Using and Extending Vega
Vega is an open-source web application vulnerability assessment platform that provides an automated scanner and intercepting proxy. The automated scanner recursively crawls targets and runs injection modules to find vulnerabilities. The intercepting proxy allows editing requests and responses and running response processing modules. Modules are written in JavaScript and Vega is highly extensible. Future plans include improving detections, adding a fuzzer, and making the platform more scriptable.
2. Introduction
Who We Are
Open-source security startup
Based in Montreal
Experienced founders:
• Secure Networks Inc.
• SecurityFocus (Symantec)
• Core Security Technologies
• Netifera
• REcon
www.subgraph.com
3. Open Source and Security
Kerckhoffs’ principle
Auguste Kerckhoffs: 19th Century Dutch linguist and cryptographer
Made an important realization:
“The security of any cryptographic system does not rest in its secrecy, it must be able to fall into the enemy’s hands without inconvenience.”
“The adversary knows the system” (Claude Shannon)
As opposed to “security through obscurity”
4. Open Source and Security
Kerckhoffs’ Principle
Well understood in the world of cryptography
New ciphers not trusted
Because cryptography is a “black box”
Once in a while, less now, companies try to market proprietary ciphers
There’s a term for this: “snake oil”
Kerckhoffs’ principle can be understood as “open source is good security”
5. Commercial Web Security Software
Advantages
Ease of installation, upgrade, use
User experience
Quality assurance, bug fixes
Documentation and help
Development driven by demand and need
Disadvantages
Expensive
Sometimes bizarre licensing restrictions
EOL, acquisitions, other events
Proprietary / closed source
6. Open Source Web Security Tools
Let’s just talk about disadvantages..
No integration / sharing between tools
Poor or non-existent UI, documentation / help
Painful, broken installations
Code is of inconsistent quality
Developer / contributor unreliability
Developer interest driven by interest, skill level, whim
Forks
Abandonment
Developer finished college, got a job
Successfully reproduced
8. Our Vision
One web, one web security tool
Open source
Consistent, well-designed UI
Functions really well as an automated scanner
Shouldn’t need to be a penetration tester
Advanced features for those who are
User extensibility
Community
Plus all that boring stuff
Documentation, help, business friendly features
We are building the ultimate platform for web security
Rapidly prototype attacks
Nobody should have to use commercial tools
Because Vega is free
9. Introducing Vega Platform
‣ Open-source web application vulnerability assessment platform
‣ Easy to use Graphical Interface
‣ Works on Windows, Mac, Linux
‣ Automated scanner, attacking proxy finds vulnerabilities
‣ Based on Eclipse RCP
‣ Extensible: Javascript – language every web developer knows
‣ Shipped first release July 1
‣ EPL 1.0
10. Vega is Built On:
Eclipse RCP / Equinox OSGi
Apache HC
JSoup
Mozilla Rhino
Eliteness
11. Automated Scanner
Recursive crawl over target scope
404 detection
Probes path nodes to determine if files, directories
Builds tree-like internal representation of target application
Vega runs injection modules on nodes, abstracted in API
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Expanded scope, more than one base URI
Support for authentication: HTTP, form-based, NTLM
Much better scanner modules
Very annoying crawler bugs fixed
18. Can be reviewed / replayed, module highlights finding
19. Vega Proxy
Intercepting proxy
SSL MITM, including CA signing cert (http://vega/ca.crt through the proxy)
Edit requests, responses
Request replay
Response processing modules run on all responses
Modules written in Javascript
New for 1.0
Proxy scanning
Fuzzes pages in target scope when enabled
Finds lots of vulnerabilities
25. Proxy Scanning
Gathers parameters and path information observing client-server interaction
Sees things the crawler can’t see
RPC endpoints
Links in flash, Java, other active content
Very effective at finding vulnerabilities
To try it, configure the proxy, create a proxy target scope, enable proxy scanning
30. Extending Vega
Modules written in Javascript
In the Vega/scripts/ subdirectory tree
Well on OS X they’re in some weird place
Two kinds of modules:
Injection, AKA “Basic”
Send fuzzing requests, do stuff with the responses
Response processing
Pattern matching, regex, checking response properties
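An injection module of the kind the slide describes sends fuzzing requests for a parameter and does something with the responses. The block below is an added example written for this page, not a module shipped with Vega: it probes a parameter for string-concatenated SQL by sending an unbalanced quote, then a balanced pair to confirm the error is really caused by quoting. The module object shape, the `ctx` context (`parameter`, `submit`, `alert`) and the `fakeServer` target are constructed stand-ins, not Vega's real API.

```javascript
// Added example (not Vega code): an injection ("Basic") module in the shape the
// slides describe: for one parameter it sends fuzzing requests, inspects the
// responses and raises an alert.  The ctx object (parameter, submit, alert) is a
// constructed stand-in for Vega's module context, not the real API, and the
// target below is a fake server so the example runs offline.
const SQL_ERROR_SIGNATURES = [
  /You have an error in your SQL syntax/i,                 // MySQL
  /unclosed quotation mark after the character string/i,   // MSSQL
  /ORA-\d{5}/,                                             // Oracle
  /syntax error at or near/i,                              // PostgreSQL
  /Warning: (?:mysqli?|pg)_\w+\(\)/i,                      // PHP driver warnings
];

function sqlErrorMatch(body) {
  for (const re of SQL_ERROR_SIGNATURES) {
    const m = body.match(re);
    if (m) return m[0];
  }
  return null;
}

const sqlErrorModule = {
  name: 'SQL error probe (constructed example)',
  type: 'per-parameter',
  run(ctx) {
    const original = ctx.parameter.value;
    // Baseline: if the page already shows a database error we cannot attribute
    // anything to our input, so stay quiet rather than report a false positive.
    if (sqlErrorMatch(ctx.submit(original).body)) return;
    // Probe: an unbalanced quote should break string-concatenated SQL.
    const evidence = sqlErrorMatch(ctx.submit(original + "'").body);
    if (!evidence) return;
    // Confirmation: a balanced pair (escaped quote) should make the error vanish
    // again; if it does not, the error is probably unrelated to quoting.
    const confirmed = sqlErrorMatch(ctx.submit(original + "''").body) === null;
    ctx.alert('sql-error', {
      parameter: ctx.parameter.name,
      evidence,
      confidence: confirmed ? 'high' : 'low',
    });
  },
};

// Constructed module context: submit(value) replays the request with the
// parameter set to `value`; alert() collects findings.
function makeCtx(name, value, server) {
  const alerts = [];
  return {
    parameter: { name, value },
    submit: (v) => server(name, v),
    alert: (kind, props) => alerts.push({ kind, ...props }),
    alerts,
  };
}

// Constructed target: "id" is concatenated into a query (odd quote count breaks
// it), "q" is handled safely and just echoes the value.
function fakeServer(name, value) {
  if (name === 'id') {
    const quotes = (value.match(/'/g) || []).length;
    if (quotes % 2 === 1) {
      return { status: 500, body: "You have an error in your SQL syntax; check the manual near '''" };
    }
    return { status: 200, body: `<p>item ${value}</p>` };
  }
  return { status: 200, body: `<p>results for ${value}</p>` };
}

function demo() {
  const vulnerable = makeCtx('id', '7', fakeServer);
  sqlErrorModule.run(vulnerable);
  const safe = makeCtx('q', "o'neil", fakeServer);
  sqlErrorModule.run(safe);
  return { vulnerable: vulnerable.alerts, safe: safe.alerts };
}

console.log(JSON.stringify(demo(), null, 2));
```

The baseline and confirmation requests are what keep a signature-based module from flooding the findings list: a page that always prints a stack trace, or a parameter whose value merely happens to contain a quote, produces no alert.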
31. Extending Vega
Rich API
Check documentation at https://support.subgraph.com
DOM Analysis with Jquery
E.g. file upload, password input submitted over HTTP..
Alerts based on XML templates
In the XML/ subdirectory
Freemarker Macro / CSS components
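The "password input submitted over HTTP" check named on this slide is a natural response-processing module: it runs on every response, looks at the DOM, and raises an alert. The block below is an added example written for this page rather than a module from Vega's scripts tree. The module object, its `run(request, response, ctx)` signature and `ctx.alert()` are constructed stand-ins for Vega's API; a regex form scan stands in for the jQuery DOM analysis the slide mentions; and the sample request/response pairs are constructed so the example runs offline under Node.

```javascript
// Added example (not Vega code): a response-processing module in the shape the
// slides describe: it is handed every request/response pair and raises an alert
// when a form containing a password input would submit over plain HTTP.
// The module object, its run() signature and ctx.alert() are constructed stand-ins
// for Vega's API; the regex form scan stands in for the jQuery DOM analysis.
const passwordOverHttpModule = {
  name: 'Password input submitted over HTTP (constructed example)',
  type: 'response-processor',
  run(request, response, ctx) {
    const ct = (response.headers['content-type'] || '').toLowerCase();
    if (!ct.startsWith('text/html')) return;            // only parse HTML bodies
    const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
    let m;
    while ((m = formRe.exec(response.body)) !== null) {
      const attrs = m[1], inner = m[2];
      if (!/<input\b[^>]*\btype\s*=\s*["']?password\b/i.test(inner)) continue;
      const am = attrs.match(/\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
      const action = am ? (am[1] || am[2] || am[3] || '') : '';
      // Resolve the action against the page URL: a relative action inherits the
      // page's scheme, and an empty action posts back to the page itself.
      const target = new URL(action, request.url);
      if (target.protocol === 'http:') {
        ctx.alert('password-over-http', { page: request.url, action: target.href });
      }
    }
  },
};

// Constructed harness: collect alerts the way a scanner would.
function runOn(pairs) {
  const alerts = [];
  const ctx = { alert: (name, props) => alerts.push({ name, ...props }) };
  for (const [request, response] of pairs) passwordOverHttpModule.run(request, response, ctx);
  return alerts;
}

const headersFor = (type) => ({ 'content-type': type });
const loginForm = (action) =>
  `<html><body><form method="post" action="${action}">` +
  `<input name="u"><input type="password" name="p"></form></body></html>`;

// Constructed traffic: only the first pair should alert.
const SAMPLE_PAIRS = [
  [{ url: 'http://example.test/login' },  { status: 200, headers: headersFor('text/html'), body: loginForm('/login') }],
  [{ url: 'http://example.test/' },       { status: 200, headers: headersFor('text/html'), body: loginForm('https://example.test/login') }],
  [{ url: 'https://example.test/login' }, { status: 200, headers: headersFor('text/html; charset=utf-8'), body: loginForm('') }],
  [{ url: 'http://example.test/api' },    { status: 200, headers: headersFor('application/json'), body: '{"form":"<input type=password>"}' }],
];

function demo() { return runOn(SAMPLE_PAIRS); }

console.log(demo());
```

Resolving the form action against the page URL is the part that matters: a login page served over HTTP whose form posts to an absolute HTTPS action is not the finding, while a page over HTTPS whose form posts to an absolute `http:` action is, and a relative or empty action inherits whatever scheme the page was loaded with.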
32. Where are we at?
Feature complete for 1.0
Testing and fixing bugs
Additional module refinement and testing
Vega 1.0 release in November? Or early December
Visit my github (or github.com/brl) if you want what you see here
Download link on our website is the beta..
Can provide builds for OS X, Windows users
Just ask me – email, irc (#subgraph / freenode), twitter, whatever
33. What’s coming?
Even more improvements in detections
Fuzzer / brute forcer
Better reporting
Better encoding, decoding, representation and manipulation of structured data
Headless scanner
HAR export
Scriptable proxy
We’re open to ideas and feedback!
34. Thank you!
Web: http://www.subgraph.com
Try Vega / get the source:
http://github.com/subgraph/Vega (more stable)
http://github.com/dma/Vega (newer, less stable)
Twitter
Us: @subgraph
Me: @attractr
E-mail us: info@subgraph.com
IRC: irc.freenode.org, #subgraph