can apply to many things - but we'll particularly look at how we can apply it to our designs and code. We'll also look at how some programming languages help us more than others in our drive towards simplicity.
Sharing Data is Caring Data by Mark Terry (codeHarbour June 2019)Alex Cachia
Considerations for creating, storing and trusting a unified business approach to data in a distributed environment. In order to prevent disjointed and competing views of business facts.
Managing technical debt by Chris Willmott (codeHarbour April 2019)Alex Cachia
Managing technical debt by Chris Willmott
With the talk primarily aimed at those in technical roles, I'll be providing a number of practical methods to use when managing technical debt. About half the talk will be things we can do as developers to quickly identify then reduce the impact of technical debt, and half will be around how to explain technical debt to non-technical stakeholders.
Hosted by Alex Cachia, codeHarbour provides an opportunity for discussion and a platform for digital presenters to get their technological ideas out there to the people who need to hear it.
Telephone Systems and Voice over IP by Bob Eager (codeHarbour April 2019)Alex Cachia
Telephone Systems and Voice over IP by Bob Eager
The speaker will talk about his experiences with a gradually evolving SOHO telephone system, starting with a single POTS (landline), through ISDN, to the current VoIP solution, and the eventual removal of the original telephones. The majority of the talk will concern the use of the open source Asterisk platform to provide numerous facilities (including one or two quite unusual ones) in a large, rambling house used also as an office for part of the time. This will include an introduction to VoIP for beginners. Costs and savings will also be considered. There will be time for questions and discussion.
Hosted by Alex Cachia, codeHarbour provides an opportunity for discussion and a platform for digital presenters to get their technological ideas out there to the people who need to hear it.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
4. How secure is my software?
February 2020 @Dynaminet 3
5. The 5 key practices for more secure software:
Good design
Security Testing
Dependency checking
Protect your Source Code
Education
8. NEVER STORE PASSWORDS IN PLAIN TEXT…. EVER!
• Use STRONG hashing
• Use Salted values (randomised!!)
Build in Multifactor Authentication (MFA)
• Something your user knows
• Something your user has
• Something your user is
Enforce Password policies
• Password rotation
• Password strength
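As an added example (not code from the talk) of the three password points on this slide: a salted PBKDF2 hash with the salt drawn from the OS generator, a constant-time verify, and a minimal strength policy. The iteration count, record format and deny-list are choices made here, not figures from the slides.

```python
"""Salted, iterated password hashing with constant-time verification.
Added example, not code from the talk; the iteration count, storage
format and deny-list are choices made here."""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"   # PBKDF2-HMAC-SHA256 from the standard library
ITERATIONS = 600_000     # tuning value chosen here; raise as hardware improves
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    The salt comes from os.urandom, the OS CSPRNG the speaker notes point
    at (/dev/urandom on UNIX, the CryptGenRandom family on Windows), so two
    users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=KEY_BYTES)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                      # malformed record
    if algo != ALGO or rounds < 1 or not salt or not expected:
        return False                      # unknown or downgraded scheme
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    # compare_digest does not stop at the first differing byte
    return hmac.compare_digest(candidate, expected)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Minimal strength policy: length plus a constructed deny-list of
    common passwords (a real deployment checks a breach corpus instead)."""
    common = {"password", "password1234", "123456789012", "qwertyuiop12"}
    return len(password) >= min_length and password.lower() not in common
```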
9. Use STRONG Encryption… EVERYWHERE
• No excuse for weak encryption
• Encrypt Data at Rest and Data in Transit
Asymmetric Encryption
• Used for authentication and confidentiality
• Public key can be shared
• Private key must be kept secret / stored securely
Symmetric Key
• Sender and receiver use the same key
• Use with HMAC
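An added example, not the talk's code, of the symmetric-key bullets: one shared key, a separate MAC key derived from it, and an HMAC tag that is verified before the ciphertext is used (encrypt-then-MAC). The cipher step is assumed to happen elsewhere; the ciphertext argument stands for its output.

```python
"""Authenticating a symmetric-key message with HMAC (encrypt-then-MAC).
Added example, not the talk's code. The cipher itself is outside the
standard library, so the ciphertext passed in is whatever a real cipher
produced; the HMAC handling is what this shows."""
import hashlib
import hmac
import os

VERSION = b"\x01"
NONCE_LEN = 12
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes for HMAC-SHA256


def derive_mac_key(master: bytes) -> bytes:
    """Never MAC with the raw encryption key: derive a separate key with a
    label (HKDF is the standard tool; a labelled HMAC is its minimal form)."""
    return hmac.new(master, b"mac-key", hashlib.sha256).digest()


def seal(master: bytes, ciphertext: bytes) -> bytes:
    """Return VERSION || nonce || ciphertext || tag, where the tag covers
    the header as well as the ciphertext so neither can be swapped."""
    header = VERSION + os.urandom(NONCE_LEN)
    tag = hmac.new(derive_mac_key(master), header + ciphertext,
                   hashlib.sha256).digest()
    return header + ciphertext + tag


def open_sealed(master: bytes, blob: bytes):
    """Verify the tag before touching the ciphertext; return the ciphertext
    for decryption, or None on any mismatch (tamper, truncation, wrong key)."""
    if len(blob) < len(VERSION) + NONCE_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if body[:len(VERSION)] != VERSION:
        return None
    expected = hmac.new(derive_mac_key(master), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return body[len(VERSION) + NONCE_LEN:]
```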
10. Validate ALL input
• User input
• Query string parameters
• API parameters
• Validate EVERY VALUE (zero trust)
Use Whitelisting
• IP Addresses
• Trusted Domain Names (be explicit)
• Valid Characters
Avoid Implicit Serialisation
• Explicitly define object state
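An added example (not from the talk) of the validation bullets above and of the domain-primitive point in the speaker notes: explicit character allow-lists, an Age primitive that refuses impossible values before they reach business logic, and exact-match checking of trusted domain names. The username alphabet, age range and domain set are assumptions for the demo.

```python
"""Allow-list validation and domain primitives for untrusted input.
Added example, not the talk's code; the username alphabet, the age range
and TRUSTED_DOMAINS are constructed for this demo."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")  # explicit allowed alphabet
DIGITS_RE = re.compile(r"[0-9]{1,3}")              # query-string values are text
TRUSTED_DOMAINS = frozenset({"api.example.com", "cdn.example.com"})


class ValidationError(ValueError):
    """Raised at the boundary; callers never receive a half-built object."""


@dataclass(frozen=True)
class Age:
    """Domain primitive: an age is an int in [0, 150], not any int
    (the speaker notes' 'nobody lives 2 billion years' point)."""
    years: int

    def __post_init__(self) -> None:
        if type(self.years) is not int:        # also rejects bool and float
            raise ValidationError("age must be an integer")
        if not 0 <= self.years <= 150:
            raise ValidationError(f"age out of range: {self.years}")

    @classmethod
    def from_query(cls, raw: str) -> "Age":
        """Parse a query-string parameter: allow-list the characters first,
        then build the primitive, so '-5', '4e1' and ' 42' never reach int()."""
        if not DIGITS_RE.fullmatch(raw):
            raise ValidationError("age must be 1 to 3 digits")
        return cls(int(raw))


@dataclass(frozen=True)
class Username:
    """Domain primitive with a character allow-list rather than a deny-list."""
    value: str

    def __post_init__(self) -> None:
        if not USERNAME_RE.fullmatch(self.value):
            raise ValidationError("username contains disallowed characters")


def is_trusted_url(url: str) -> bool:
    """Exact-match the host against TRUSTED_DOMAINS over https only; no
    suffix or substring matching, so api.example.com.evil.net and
    user@host forms are rejected."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_DOMAINS
```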
11. Always Enable / Configure Security Related Headers
• Control your response / request headers
Content Security Policy (CSP)
• Set policies in the Content-Security-Policy header
• Defend against Cross Site Scripting (XSS)
• Prevents packet sniffing
Cross-Origin Resource Sharing (CORS)
• Set Access-Control-Allow-Origin headers appropriately
• Cover CDN / external JavaScript / CSS libraries and public API endpoints
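An added example, not the talk's code, of the CSP and CORS bullets: a baseline set of response headers, an explicit origin allow-list behind Access-Control-Allow-Origin, and an audit that flags the weak settings. The origins, CDN host and policy values are assumptions for the demo.

```python
"""Security-related response headers, an explicit CORS origin allow-list and
a check for weak settings. Added example, not the talk's code; the origins,
CDN host and policy values are constructed for this demo."""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com",
                             "https://admin.example.com"})

BASELINE_HEADERS = {
    # CSP: same origin by default, one named CDN for scripts, no plugins,
    # no framing; this is the XSS defence the slide refers to
    "Content-Security-Policy": ("default-src 'self'; "
                                "script-src 'self' https://cdn.example.com; "
                                "object-src 'none'; base-uri 'self'; "
                                "frame-ancestors 'none'"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}


def normalise_origin(origin: str):
    """A browser Origin is scheme://host[:port] only; anything else
    (a path, 'null', http) is not an origin we will echo."""
    p = urlsplit(origin)
    if p.scheme != "https" or not p.netloc or p.path or p.query or p.fragment:
        return None
    return f"{p.scheme}://{p.netloc.lower()}"


def cors_headers(request_origin):
    """Echo the origin only when it is on the allow-list. Sending nothing is
    the safe default: without ACAO the browser refuses the cross-origin read."""
    origin = normalise_origin(request_origin) if request_origin else None
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}   # shared caches must not reuse across origins


def response_headers(request_headers: dict) -> dict:
    """Headers to attach to every response for the given request."""
    headers = dict(BASELINE_HEADERS)
    headers.update(cors_headers(request_headers.get("Origin")))
    return headers


def audit_headers(headers: dict) -> list:
    """Flag configurations that undo the protections above."""
    findings = []
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp
          or "*" in csp.replace(";", " ").split()):
        findings.append("CSP permits inline/eval scripts or wildcard sources")
    if (headers.get("Access-Control-Allow-Origin") == "*"
            and headers.get("Access-Control-Allow-Credentials") == "true"):
        findings.append("ACAO '*' combined with credentials")
    if "Strict-Transport-Security" not in headers:
        findings.append("missing Strict-Transport-Security")
    return findings
```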
12. Always Log Security Events
• Authentication / Authorisation Failures
• Application / System Errors
• Suspicious / Unexpected Behaviour
Keep Logs Secure
• Prevent Attackers from Hiding Their Tracks
• Prevent Data Leaks
Do NOT Log Data Illegally / Unnecessarily, such as:
• Access Tokens
• Personally Identifiable Information (PII)
• Secrets / Encryption Keys
• Payment Data
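An added example (not from the talk) that emits the security events this slide lists as one-line records while scrubbing the data it says must not be logged: bearer tokens, secrets, card numbers and e-mail addresses. The redaction patterns and the sample values are constructed.

```python
"""Security-event logging that scrubs bearer tokens, card numbers, secrets
and e-mail addresses before anything reaches the log. Added example, not
the talk's code; the patterns and sample values are constructed."""
import logging
import re


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that only plausible card numbers are masked."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[REDACTED-PAN]" if _luhn_ok(digits) else match.group(0)


# (pattern, replacement) applied in order to every line
RULES = [
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED-TOKEN]"),
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key|token)=[^&\s]+"),
     r"\1=[REDACTED]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), _mask_pan),   # 13-19 digit PANs
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[REDACTED-EMAIL]"),
]


def redact(text: str) -> str:
    for pattern, repl in RULES:
        text = pattern.sub(repl, text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the record early and scrubs it. Attach it to handlers as
    well, since logger-level filters only see records logged on that logger."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def security_event(event: str, **fields) -> str:
    """One-line key=value event (auth failure, access denied, unexpected
    behaviour) that a SIEM can parse; scrubbed before it is returned."""
    parts = [f"event={event}"] + [f"{k}={v}" for k, v in sorted(fields.items())]
    return redact(" ".join(parts))


def get_security_logger(name: str = "security") -> logging.Logger:
    """Logger with the redaction filter installed exactly once."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger
```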
13. All Code Is Guilty Until Proven Innocent
14. [Figure: layers of security testing, Unit Tests, Static Application Security Tests, Integration Security Tests and Pen Tests, placed on axes running from faster to slower and from cheaper to more expensive]
15. Write Security Unit Test Cases:
• Identity, Authentication & Access Control
• Input Validation & Encoding
• Encryption
• User and Session Management
• Error and Exception Handling
• Auditing and Logging
16. Use Static Code Analysis Tools
• Integrate into IDE / CI/CD Pipeline
• Identifies Most Common Source Code Vulnerabilities
• Scans Source Code or Binaries
Top SAST Tools Include:
• Checkmarx
• Veracode
• Fortify on Demand
• SonarQube
• HCL AppScan
BUT…
• Can Generate Many False Positives
• Bound to Specific Technologies
17. Automate Tests Beyond Source Code Using DAST, IAST and RASP
• Dynamic Application Security Testing (DAST)
  • Simulates Real Attacks
  • Integrates into CI/CD Pipeline
• Interactive Application Security Testing (IAST)
  • Runtime instrumentation used in TESTING
  • Identifies Events at Runtime that may have Security Relevance
• Runtime Application Self Protection (RASP)
  • Runtime Instrumentation used in PRODUCTION
  • Prevents Exploitation of Common Vulnerabilities
18. Use Penetration Testers to Exploit Vulnerabilities in your Code
• They use complex chains of vulnerabilities not Identified by Automated Tests
• Imitate Hackers and use Hacker Tools
• Provide a Report of Vulnerabilities
BUT…
• Do NOT rely EXCLUSIVELY on Pen Testing
• Usually Performed TOO LATE in the SDLC for developers
19. “Before software can be reusable it first has to be usable” - Ralph Johnson
20. Check that your Free Open Source Software is not Vulnerable
• Use Scanning Tools to Scan your Dependencies
• Known Vulnerabilities are Exploited by Hackers
• CVEs are Publicly Available (mitre.org)
• Patch!!!
• Use Scanning Tools Directly in your IDE – UPDATE LIBS QUICKLY in DEV
• SCAN CONTAINERS – they bring a whole bunch of vulnerabilities with them!!!!
21. “It’s not enough for code to work” – Robert C. Martin
22. Secure your Source Code… ALWAYS
• Secure the Development Environment
  • Keep it separate from Production
  • Flexible Security – don’t Hinder Development
• Protect the Source Code Repository
  • Access Controls
  • Monitor for Unusual Code Changes (e.g. external)
• Secure the Build and Deployment Pipeline
  • Control Secrets and Credentials
  • Automate
  • Only Promote TRUSTED Branches
23. “Knowledge is a weapon. I intend to be formidably armed.” ― Terry Goodkind
We’re all familiar with the dangers of being hacked:
Data exfiltration
Ransomware
Sabotage
As software engineers, architects and testers, we are all responsible for securing software. But what does this entail?
Good software starts with good design
“Good design doesn’t cost, but it pays”
Cannot say this loud enough or clear enough!!!!
Randomised = use cryptographically secure random generators such as CryptGenRandom on Windows and /dev/urandom on UNIX
Something your user knows = pin / password
Something your user has = mobile device / hardware token
Something your user is = facial recognition / fingerprint
Data in Transit = avoid using SSL or older versions of TLS. You should use TLS 1.2 as a minimum
know when and how to use asymmetric keys versus symmetric keys
Never share a private key used for encryption
HMAC = Hash-based Message Authentication Code (used to verify integrity and authenticity of a message)
Whitelisting = ensure that only characters that are permitted can be used
Centralise validation within domain primitives (domain primitives give greater control over how the application behaves, e.g. an age is not an Integer unless someone lives to 2 billion years of age and can also have a negative age).
Logging is a huge topic, so it will not be covered in this slide; other factors to mention:
Create a central log or at least keep logs consistent
Do not log everything – too much noise
Use a Security Information and Event Management (SIEM)
Mike Cohn = three layers 1) Unit Tests 2) Service Tests 3) UI Tests
Unit Tests = happy and unhappy paths based on logic (e.g. can I order -2 billion items?)
Static application tests = automated source code analysis. Scan source code for potentially bad security practice (e.g. SQLi, XSS, unencrypted passwords, etc.). Lots of false positives if not configured correctly.
Integration Security tests = automated dynamic code analysis. Validates that integrated services are secure using fuzz testing. Grey-box testing.
Pen testing = full black box testing. Usually carried out by skilled penetration testers. Look for all sorts of issues. Traditional testing for many projects, carried out at the end of the SDLC.
Build security into the unit testing tools
SAST = Static Application Security Testing
Pen testing can come too late in the SDLC for developers
Alternative quote = “A chain is only as strong as its weakest link”
Dependencies probably make up between 80% and 90% of your code base
CVE = Common Vulnerability Enumeration
You are under attack… constantly. Arm yourself with knowledge
OWASP - Open Web Application Security Project
Top 10 Security vulnerabilities (https://owasp.org/www-project-top-ten/)
SANS - SANS is the most trusted and by far the largest source for information security training in the world
Top 25 Most dangerous coding errors (https://www.sans.org/top25-software-errors/)
Centre for Internet Security (CIS)
CIS Benchmarks for a raft of different technologies (https://www.cisecurity.org/cis-benchmarks/)
National Cyber Security Centre (https://www.ncsc.gov.uk/collection/developers-collection) UK
NIST – National Institute of Standards and Technology USA
Cybersecurity resources (https://www.nist.gov/topics/cybersecurity)
Mozilla Web Security page (https://infosec.mozilla.org/guidelines/web_security)