Security is now important to all of us, not just people who work at Facebook. Most developers think about security in terms of security technologies that they want to apply to their systems, and then ask how secure the system is. From a secure systems perspective, this is the wrong way around. To build a secure system, you need to start from the things that need to be protected and the threats to those resources.
In this session, Eoin dives into the fundamentals of system security to introduce the topics we need to understand in order to decide how to secure our systems.
Common WebApp Vulnerabilities and What to Do About Them
Eoin Woods
With more and more services becoming internet-facing, web application security is now a problem for most of us. In response to this, the OWASP security community have been working for years to catalogue, understand and prioritise common web application vulnerabilities, published as the “OWASP Top 10 List”.
In this session, Eoin will review the OWASP Top 10 list to understand the vulnerabilities and dig into the implementation details of some of the more important of them to identify practical mitigations for them in our own applications.
A talk given at IEEE Software Experts Summit, October 2015 in Beijing, exploring how software architecture is likely to change in the future as a result of software defined platforms and on-demand analytics, and the implications of this.
Getting Your System to Production and Keeping it There
Eoin Woods
It can be dispiriting to find that a well-designed system that has been carefully implemented runs into problems as soon as it hits production, but such things do happen. This session explores why this happens and discusses why good software development practice is important but ultimately isn't sufficient to create a reliable and effective enterprise system. We'll discuss what being "production ready" really means in order to allow us to understand the principles, patterns and practices that we need to be aware of and apply in order to get our systems into production safely and keep them there.
Talk given at London Java Community on 1st December 2016.
Secure by Design - Security Design Principles for the Working Architect
Eoin Woods
As our world becomes digital, the systems we build must be secure by design. The security community has developed a well-understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers. And when the principles are explained, they are often shrouded in the jargon of the security engineering community, so mainstream developers struggle to understand and apply them.
This talk explains why secure design matters and introduces 10 of the most important proven principles for designing secure systems, distilled from the wisdom of the security engineering community.
Keynote on why you should make Infosec a board-level strategic item, how you should raise it to this level and how to approach Information Security strategically.
Today’s mainstream acceptance of Agile+DevOps as the preferred way of working once again raises questions of what architecture work is and who does it. It simultaneously challenges much of our previously accepted wisdom, preferring architecture to be a “shared commons” across the development organisation, while demanding a sophisticated level of software architecture practice to deliver on the promises of Agile+DevOps.
One way of describing this situation is the need to “democratise” software architecture so it becomes a shared responsibility rather than a centralised impediment to rapid delivery. In this talk we’ll examine the challenges of software architecture in today’s modern distributed teams and ask how we might make the architecture of their systems a shared responsibility to allow them to achieve the software architecture that they need at the speed that they need it.
At a time when some say users pose the biggest threat, new tools are emerging that give users more freedom than ever.
451 Analyst Adrian Sanabria speaks on this bold new approach to application control in our latest webinar.
KEY TOPICS
1. Learn from the past: valuing User Experience, IT workload & business/IT relations.
2. Take off the training wheels: it's possible to trust users to make the right choices, but still have options if they don't.
3. Drop unreasonable goals: more restrictions ≠ more security.
Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?
Monty McDougal, Cyber Engineering Fellow, Intelligence, Information and Services, Raytheon
Kid Proofing the Internet of Things
This presentation is intended to address the unique challenges parents face in securing their home networks both against their kids and in order to protect their kids from the evils of the Internet. It is particularly focused on the problems the Internet of Things brings to us as parents.
Outpost24 webinar - Improve your organization's security with red teaming
Outpost24
Our Red Teaming expert Hugo van den Toorn explains the key elements of a red team operation, what companies can expect from the assessment and how to benefit from the 'moment of truth'.
The more your organization knows about potential threats, the safer your critical assets will be, but are traditional solutions, such as monthly scans and haphazard patching enough? What your scanner isn’t telling you are the critical vulnerabilities that should be fixed first.
Managing Next Generation Threats to Cyber Security
Priyanka Aash
The emergence of next generation technology into the cyber security space has added complications and challenges on several levels. When we talk about next generation technologies we should mean those associated directly with artificial intelligence (AI) and associated components such as machine learning (ML). Unfortunately, many organizations opt to hype current generation products as next gen. In this workshop we will begin by exploring what we need to know about AI and its components. We will dispense with the marketing hype and get down to the facts. Then we will look in detail at a few available tools that truly are next gen - and what makes them next gen - followed by a discussion of where the adversary is going with AI, ML and other next gen technologies. We will wrap up with research from my upcoming book, which discusses the collision between the law and cyber science. In this section we will also address some governance issues that you need to know.
Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.
Outpost24 webinar - A day in the life of an information security professional
Outpost24
These slides cover the security challenges and pitfalls you might face throughout the vulnerability management cycle, including internal obstacles.
Cloud, DevOps and the New Security Practitioner
Adrian Sanabria
First presented at Cloud Security World in Boston on June 15th, 2016.
Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?
How do we separate hype from useful information in Cyber Security? As Congress is debating a National privacy law, and several states have privacy and breach reporting laws, how will that impact our workload? Privacy starts with good cyber-hygiene. We will look at how we can leverage the focus on Privacy to address standards for:
• Firewall and network configs
• Cloud security
• Protocols and ports that need attention
• Authentication best practices
• Server and network rights
• Password rules
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
Enterprise security teams are facing numerous challenges because of evolving threat vectors bypassing existing technology, deluge of alerts, and lack of skilled resources to stop advanced threats. Even if enterprises have a budget to bring in outside incident response and forensics teams to stop the bleeding, by then, damages and loss have already occurred.
Security teams must change the shape of their security program to stop threats at the earliest and all stages of the attacker lifecycle. Join 451 Research Senior Analyst Adrian Sanabria and Endgame Director of Products Mike Nichols as they talk about how earliest prevention and instant detection can change the shape and outcome of an enterprise security program.
This talk will outline strategies for:
• Prioritizing the alerts and events that really matter
• Identifying parts of the investigation workflow that can be automated
• Building a detection methodology that creates confidence and continuously improves defenses
This talk provides a brief history of how DevOps has enabled tech companies to become unicorns. It also asks whether security in DevOps is important, who is responsible for it, and what teams can do to make security a competitive advantage.
Technologies and Policies for a Defensible Cyberspace
mark-smith
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack has been, for decades, far easier than cyber defense.
What do you remember about the Equifax breach? Something about someone forgetting to patch Struts, and then the bad guys were able to get in and steal all the data? What actually happened was much more nuanced, and there's much to learn by diving into the details.
In this provocative and sometimes irreverent presentation, retired Brigadier General Greg Touhill, the United States government's first federal Chief Information Security Officer, will discuss why the legacy perimeter defense model has been overwhelmed and made obsolete by the advent of modern mobility and cloud computing. He'll demonstrate how to make the business case that the shift to the Zero Trust security strategy is now essential for businesses to survive and thrive in today's highly contested global digital economy.
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
Despite the meteoric rise of cloud based applications and services, as well as its subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as “more of a trust issue than based on any reasonable analysis of actual security capabilities”.
A recent global study by BT revealed that 76% of large organizations cited security as their main concern for using cloud-based services. 49% admitted being "very" or "extremely anxious" about the security complications of these services. However, according to Gartner, the reality is that "most breaches continue to involve on-premises data center environments".
Where do you stand on this issue?
In this talk, we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
25 Quotes That Will Make You a Better Freelancer
contently
We talk to a lot of smart people here at The Freelancer. Over the years, we've interviewed Pulitzer Prize winners, entrepreneurs, and even famous journalists like Glenn Greenwald.
So we decided to gather the 25 best quotes we could find—on topics ranging from writing, negotiation, and managing clients—and put them on a SlideShare for easy browsing. The hope is that freelancers of all levels will find the advice invaluable.
Information Security Governance: Concepts, Security Management & Metrics
Marius FAILLOT DEVARRE
The goal of information security governance is to establish and maintain a framework to provide assurance that information security strategies are aligned with the business objectives and consistent with applicable laws and regulations.
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
When a security program isn't as good as it should be it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual pen report. He’ll share a back-to-the-basics case study for removing complexity and running a simple, effective, start-up worthy security program.
This talk is for security managers looking to focus better on the real vulnerabilities and communicate their progress more effectively.
The goals of this talk: find the real problems, create a formal plan, build support for the plan, and report the progress.
This publication covers two important aspects of information security governance: determining the security strategy approach and the strategy development process.
These slides cover various aspects of information security: databases and their advantages, DBMS and RDBMS, information-system design considerations, various cybercrime techniques, the elements of information (i.e. integrity and availability), classification of threats, information security risk assessment, the four stages of risk management, the NIST definition, risk assessment methodologies, the security risk assessment approach, risk mitigation options, categories of controls, technical controls, etc.
Infrastructure as code: running microservices on AWS using Docker, Terraform,...
Yevgeniy Brikman
This is a talk about managing your software and infrastructure-as-code that walks through a real-world example of deploying microservices on AWS using Docker, Terraform, and ECS.
Learn about threat modeling from our CTO and co-creator of the DREAD threat modeling classification, Jason Taylor. Understand more about what threat modeling is, dive into real life examples, and use techniques you can leverage at every phase of the SDLC.
For Business's Sake, Let's focus on AppSec
Lalit Kale
Slide-Deck for session on Application Security at Limerick DotNet-Azure User Group on 15th Feb, 2018
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
chap-1 : Vulnerabilities in Information Systems
KashfUlHuda1
Introduction to Cyber Security. Chapter #1. Vulnerabilities in Information Systems. What is a vulnerability?
Cyberspace: From terra incognita to terra nullius.
Cyberspace performance expectations. Measuring vulnerabilities: CVSS, XCCDF, OVAL.
Avoiding vulnerabilities through secure coding
When you work with a lot of companies scrutinizing their security, you get to see some amazing things. One of the joys of being a commercial security consultant working for big name firms, is that you get to see a lot of innovation and interesting approaches to common problems.
However, as great as this is, the discrete projects you work on are usually a small representation of the overall company. When you look at the company in its entirety, a familiar pattern of weakness begins to reveal itself. While some companies are obviously better than others, the majority of companies are actually weak in remarkably similar ways.
My work in the attacker modeled pentest and enterprise risk assessment realms focuses on looking at a company as a whole. The premise is that, this is what an attacker would do. They won’t just try to attack your quarterly code reviewed main web site, or consumer mobile app. They won’t directly attack your PCI relevant systems to get to customer credit card data. They won’t limit their attacks to those purely against your IT infrastructure. Instead – they’ll look at your entire company, and they will play dirty.
In this session, I’ll focus on the things that plague us all (well most of us), and I’ll offer some simple advice for how to try and tackle each of these areas:
– Weaknesses in Physical Security
– Susceptibility to Phishing
– Vulnerability Management Immaturity
– Weaknesses in Authentication
– Poor Network Segmentation
– Loose Data Access Control
– Terrible Host / Network Visibility
– Unwise Procurement & Security Spending Decisions
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
Guest lecture on web application security, presented to students at the Indianapolis campus of The Iron Yard on November 9, 2016. This presentation was a basic overview/introduction to security, discussed the CIA Triad, why security is difficult, what happens if we don't do security right, what developers can do to enhance security, and included a brief overview of the OWASP Top Ten.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
2023 NCIT: Introduction to Intrusion Detection (APNIC)
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek... (EC-Council)
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
There is a need to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
These slides are from our webinar covering topics like:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Similar to System Security Beyond the Libraries
API Vulnerabilities and What to Do About Them (Eoin Woods)
In this talk we will review the current security landscape, particularly as it relates to API-based applications, and explore the OWASP API Security Top 10 vulnerabilities in order to understand the top security threats to our APIs, which ones we might have missed in our systems, and what practical mitigations we can use to address them when we get back to work.
A fast paced review of blockchain technology, applications, architectural characteristics and programming, using Ethereum as the main example.
Presented at the JAX London 2017 conference.
Models, Sketches and Everything In Between (Eoin Woods)
Just the mention of the word “modeling” brings back horrible memories of analysis paralysis for many software developers. As a result of the conventional wisdom around Agile development that modeling is usually waste, countless software teams have completely abandoned modeling their systems. The problem is that there is a lot of design information that isn’t in the code, and without any models this information can get lost. Over time, the team ends up with a “big ball of mud.”
In this talk we explain what modeling brings to the development process and its value in different situations, discussing the different levels of formality available, from models to sketches and everything in between. Along the way, we share real-world advice on how a little well-chosen modeling can help avoid chaos.
Serverless Computing for the Inquiring Mind (Eoin Woods)
Overview of "serverless" computing including interactive exercise for thinking through its implications. Presented at the SPA2017 conference (www.spaconference.org).
Using Software Architecture Principles in Practice (Eoin Woods)
Architects have to balance providing clear guidance for important decisions with the need to let people get on and build their aspects of the system without interference. In this talk Eoin Woods explores how architecture principles can help achieve this by making constraints and priorities clear without being unnecessarily prescriptive about how they are to be implemented.
Presented at O'Reilly Software Architecture Conference in London during October 2016.
Secure by Design - Security Design Principles for the Rest of Us (Eoin Woods)
Security is an ever more important topic for system designers. As our world becomes digital, today’s safely-hidden back office system is tomorrow’s public API, open to anyone on the Internet with a hacking tool and time on their hands. So the days of hoping that security is someone else’s problem are over.
The security community has developed a well understood set of principles used to build systems that are secure (or at least securable) by design, but this topic often isn’t included in the training of software developers, assuming that it’s only relevant to security specialists.
In this talk, we will briefly discuss why security needs to be addressed as part of architecture work and then introduce a set of proven principles for the architecture of secure systems, explaining each in the context of mainstream system design, rather than in the specialised language of security engineering.
This version of the talk was presented at GOTO London in October 2016.
Software Architecture as Systems Dissolve (Eoin Woods)
The way we build systems is changing. From our history of monolithic systems, then distributed systems, to Internet connected systems, we are now entering the era of cloud-hosted, microservice based, pay-for-usage system development. What does the history of software architecture tell us about the challenges of this new environment? And how does our approach to software architecture need to evolve in order to meet them?
Software architecture has been a mainstream discipline since the 1990s and in that time has become a recognised, widely researched and often valued part of the software engineering process. However architecture approaches must reflect the technologies and priorities of the systems we are building and in this regard its future has never looked more uncertain or more exciting. From our history of monolithic compile time architecture, to many tiered distributed systems, to Internet connected services, we are now entering the era of cloud-hosted, microservice-based, pay-for-usage systems development. In this new world the boundaries of “my” system are no longer so clear and our systems are dissolving into complex webs of independently owned and evolved services, with nothing more in common than a shared credit card for billing and an agreement on the format of network requests. What can the history of software architecture tell us about the likely challenges in this environment? And how must it develop in order to meet them?
This version of the talk was presented at GOTO London in October 2016.
A recent concept borrowed from Lean thinking is that of the “last responsible moment” for a decision to be made. The idea is a simple one, in that having more information should result in a better decision. However, these moments often seem to loom up earlier than we would like them to. In this session, Eoin will review the idea of the last responsible moment and how that point is identified. We will then identify some design tactics we can use to defer the last responsible moment, illustrating each with some practical examples.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here is a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
More details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
How Recreation Management Software Can Streamline Your Operations.pptx (wottaspaceseo)
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoam (takuyayamamoto1800)
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Navigating the Metaverse: A Journey into Virtual Evolution (Donna Lenk)
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms.
Globus Connect Server Deep Dive - GlobusWorld 2024 (Globus)
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart... (Globus)
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Large Language Models and the End of Programming (Matt Welsh)
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Quarkus Hidden and Forbidden Extensions (Max Andersen)
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
Providing Globus Services to Users of JASMIN for Environmental Data Analysis (Globus)
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
How to Position Your Globus Data Portal for Success: Ten Good Practices (Globus)
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus... (Globus)
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx (rickgrimesss22)
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Prosigns: Transforming Business with Tailored Technology Solutions (Prosigns)
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
3. Introduction
• Security is a difficult thing to achieve
• becoming more important all the time
• Development teams often start with technologies
• “SSL” “Spring Security” “SSO” “Roles” “OAuth”
• “FindBugs” “FxCop” “Fortify” “Tripwire”
• This is completely the wrong way around
• need to understand your risks before finding solutions
• technology is only part of the solution
• In this talk we discuss how to base security on risks
4. Caveats
• This talk is introductory in nature
• some things aren’t talked about at all
• some things are just introduced
• Talk is for system developers not security engineers
• there are many subtleties that are skipped over
• some things are simplified to their essentials
• you still probably need a security specialist
• Doesn’t talk much about technologies or coding practice
• these fundamentals need to be in place first
6. The Need for Security
• We need systems that are dependable in spite of
• Malice
• Error and
• Mischance
• People are sometimes bad, stupid or just unlucky
• System security attempts to mitigate these situations
• Anything of value may attract unwelcome attention
• Theft, Fraud, Destruction, Disruption
7. The Need for Security
• Why do we care about these factors?
• Each of them implies a loss of some sort
• Time
• Money
• Privacy
• Reputation
• Advantage
8. What is Security?
• Security is the business of managing risks
• Security is a type of insurance
• Balances cost and effort against risk of loss
• Some basic terminology
• resources - things of value that (may) need protection
• actors - people (“entities”) interacting with the system
• policies - the rules to control access to the resources
• threats - the reason that the rules may be broken
9. What is Security?
• Security is multi-dimensional
• People
• Users, administrators, security experts (and … attackers)
• Process
• Design, operation, control, monitoring, …
• Technology
• What to apply, how to use it, how to integrate it
“Security is not a product -- it's a process” (Bruce Schneier)
You’re only as strong as your weakest link!
10. Risks, Threats and Attacks
• Vulnerability = a weakness in a security mechanism
• Threat = Vulnerability + Attacker + Motivation
• Attack = when the attacker puts a plan into action
• Risk = threat x likelihood x impact
Source: OWASP
11. Key Security Requirements
• Confidentiality (or Privacy)
• Prevent unauthorised access to information
• Integrity
• Prevent tampering or destruction
• Availability
• Prevent disruption to users of systems
• Accountability (or “non-repudiation”)
• Know who does what, when
14. Modelling the System and Environment
Understand
• System Context
• System Architecture
15. Resources - Identify Value
• What is valuable is often self-evident
• client information … damaging if lost
• what is of value for an external attacker?
• configuration files … reveal network topologies
• Operations as well as data
• viewing a payment might be fine
… releasing a payment is another question!
• May require fine-grained consideration
• HR data - work phone numbers vs home address
Analyse
16. Policy - Define the Required Controls
• Security policy is a security specification
• controls and guarantees needed in the system
• WHO will use the system? (principals)
• WHAT will they work on? (resource types)
• and WHAT may they do? (actions on resources)
17. Security Policy
Principal | Clients | Orders | Refunds <= £100 | Refunds > £100
Onshore Service Agents | Create, View, Modify, (Un)Suspend | All | Create, View, Authorise | View
Offshore Service Agents | View, (Un)Suspend | View, Cancel | View | View
Supervisors | All | All | All | Create, View, Cancel
Finance | View | View | View, Authorise | All
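The slide-17 matrix encoded as a checkable policy, as an added example rather than code from the talk: principals are rows, resource types are columns, and a refund is classified by its amount before the lookup, so the £100 boundary is enforced from the data rather than from which screen the request came through. The function names, the Decimal threshold constant and the per-type action sets that "All" expands to are assumptions of this example; the slides do not enumerate them.

```python
"""Slide-17 security policy as a checkable access-control matrix.
Added example (not the talk's code); function names and the expansion
of "All" are assumptions of this illustration."""
from decimal import Decimal
from typing import FrozenSet, Optional

ALL = "All"  # cell marker from the matrix: every action on that resource type

# What "All" expands to for each resource type. Constructed: the slides only
# show the cells that appear in the matrix, not the complete action vocabulary.
ALL_ACTIONS = {
    "Clients": frozenset({"Create", "View", "Modify", "Suspend", "Unsuspend"}),
    "Orders": frozenset({"Create", "View", "Modify", "Cancel"}),
    "Refunds <= £100": frozenset({"Create", "View", "Cancel", "Authorise"}),
    "Refunds > £100": frozenset({"Create", "View", "Cancel", "Authorise"}),
}

# Rows: principals (roles). Columns: resource types. Cells: permitted actions.
POLICY = {
    "Onshore Service Agents": {
        "Clients": {"Create", "View", "Modify", "Suspend", "Unsuspend"},
        "Orders": ALL,
        "Refunds <= £100": {"Create", "View", "Authorise"},
        "Refunds > £100": {"View"},
    },
    "Offshore Service Agents": {
        "Clients": {"View", "Suspend", "Unsuspend"},
        "Orders": {"View", "Cancel"},
        "Refunds <= £100": {"View"},
        "Refunds > £100": {"View"},
    },
    "Supervisors": {
        "Clients": ALL,
        "Orders": ALL,
        "Refunds <= £100": ALL,
        "Refunds > £100": {"Create", "View", "Cancel"},
    },
    "Finance": {
        "Clients": {"View"},
        "Orders": {"View"},
        "Refunds <= £100": {"View", "Authorise"},
        "Refunds > £100": ALL,
    },
}

REFUND_THRESHOLD = Decimal("100")  # constructed name for the matrix's £100 boundary


def resource_type(kind: str, amount: Optional[str] = None) -> str:
    """Map a concrete resource to the policy's resource type.

    Refunds are split by amount, so the caller must supply the amount; the
    classification is derived from the data, not from the URL or screen
    the request arrived on.
    """
    if kind == "Refund":
        if amount is None:
            raise ValueError("refund amount is required to classify the resource")
        value = Decimal(str(amount))
        return "Refunds <= £100" if value <= REFUND_THRESHOLD else "Refunds > £100"
    if kind in ("Client", "Order"):
        return kind + "s"
    raise ValueError("unknown resource kind: " + kind)


def permitted_actions(role: str, rtype: str) -> FrozenSet[str]:
    """Actions the role may perform on a resource type; empty if none granted."""
    cell = POLICY.get(role, {}).get(rtype, frozenset())
    if cell == ALL:
        return ALL_ACTIONS[rtype]
    return frozenset(cell)


def is_permitted(role: str, action: str, kind: str, amount: Optional[str] = None) -> bool:
    """Default deny: an unknown role, resource, action or missing amount is refused."""
    try:
        rtype = resource_type(kind, amount)
    except ValueError:
        return False
    return action in permitted_actions(role, rtype)
```

Anything the matrix does not grant is refused, including unknown roles and a refund whose amount is missing, and the check is a pure function of (principal, action, resource type), which is what makes a policy like this straightforward to unit test cell by cell against the table.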
18. Threat Modelling
• Threat is a possible breach in security policy
• System/process/people may (will) have vulnerabilities
• Attackers have motivation and goals
• Threat is an attacker exploiting a vulnerability
• Identifying threats is a key part of security design
• threats are where you focus your security effort
• threat modelling is the key activity
19. Threat Modelling
A procedure for optimizing security by identifying
objectives and vulnerabilities, and then defining
countermeasures to prevent, or mitigate the effects
of, threats to the system — OWASP
• Identify the real risks to focus security effort
• A technique all developers should be familiar with
20. Threat Modelling
• Who might attack your system?
• What is their goal?
• Which vulnerabilities might they exploit?
Example (diagram of Alice, Bob and Eve): Attacker: opportunist insider; Goal: secret document; Vulnerability: unprotected key
21. Finding Threats - STRIDE
Spoofing: Pretending to be someone that you’re not
Tampering: Changing information you shouldn’t
Repudiation: Being able to deny performing an action
Information Disclosure: Getting access to information illicitly
Denial of Service: Preventing a service being offered
Elevation of Privilege: Gaining privileges you shouldn’t have
22. Capture Threat Model
ID | Threat Type | Component | Threat | Mitigation
25 | Tampering | WebUI | Javascript tampering in browser, altering order data | OPR-5543 - Add validation and unit tests for incoming order
26 | Spoofing | WebUI | WebUI user spoofing session ID for other user account | OPR-5547 - Regenerate session ID and recheck on every request
23. Exploring Attacks - The Attack Tree
Attacker: Professional hacker
Goal: Obtain customer credit card details
Attack: Extract details from the system database.
1. Access the database directly
1.1. Crack/guess database passwords
1.2. Crack/guess OS passwords to bypass db security
1.3. Exploit a known vulnerability in the database software
2. Access the details via a DBA
2.1. Bribe a database administrator (DBA)
2.2. Social engineering to trick DBA into revealing details
3. …
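The attack tree above, evaluated the way Schneier-style attack trees are used in a design review, as an added example that is not part of the talk: OR nodes take the cheapest child, AND nodes add up their children, a leaf that an existing control already addresses is treated as infeasible, and each candidate mitigation is scored by how far it raises the attacker's cheapest path. The Node class, the AND-node support and the effort figures are constructed for this illustration; the talk's tree has only OR branches and carries no figures.

```python
"""Attack tree evaluation: OR/AND nodes, cheapest-path search and the effect
of candidate mitigations. Added example (not the talk's code): node labels
are from slide 23; the Node API and all cost figures are constructed."""
import copy
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    label: str
    kind: str = "OR"            # "OR": any child suffices; "AND": every child is needed
    cost: float = 0.0           # leaves only: estimated attacker effort (constructed units)
    mitigated: bool = False     # leaves only: a control in place makes this step infeasible
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cost and path of the least-effort way to achieve `node`.

    A mitigated leaf costs infinity: it drops out of an OR choice and makes
    any AND step that depends on it infeasible.
    """
    if not node.children:
        return (math.inf if node.mitigated else node.cost), [node.label]
    results = [cheapest(child) for child in node.children]
    if node.kind == "OR":
        cost, path = min(results, key=lambda r: r[0])
        return cost, [node.label] + path
    if node.kind != "AND":
        raise ValueError("unknown node kind: " + node.kind)
    total = sum(cost for cost, _ in results)
    return total, [node.label] + [step for _, path in results for step in path]


def mark_mitigated(node: Node, prefix: str) -> bool:
    """Mark every leaf whose label starts with `prefix` as mitigated."""
    if not node.children:
        if node.label.startswith(prefix):
            node.mitigated = True
            return True
        return False
    return any([mark_mitigated(child, prefix) for child in node.children])


def mitigation_impact(tree: Node, prefixes: List[str]) -> Dict[str, float]:
    """Cheapest remaining attack after each candidate mitigation, applied alone.

    The defender's question is which control raises the attacker's cheapest
    path the most, so each candidate is evaluated on its own copy of the tree.
    """
    impact = {}
    for prefix in prefixes:
        trial = copy.deepcopy(tree)
        mark_mitigated(trial, prefix)
        impact[prefix] = cheapest(trial)[0]
    return impact


def slide_23_tree() -> Node:
    """The talk's tree with constructed effort figures on the leaves."""
    return Node("Extract details from the system database", "OR", children=[
        Node("1. Access the database directly", "OR", children=[
            Node("1.1 Crack/guess database passwords", cost=20),
            Node("1.2 Crack/guess OS passwords to bypass db security", cost=40),
            Node("1.3 Exploit a known vulnerability in the database software", cost=60),
        ]),
        Node("2. Access the details via a DBA", "OR", children=[
            Node("2.1 Bribe a database administrator (DBA)", cost=100),
            Node("2.2 Social engineering to trick DBA into revealing details", cost=30),
        ]),
    ])
```

With the constructed figures the cheapest path runs through branch 1.1, and `mitigation_impact` shows why mitigating it alone is not enough: the cheapest path simply moves to 2.2, which is the point of ranking controls by the residual path cost rather than by the node they address.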
24. Comparing Threats - DREAD Model
• Risk = Damage (1..10) + Reproducibility (1..10) + Exploitability (1..10) + Affected Users (1..10) + Discoverability (1..10)
• Sum values and divide by 5 for the DREAD rating
https://www.owasp.org/index.php/Threat_Risk_Modeling
• Can be criticised for lack of consistency
• Still a useful process - but sanity check results
25. DREAD Model Example
• Suppose a threat where …
• damage limited to individual users => 5/10
• is reproducible with a browser => 10/10
• needs malware for the exploit => 5/10
• affects many but not all users => 5/10
• and can be discovered easily => 10/10
• DREAD value = (5+10+5+5+10)/5 = 7/10
a useful process … but thinking is still required!
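A threat register in the shape of the slide-22 table, rated with the DREAD formula from slide 24 and ranked for attention, as an added example rather than code from the talk. The Threat class, its range validation, the scores given to threat 26 and the third entry are constructed; threat 25 carries the scores of the slide-25 worked example.

```python
"""Threat register (slide-22 columns) with DREAD rating (slide 24) and
prioritisation. Added example (not the talk's code): the Threat class, its
field names, the scores for threat 26 and the third entry are constructed."""
from dataclasses import dataclass
from typing import List

STRIDE = {
    "Spoofing", "Tampering", "Repudiation",
    "Information Disclosure", "Denial of Service", "Elevation of Privilege",
}
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    id: int
    threat_type: str        # STRIDE category
    component: str
    description: str
    mitigation: str         # tracked work item, as on slide 22
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject entries the rating would otherwise silently get wrong.
        if self.threat_type not in STRIDE:
            raise ValueError("threat type must be a STRIDE category: " + self.threat_type)
        for name in DREAD_FIELDS:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    def dread(self) -> float:
        """Slide 24: sum the five 1..10 scores and divide by 5."""
        return sum(getattr(self, name) for name in DREAD_FIELDS) / 5


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Highest DREAD rating first; ties broken by ID so the order is stable."""
    return sorted(threats, key=lambda t: (-t.dread(), t.id))


def sample_register() -> List[Threat]:
    """The two threats from slide 22 plus one constructed low-rated entry."""
    return [
        Threat(25, "Tampering", "WebUI",
               "Javascript tampering in browser, altering order data",
               "OPR-5543 - Add validation and unit tests for incoming order",
               5, 10, 5, 5, 10),          # slide-25 worked scores -> 7.0
        Threat(26, "Spoofing", "WebUI",
               "WebUI user spoofing session ID for other user account",
               "OPR-5547 - Regenerate session ID and recheck on every request",
               8, 6, 7, 9, 8),            # constructed scores -> 7.6
        Threat(27, "Denial of Service", "Search",   # constructed entry
               "Expensive wildcard search ties up worker threads",
               "TBD - placeholder work item",
               3, 4, 3, 2, 3),            # -> 3.0
    ]
```

The ranking is only as good as the five judgements behind it, which is the consistency criticism the slide raises; keeping the individual scores on the record, rather than just the average, is what lets a reviewer sanity check a surprising rating.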
26. Libraries for Known Problems
• OWASP Top 10 list
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• WASC threat classification
• http://projects.webappsec.org/f/WASC-TC-v2_0.pdf
• Mitre’s CAPEC & CWE
• Common Attack Pattern Enumeration & Classification
• Common Weaknesses Enumeration
27. Security Abuse Cases
Diagram: use cases User Logs In, Search Catalogue and Order Items (actor: Customer); abuse cases Steal Auth Token and Spoof Authorisation (actor: Attacker), linked to the use cases by «threatens» and «depends» relationships
28. Abuse Case Example
Abuse Case: Spoofing Authorisation via Valid Authentication
Threat:
The misuser steals an authorisation token and attempts to use it
via a valid (other) authenticated identity
Preconditions:
1) The misuser has a valid means of user authentication
(e.g. username/password).
2) The misuser has a stolen user authorisation token.
Actions:
1. The system shall request the user’s identity and authentication.
2. The misuser authenticates himself correctly.
3. The system shall identify and authenticate the user.
4. The misuser attempts to authorise using the stolen token.
5. The system rejects the authorisation attempt, audits the event,
terminates the session and locks the user account.
Postconditions:
1. The system shall have identified and authenticated the misuser
2. The system shall have prevented the misuser from stealing
another user’s means of authorisation.
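One way a system can enforce the abuse case above, as an added example that is not the talk's code: authorisation tokens are bound to the identity that authenticated and signed with an HMAC, so a stolen token presented from another user's valid session fails the subject check, which is audited, terminates the session and locks the account (step 5). Login also issues a fresh session ID on every successful authentication, the mitigation recorded as OPR-5547 on slide 22. The AuthSystem class, the token layout, the in-memory stores and the server key are assumptions of this example.

```python
"""Enforcement of the slide-28 abuse case: tokens are bound to the
authenticated identity; a stolen token is rejected, audited, the session is
terminated and the account locked. Added example (not the talk's code); the
AuthSystem API, token format and in-memory stores are constructed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

TOKEN_KEY = secrets.token_bytes(32)   # constructed; a real deployment loads this from a secret store
TOKEN_TTL = 600                       # token lifetime in seconds (constructed)


@dataclass
class Session:
    session_id: str
    user: str
    active: bool = True


class AuthSystem:
    def __init__(self) -> None:
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash); demo store
        self.sessions: Dict[str, Session] = {}
        self.locked: Set[str] = set()
        self.audit_log: List[str] = []

    # -- authentication (abuse case steps 1-3) --------------------------------
    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a new session ID, or None. A fresh ID is generated on every
        successful login; nothing supplied by the client is reused."""
        if user in self.locked:
            self._audit(f"login refused: account locked user={user}")
            return None
        record = self.credentials.get(user)
        if record is None or not hmac.compare_digest(self._hash(password, record[0]), record[1]):
            self._audit(f"login failed user={user}")
            return None
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(session_id, user)
        return session_id

    # -- authorisation tokens (abuse case steps 4-5) --------------------------
    @staticmethod
    def _sign(payload: str) -> str:
        return hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def issue_token(self, session_id: str) -> str:
        """Token carrying the session's user, an expiry and a nonce, signed so
        that none of the three can be changed without the key."""
        session = self.sessions[session_id]
        payload = f"{session.user}|{int(time.time()) + TOKEN_TTL}|{secrets.token_hex(8)}"
        return payload + "|" + self._sign(payload)

    def authorise(self, session_id: str, token: str) -> bool:
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        parts = token.split("|")
        if len(parts) != 4:
            self._audit(f"malformed token user={session.user}")
            return False
        subject, expiry, nonce, mac = parts
        if not hmac.compare_digest(mac, self._sign(f"{subject}|{expiry}|{nonce}")):
            self._audit(f"invalid token signature user={session.user}")
            return False
        if int(expiry) < time.time():
            self._audit(f"expired token user={session.user}")
            return False
        if subject != session.user:
            # Abuse case step 5: a genuine token, but issued to someone else.
            self._audit(f"stolen token: subject={subject} presented by user={session.user}")
            session.active = False
            self.locked.add(session.user)
            return False
        return True

    def _audit(self, event: str) -> None:
        self.audit_log.append(f"{int(time.time())} {event}")
```

The subject check is what turns the stolen token into a detectable event: because the token names its owner and the signature covers that name, the misuser's only route is to present it from a session that is not the owner's, and that mismatch is exactly the postcondition the abuse case asks the system to guarantee.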
29. Minimise the Attack Surface
• The attack surface is the set of potentially vulnerable ways into the system (“attack vectors”)
• smaller attack surface = less to attack and secure
• OWASP definition:
• all channels into and out of the system
• the code securing those channels
• data of value within the application (security & domain)
• the code securing this data
• Reduce interfaces, protocols, services, …
• conflict with other goals!
Mitigate
30. Security Countermeasures
• Once risks prioritised then implement mitigations
• Some are well known and relatively straightforward
• e.g. use of role based access control
• Some are more complex but well known
• e.g. XSS or SQL injection require input validation
• Some need custom solutions
• e.g. attacks based on organisation structure
• Remember people, process and technology!
31. Incident Response
• Despite security measures, a system may be breached
• Need a plan for what you do when it happens
• an incident response plan
• a standing incident response team
• Broader than technical mitigation
• technical, management, legal & communications
• A plan allowing a clear, logical, risk driven response
• analysis, mitigation, evidence, communication, lessons
• Practice your response
32. Secure Implementation
• Secure design is useless if implemented insecurely
• secure implementation outside the scope of this talk
• Secure implementation can be complicated
• requires knowledge and care
• relatively specialist today
• Static analysis and expert code review
• FxCop, FindBugs, CodeAnalysis, Coverity, Fortify, …
• OWASP code review guidelines
• Oracle Java security guidelines
33. Top Application Security Coding Errors
• Not thoroughly validating input
• Injection attack vulnerabilities
• Insecure randomness
• Using custom cryptography
• Insecure logging
• Careless exception handling
• Lack of security testing
… this topic needs another session
34. Testing and Verification
• As a software quality, security needs to be tested
• security testing largely outside the scope of this talk
• Wide range of security validation activities:
• static analysis of code
• functional testing of security features
• penetration / known vulnerability / fuzz testing
• manual system security review
• threat mitigation tests
• Risk driven approach needed to maximise RoI
• Consider third party assistance
Validate
36. Summary
• We’ve looked at how to improve system security
• we need to be risk and principle driven
• Security requires: People, Process and Technology
• the weakest of the three is your security level
• Security needs to be designed in
• it’s very difficult and expensive to add later
• Be guided by risks not security technologies
• threat risk models (STRIDE and DREAD); attack trees
• Get the experts involved for significant risks
• and never invent your own security technology!
37. Summary (ii)
Never stop asking “why?” and “what if?”
critically important info sec questions!
38. Resources
• OWASP - http://www.owasp.org
• Top 10, cookbooks, guides, sample apps, tutorials, …
• Microsoft SDL - http://www.microsoft.com/security/sdl
• complete security development lifecycle with resources
• Elevation of Privilege game - http://tinyurl.com/eopgame
• card game which helps to explain and drive threat modelling
• Trike - http://www.octotrike.org
• alternative threat modelling approach
• CAPEC, CWE - http://{capec,cwe}.mitre.org
• threat and vulnerability lists
38
39. Resources
• CPNI - http://www.cpni.gov.uk
  • UK government support for cyber security
• US Government CERT - https://www.us-cert.gov
• CMU’s CERT - http://cert.org
  • vulnerability monitoring and alerting
• WASC - http://www.webappsec.org
  • similar organisation to OWASP
• SANS Institute - http://www.sans.org
  • security research and education
43. Security Mechanisms and Attacks
• This talk is for system designers, not security specialists
• Understanding mechanisms and attacks is hard
  • people who like this sort of thing are security engineers!
• This section overviews key mechanisms and some of the more important types of attack
  • this isn’t a detailed explanation of any of this
  • make sure you consult a security expert when needed
  • this is useful to understand the basics and the
44. Partial Summary of Security Mechanisms
Authentication (“Who are you?”): Usernames & passwords, 2FA, biometrics, certificates, …
Authorisation (“What can you do?”): Roles, access control lists, OAuth, permissions, …
Confidentiality (“Keeping stuff secret”): Encryption, access control lists, …
Integrity (“Stop tampering”): Cryptographic hashing, checksums, …
Non-Repudiation (“You did that”): Cryptographic signing, audit trails, …
Auditing (“What happened, when?”): Secure record of who did what, when
45. Cryptography and its Uses
• Cryptography: the process of keeping information private (typically) using a cypher and a key
• Two broad subfields:
  • Symmetric Key - the same key is used to encrypt and decrypt
  • Public Key - a pair of keys, one to encrypt and one to decrypt
  • Often used together for real applications
• Applications of cryptography: privacy (encryption), integrity (signing) and non-repudiation (signing)
• Difficulties with cryptography include designing
47. Basic Public Key Cryptography
Alice encrypts the message with Bob’s public key; Bob decrypts it with Bob’s private key. The public and private keys are the two halves of Bob’s keypair.
48. Comparing Symmetric and Public Key
Symmetric Key                            | Public Key
Single shared key                        | A keypair needs to be generated, with a public and a private key
Single key needs to be shared securely   | Private key is kept secret, public key can be freely shared
Efficient computationally                | Really slow (~100s of times slower)
Classic attack is stealing keys          | Classic attack is forging public keys, so faking identity
Big challenge is passing keys around     | Big challenge is chains of trust, so you know keys (certs) are valid
49. Example of Crypto in Practice: Key Exchange
Client -> Server: Client Hello (“Hello - here are the options I know about ….”)
Server -> Client: Server Hello (“OK - here are the options we’ll use ….”)
Server -> Client: Server Certificate (“Here is my certificate (public key) ….”)
Client -> Server: Client Key Exchange (“Here is a symmetric key”, encrypted with the server’s public key)
Client <-> Server: Data Exchange (encrypted with the symmetric key)
51. Summary of Common Attacks
Social Engineering (Attack the people): Bluffing, bribery, coercion, …
Network Attacks (Protocol exploits): SYN floods, DDoS, DNS attacks, …
Application Attacks (Flaws and bugs): XSS, SQL injection, corrupted input (fuzz), DLL attacks, CGI/SSI attacks, …
Programming Attacks (Abuse of a language): Stack overflows, buffer overflows, known bugs in libraries, …
Crypto Attacks (Algorithms or design): Known plain/cipher text, randomness, cert forgery, man in the middle, traffic analysis, …