This document outlines a maturity-based and metrics-driven approach to starting a software security initiative within an organization. It discusses raising security awareness, conducting initial tactical responses like assessments and code reviews, developing a software security strategy and roadmap, and establishing a security initiative focused on people, processes, and tools to improve the organization's maturity over time. Metrics are recommended to measure progress and defend the value of the initiative to stakeholders.
A two hour workshop that provides a practical introduction to secure coding. This was part of the {DECIPHER} Hackathon (https://www.eventbrite.sg/e/decipher-hackathon-tickets-57968120208).
From Code to Customer: How to Make Software Products Secure - Kaspersky
Because they have numerous components, some of which are deeply integrated into the OS, security software products are prone to recurring problems.
This can be avoided by applying healthy practices and processes, which are described in this whitepaper: https://kas.pr/67hx
Ольга Аксьоненко: "Secure software development in Agile projects..." - QADay
Online Quality Assurance Day 2020 #2
Ольга Аксьоненко
"Secure software development in Agile projects"
telegram: wwww.t.me/goqameetup
fb: www.fb.com/goqaevent
fb: www.fb.com/qaday.org
Website: www.qaday.org
Security Testing: Myths, Challenges, and Opportunities - Experiences in Integ... - Achim D. Brucker
Security testing is an important part of any security development lifecycle (SDL) and, thus, should be a part of any software (development) lifecycle. Still, security testing is often understood as an activity done by security testers in the time between "end of development" and "offering the product to customers."
On the one hand, learning from traditional testing that fixing bugs becomes more costly the later it is done in development, security testing should be integrated into the daily development activities. On the other hand, developing software for the cloud and offering software in the cloud raises the need for security testing in a "close-to-production" or even production environment. Consequently, we need an end-to-end integration of security testing into the software lifecycle.
In this talk, we will report on our experiences in integrating security testing "end-to-end" into SAP's software development lifecycle in general and, in particular, SAP's Secure Software Development Lifecycle (S2DL). Moreover, we will discuss different myths, challenges, and opportunities in the area of security testing.
Security & DevOps - What We Have Here Is a Failure to Communicate! - DevOps.com
Past history, differing world views of their roles, shadow IT development, force-fitting security tools, and past frictions can all make gelling as a cross-functional team difficult. Yet, it’s essential to achieve fast software creation and delivery, while also ensuring the applications created are secure and risk is always appropriately managed.
Where do we start? Start with this webinar featuring Mitch Ashley, security technologist and CEO of Accelerated Strategies Group, who will explore strategies for successful DevSecOps.
You will learn:
How to successfully implement purpose-built, developer-friendly secrets management tools that security professionals and dev teams are thrilled to embrace.
This presentation offers insight on defining appsec policies, highlighting the differences from InfoSec policy, attributes of effective policy and how to make policies actionable so they map to an organization's overall security and business processes.
Open Source has become the key building block for application development in today's market, where companies are under constant pressure to accelerate time to market.
However, the increasing adoption of open source components has introduced new security challenges that most teams are not prepared to mitigate in their current posture. Join Sharon Sharlin, Product Marketing Manager at WhiteSource, as she presents best practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising security.
Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.
[CB16] Keynote: How much security is too much? by Karsten Nohl - CODE BLUE
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Chaos engineering for cloud native security - Kennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, and not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches, injecting security faults that trigger security failures which impact integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reverted to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner, and extends the benefits of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google Cloud Platform.
Most application security efforts are misguided and ineffective. Why? Because while many security practitioners have a good understanding of how to find application vulnerabilities and exploit them, they often don't understand how software development teams work, especially in Agile/DevOps organizations. This leads to flawed programs. If we want to build secure applications, we have to meet development teams where they are by embedding security into their processes.
White Paper: Leveraging The OWASP Top Ten to Simplify application security a... - Security Innovation
The OWASP Top Ten List represents a consensus among many of the world’s leading information security experts about the greatest application risks, based on both the frequency of the attacks and the magnitude of business impact.
This whitepaper will quickly present the OWASP Top Ten, then offer insight into how it can transform application security, facilitate compliance, and reduce application risk.
The white paper can be accessed here: http://web.securityinnovation.com/owasp-top-ten.
Collaborative security: Securing open source software - Priyanka Aash
There’s no guarantee that software will ever be free from vulnerabilities, whether it is open source or proprietary, but there is still plenty we can do. The Linux Foundation CTO Nicko van Someren will discuss new tools and techniques that help improve the security and quality of open source projects, presenting data from various open source projects including pre- and post-Heartbleed OpenSSL.
(Source: RSA Conference USA 2017)
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof... - Denim Group
HP Protect 2015 Presentation with Denim Group's John Dickson and HP's Bruce Jenkins - Software security historically has been a bolt-on afterthought, frequently a "nice to do" and not a "must do" activity in many organizations. Despite the obvious need to build security in from the outset, organizations continue to struggle to gain momentum and focus resources in support of a structured and measurable software security assurance program. How can organizations determine the best-fit activities and appropriate resource allocation levels to adequately address software risk? How can security leaders know what other organizations are doing to produce more secure software? This session provides an overview of the Open Software Assurance Maturity Model (OpenSAMM) framework and illustrates how organizations can use it to give their security program the edge necessary to stay competitive in today's DevOps world and need-for-speed go-to-market strategies. The session includes case studies on how organizations are using comparative data and OpenSAMM benchmarking to realize measurable software security improvement.
Originally shared here - https://sessioncatalog.hpglobalevents.com/go/agendabuilder.sessions/?l=19&sid=4026_2744&locale=en_US
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment - Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014 - m1splacedsoul
Abstract: The Building Security In Maturity Model (BSIMM) observes and measures what firms' software security initiatives are actually doing. John, who has helped several firms build or improve their security initiatives, will share sometimes surprising data about security initiatives big and small. His presentation will focus on what activities organizations use to "boot" security initiatives and which they presently focus on.
This presentation articulates a key trend I'm seeing in technology delivery. Namely, the need to "right-size the rigor" applied using risk-based methods.
Washington Mutual Bank's Collapse Under An Audit Perspective - hong_nona
This is my MBA project paper for the External Audit course. The project paper tapped into the hottest topic of the U.S. economic crisis in 2008, three months after the collapse of the biggest U.S. bank institution.
The author incorporated the audit principles in analyzing the root causes of the U.S. economic crisis and how this disaster can be avoided.
Ensure Software Security already during development - IT Weekend
"How to Code Security into Software? Software Security Assurance with HP Fortify." Nowadays it becomes more and more obvious that security should not only be applied as an afterthought, but already during development. I will show possibilities on how you can integrate Software Security assurance in your Development Lifecycle, and what technologies and processes can help you with that.
Lucas v. Stockhausen
Software Security Consultant
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy - Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.
This presentation shows how Quality Risk Management can be applied in the Commissioning & Qualification of Facilities, Systems and Equipment in Pharmaceutical Facilities.
Enterprise DevOps is different from DevOps in startups and smaller companies. This session shows how AWS/CSC address this: how AWS IaaS-level automation via CloudFormation, UserData, Console, APIs and some PaaS (OpsWorks/Beanstalk) is complemented by the CSC Agility Platform. CSC Agility adds application compliance and security to the AWS infrastructure compliance and security. CSC Agility allows for the creation of architecture blueprints for predefined application offerings.
DevOps and Cloud Tips and Techniques to Revolutionize Your SDLC - CA Technologies
Cloud computing started a technology revolution; now DevOps is driving that revolution forward. By enabling new approaches to service delivery, cloud and DevOps together are delivering even greater speed, agility and efficiency. No wonder leading innovators are adopting DevOps and cloud together! This presentation explores the synergies in these two approaches, with practical tips, techniques, research data, war stories, case studies and recommendations.
Vulnerability Management In An Application Security World: AppSecDC - Denim Group
Identifying application-level vulnerabilities via penetration tests and code reviews is only the first step in actually addressing the underlying risk. Managing vulnerabilities for applications is more challenging than dealing with traditional infrastructure-level vulnerabilities because they typically require the coordination of security teams with application development teams and require security managers to secure time from developers during already-cramped development and release schedules. In addition, fixes require changes to custom application code and application-specific business logic rather than the patches and configuration changes that are often sufficient to address infrastructure-level vulnerabilities.
This presentation details many of the pitfalls organizations encounter while trying to manage application-level vulnerabilities as well as outlines strategies security teams can use for communicating with development teams. Similarities and differences between security teams’ practice of vulnerability management and development teams’ practice of defect management will be addressed in order to facilitate healthy communication between these groups.
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015 - Minded Security
Matteo Meucci did a talk on software security in practice, describing the actual scenario and the roadmap for the enterprise to improve their maturity in the SDLC.
This presentation goes over core principles involved in launching secure web applications and effectively managing security in a cloud services environment.
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers view as vulnerable, particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Secure application deployment in the age of continuous delivery - Tim Mackey
As presented at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Cybersecurity is a compulsory, tough and expensive task for all organizations, private and public, large, medium and small.
No one can ignore it anymore, and building a viable cybersecurity strategy is a complex task that needs to balance budget, keeping up with attacker technologies, available skills and a plethora of expensive tools on the market.
Let's discuss how available open source solutions can greatly help our organizations be more effective in implementing their cybersecurity posture, while optimizing the available budget.
Agenda:
- SDLC vs S-SDLC
- Mobile development security process
- What tools to use for security testing?
- How to integrate them into existing processes?
- What else you can do?
Shifting the conversation from active interception to proactive neutralization - Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Risk Analysis Of Banking Malware Attacks - Marco Morana
Analysis of how banking malware like Zeus exploits weaknesses in on-line banking applications and security controls. This presentation walks through the attack scenario, the attack vectors, the vulnerability exploits and the techniques to model the threats so that countermeasures can be identified.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
3. Software Security Awareness: Threats
- On-line fraud overtakes viruses as the greatest source of financial loss (Symantec)
- 93.8% of all phishing attacks in 2007 are targeting financial institutions (Anti-Phishing Group)
- Phishing attacks soar in 2007 (Gartner): 3.6 million victims, $3.2 billion loss (2007); 2.3 million victims, $0.5 billion loss (2006)
OWASP 3
5. Software Security Awareness: Software Security vs. Application Security
Software Security:
- Security built into each phase of the SDLC
- Looks at root problem causes
- Proactive: threat analysis, risk management
Application Security:
- Security applied by catch and patch
- Looks at external symptoms
- Reactive: incident response, compliance
7. Tactical Responses: Initial Security Assessment
- The symptoms: the clues that lead to potential vulnerabilities and exploits
- The root causes: security design flaws, security bugs (coding errors), insecure configuration
- The risk factors: how much damage can be done, how easy it is to reproduce the exploits, how many users are exposed and how easy it is to discover the vulnerabilities
9. Tactical Responses: Risk Analysis
Risk terminology:
- Threat (e.g. the cause)
- Vulnerability (e.g. the application weakness)
- Impact (e.g. the loss of data)
- Risk (e.g. the rating, likelihood x exposure)
Risk models:
- STRIDE/DREAD
- Threat x Vulnerability x Impact (OWASP)
- ALE = SLE x ARO
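The three risk models named on this slide carried through in code, as an added example that is not part of the OWASP deck: a DREAD average, an OWASP-style threat x vulnerability x impact product, and ALE = SLE x ARO feeding a return-on-security-investment figure (the ROSI that the "Defending the case" slide later brings up with the CIO). The 1..3 factor scale, the High/Medium/Low bands and the ROSI formula are conventions assumed for illustration, and every number in the worked example is constructed.

```python
"""Risk-rating helpers for DREAD, OWASP-style T x V x I, and ALE = SLE x ARO.

Added example, not from the OWASP deck. The rating bands, the 1..3 factor
scale and the ROSI formula are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dread:
    """DREAD factors, each rated 1 (low) to 10 (high)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        """Plain average of the five factors, the usual DREAD convention."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= f <= 10 for f in factors):
            raise ValueError("DREAD factors must be in 1..10")
        return sum(factors) / len(factors)

    def rating(self) -> str:
        # Bands are an assumption for this example, not from the slide.
        s = self.score()
        return "High" if s >= 7 else "Medium" if s >= 4 else "Low"


def owasp_style_risk(threat: int, vulnerability: int, impact: int) -> tuple:
    """Threat x Vulnerability x Impact, each factor on an assumed 1..3 scale.

    Returns (product in 1..27, band); the band thresholds are an assumption."""
    for f in (threat, vulnerability, impact):
        if not 1 <= f <= 3:
            raise ValueError("factors must be in 1..3")
    product = threat * vulnerability * impact
    band = "High" if product >= 12 else "Medium" if product >= 6 else "Low"
    return product, band


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value times the fraction lost per event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction in 0..1")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO (annual rate of occurrence)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on Security Investment = (risk reduction - control cost) / control cost.

    Textbook definition, assumed here; the slides only name ROSI."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


def worked_example() -> dict:
    """Constructed numbers for a phishing-driven account-takeover threat."""
    d = Dread(damage=8, reproducibility=7, exploitability=6,
              affected_users=9, discoverability=5)
    product, band = owasp_style_risk(threat=3, vulnerability=2, impact=3)
    loss = sle(asset_value=1_000_000, exposure_factor=0.10)  # 100,000 per event
    before = ale(loss, aro=0.5)   # 50,000 per year without the control
    after = ale(loss, aro=0.1)    # 10,000 per year once the control cuts the ARO
    return {
        "dread_score": d.score(),
        "dread_rating": d.rating(),
        "owasp_product": product,
        "owasp_rating": band,
        "ale_before": before,
        "ale_after": after,
        "rosi": rosi(before, after, control_cost=20_000),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

The point of putting all three side by side is that DREAD and the T x V x I product only order findings relative to each other, whereas ALE puts a currency figure on a threat, which is what a budget discussion with a CIO needs; the ROSI line turns "spend 20,000 on this control" into a number that can be defended.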
11. Software Security Strategy: First Approaches
Be realistic:
- The organization is not yet ready (i.e. not yet mature)
- Engineers are not trained in software security
- There are no tools available
Make up a strategy:
- Based upon your company's strengths
- With stakeholder buy-in (CIOs, ISOs, PMs, developers, architects)
- With achievable goals: reduce by 30% the vulnerabilities found through ethical hacking, via source code analysis
12. Software Security Strategy: Initial Business Cases
Not fixing security bugs early is expensive:
- $9,000 per defect after system tests (90X factor @ 100 dollars/hour x 1 hour = 9,000 dollars) (NIST, Economic Impact of Insecure Testing)
- $100,000 per security bulletin (M. Howard and D. LeBlanc in the Writing Secure Software book)
13. Software Security Strategy: Create a Roadmap
1. Assess the software security maturity of the organization: software security development processes, people and tools
2. Document the software security process: security-enhanced SDLCs and checkpoints
3. Implement a framework: software engineering and risk management processes
4. Create business cases and set objectives
5. Collect metrics and measurements
6. Gain stakeholder commitments
15. Software Security Initiative: People, Process, Technology
- People: who manages software security risks
- Process: what, where and how security can be built into the SDLC
- Tools: how processes can be automated
Security = Commitment * (People + Tools + Process^2)
17. Software Security Initiative: Maturity Levels
Maturity: Innocence (CMM 0-1)
- No formal security requirements
- Issues addressed with penetration testing and incidents
- Penetrate-and-patch, reactive approach
Maturity: Awareness (CMM 2-3)
- All applications have penetration tests done before going into production
- Secure coding standards are adopted, as well as source code reviews
18. Software Security Initiative: Maturity Levels
Maturity: Enlightenment (CMM 4-5)
- Threat analysis in each phase of the SDLC
- Risk metrics and vulnerability measurements are used for security activity decision making (bang for the buck)
20. Software Security Initiative: People
What not to look for:
- Ethical hackers that cannot tell how to build applications securely
- Security engineers with no experience in software engineering, design or coding
- Information security professionals that only know security auditing
What to look for:
- Security professionals that understand both coding and security
- Software security consultants
24. Software Security Initiative: Defending the Case
Fight common misconceptions that software security impacts:
- performance
- costs/budget
- development
Make the case for each role:
- Developers that are tired of rebuilding software
- Project managers that worry about missing deadlines
- Information Security Officers that worry about compliance
- CIOs that worry about budget and ROSI
25. Software Security Initiative: Commitment
Top down:
- Two-month freeze on development
- Every developer in training
- SDL delivered across projects
Bottom up:
- Project managers commit resources to training and demand secure code reviews
- Architects and engineering leads test and address security issues as early as they are found in the source code and the application
- The CISO addresses compliance with information security policies as well as secure coding standards
26. Concluding Remarks
Remember, Rome was not built in a day! You need time to mature your processes, train your employees and implement the right process, tools and technologies.
28. Thanks for listening, further references
- Symantec threat report: http://www.symantec.com/business/theme.jsp?themeid=threatreport
- Gartner study on phishing: http://www.gartner.com/it/page.jsp?id=565125
- UC Berkeley Center for Law and Technology on identity theft: http://repositories.cdlib.org/cgi/viewcontent.cgi?article=1045&context=bclt
32. Appendix: Insecure Shopping Cart
http://www.coolcart.com/jewelrystore.html
The price charged for the “Two Stone Feather Ring” is now 99 cents
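How the price manipulation shown on this slide is prevented on the server, as an added example that is neither the deck's nor the shop's own code: the catalog, the SKUs, the prices and the submitted order below are all constructed. The total is always computed from the catalog price keyed by SKU; whatever price the browser sends is never billed, only compared against the catalog so that a mismatch can be logged and alerted on.

```python
"""Server-side price authority for a shopping cart checkout.

Added example, not code from the slide or the site it shows. Catalog,
SKUs, prices and the submitted order are constructed for illustration.
"""
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's only source of truth for unit prices.
CATALOG = {
    "RING-2SF": ("Two Stone Feather Ring", Decimal("249.00")),
    "NECK-001": ("Silver Pendant Necklace", Decimal("89.50")),
}

MAX_QTY_PER_LINE = 50  # assumption: a sanity bound for this example


def insecure_total(submitted_items):
    """The pattern behind the slide: whatever price the browser sends is billed.

    Kept only as the 'before' for comparison; never use this for checkout."""
    return sum(Decimal(str(i["price"])) * int(i["qty"]) for i in submitted_items)


def price_cart(submitted_items, catalog=CATALOG):
    """Return (total, anomalies) with every unit price taken from the catalog.

    A price field in the request is treated as untrusted input: it is ignored
    for billing and compared with the catalog, and a disagreement is returned
    as an anomaly so the caller can log it and raise an alert."""
    total = Decimal("0.00")
    anomalies = []
    for item in submitted_items:
        sku = item.get("sku")
        if sku not in catalog:
            raise ValueError(f"unknown sku {sku!r}")
        try:
            qty = int(item.get("qty", 1))
        except (TypeError, ValueError):
            raise ValueError("quantity must be an integer") from None
        if not 1 <= qty <= MAX_QTY_PER_LINE:
            raise ValueError(f"quantity {qty} out of range for {sku}")
        _name, unit_price = catalog[sku]
        if "price" in item:
            try:
                claimed = Decimal(str(item["price"]))
            except InvalidOperation:
                claimed = None  # unparsable price is still a mismatch
            if claimed != unit_price:
                anomalies.append({"sku": sku, "claimed": item["price"],
                                  "actual": unit_price})
        total += unit_price * qty
    return total, anomalies


# Constructed order as it might arrive from the browser: the ring's price
# field has been changed client-side to 0.99.
SUBMITTED_ORDER = [
    {"sku": "RING-2SF", "qty": 1, "price": "0.99"},
    {"sku": "NECK-001", "qty": 2, "price": "89.50"},
]


if __name__ == "__main__":
    print("insecure total:", insecure_total(SUBMITTED_ORDER))
    total, anomalies = price_cart(SUBMITTED_ORDER)
    print("server-priced total:", total)
    for a in anomalies:
        print("price mismatch:", a)
```

The anomaly list is worth keeping rather than silently overriding the client value: a customer whose browser sends a price that disagrees with the catalog is either running a stale page or tampering with the form, and either case is something the operations team wants to see in the logs.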
35. Appendix: Tie Attacks To Vulnerabilities
- Phishing: A1, A4, A7, A10
- Privacy violations: A2, A4, A6, A7, A10
- Identity theft: A3, A7, A8, A9, A10
- System compromise, data alteration or data destruction: A2, A3
- Financial loss: A4, A5, A7, A10
- Reputation loss: A1, A2, A3, A4, A5, A6, A7, A8, A9, A10
36. Appendix: The Motto
“If your software security practices are not yet mature, be pragmatic and start making software security a responsibility for who builds software in your organization”
37. Appendix: About Me
- Graduated from University of Padua, Italy in 1987 (Dr. Ing., Laurea in Ingegneria Meccanica)
- Worked as an aerospace engineer in Italy between 1990-1994
- Got a Master in Computer System Engineering from Northwestern Polytechnic University in 1996
- Worked as a software engineer in Silicon Valley between 1996-1998
- While working at NASA as a Sterling Software contractor, developed the first e-mail S/MIME and got a patent in 1997
- Founded CerbTech LLC in 2003 and worked on a security project for VISA
- Developed commercial security tools/products for ISS (Safesuite Decisions) and Sybase (Security Manager) (1998-2004)
- Sr. Security Consultant with Foundstone/McAfee (2004-2006), consulting for major banks and telcos in the USA
- Joined Citigroup in 2006 as Technology Information Security Officer (Sr. Director/VP)
- Founded the OWASP Cincinnati USA chapter in 2007