Testing Docker Images Security -NcN
En esta conferencia se presentarán las mejores praćticas a nivel de revisiones de seguridad en las imágenes de docker. En primer lugar, se verá una descripción general del proceso de despliegue de una imagen en el repositorio oficial docker hub. En segundo lugar, se comentarán las principales superficies de ataque y las amenazas sobre dichas imágenes. Por último, se verá cómo se puede detectar vulnerabilidades en las imágenes con herramientas que permite automatizar éste proceso y otras técnicas de análisis de código junto con las mejores prácticas que explican cómo remediar estas vulnerabilidades. Se harán demos con herramientas Opensource y algunos casos de uso con python.
Docker Security - Secure Container Deployment on LinuxMichael Boelen
How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis.
Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
Currently XSM is very limited and restrictive in its functionality .
1) one single big policy controlling all domains,
2) reloading new policy requires host reboot.
3) multiple domains performing similar functions to be grouped under same security label and type.
Anshul Makkar, is going to present a talk to discuss about the ongoing work to overcome the above limitations. Some of the security aspect that he will cover
Some of the security features that I will cover.
1) Interdomain communication
2) Creating secure stub domains.
3) Securing and segregating introspection domains.
Testing Docker Images Security -NcN
En esta conferencia se presentarán las mejores praćticas a nivel de revisiones de seguridad en las imágenes de docker. En primer lugar, se verá una descripción general del proceso de despliegue de una imagen en el repositorio oficial docker hub. En segundo lugar, se comentarán las principales superficies de ataque y las amenazas sobre dichas imágenes. Por último, se verá cómo se puede detectar vulnerabilidades en las imágenes con herramientas que permite automatizar éste proceso y otras técnicas de análisis de código junto con las mejores prácticas que explican cómo remediar estas vulnerabilidades. Se harán demos con herramientas Opensource y algunos casos de uso con python.
Docker Security - Secure Container Deployment on LinuxMichael Boelen
How to securely deploy your containers, by the author of rkhunter and auditing tool Lynis.
Many introductory talks about Docker and its container technology, have been given. This attention to the subject is not surprising, seeing the amount of people "doing DevOps" now.
With container technology being fairly new on the Linux platform, the security aspects of containers are often being overlooked. While Linux containers do still not fully contain from a security point of view, we can definitely improve the security level of them.
In this talk, we have a look at the underlying Linux security measures, followed by the features Docker itself has to offer. The goal is to get an understanding how we can deploy containers in a secure way. After all, Docker is no longer just a toy, and our precious data is involved.
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
Currently XSM is very limited and restrictive in its functionality .
1) one single big policy controlling all domains,
2) reloading new policy requires host reboot.
3) multiple domains performing similar functions to be grouped under same security label and type.
Anshul Makkar, is going to present a talk to discuss about the ongoing work to overcome the above limitations. Some of the security aspect that he will cover
Some of the security features that I will cover.
1) Interdomain communication
2) Creating secure stub domains.
3) Securing and segregating introspection domains.
Distrowatch.com currently list over 300 publicly available Linux distributions. Volunteers make most of them. How it’s possible that they don’t explode into our faces on a regular basis? I had pleasure to share some of my thoughts on the topic during Testwarez 2018.
There are slides (probably with little fixes) from this conference. Please note that some of them won't make sense without context (presentation itself).
Docker Security and Orchestration for DevSecOps winsSharath Kumar
Dockers have literally transformed product deployment across the software industry. It makes traditional deployments a lot easier and supplements paradigms like Virtual Machines and Hypervisors.
While Dockers make packaging and deployments relatively simple, securing them continues to be a challenge especially when faced with Docker specific security threats such as Dockerization daemon, shared kernel and other shared resources like network and the filesystem.
Securing Dockerized deployments and orchestrating them IS, and WILL remain a key challenge for several Security practitioners and DevOps engineers.
MR201404 building secure linux application with privilege separationFFRI, Inc.
• Privilege separation limits incursion into your application
• Show key technology of privilege separation as follows:
– Process dividing
– Process sandboxing
– Inter-process communications
• Seccomp Mode 2 is state-of-the-art of Linux sandboxing
• Some security-critical open source software has been armed process diving and sandboxing
• Privilege separation increases security, but a development cost increase again
Introducing containers and docker, answering questions like: What are software containers? What is Docker? Who and why should I use Docker?
Slides also discuss the role of dev-ops and Docker and walk you through some examples.
By Aram Yegenian — System Administrator
Introduction to Containers - From Docker to Kubernetes and everything in betweenAll Things Open
Presented at: Open Source 101 2020 - Columbia, SC
Presented by: Brent Laster, SAS
Abstract: In this workshop, students will get a quick overview of what containers are and why they form the basis for many of the key technologies that we use today in cloud environments.
We’ll explore what makes up a container and how they are managed and leveraged in key industry tooling including Docker, Kubernetes, Helm, and Istio. You’ll also learn the basics of these technologies, what they are used for, and see some simple examples of how to use them.
This workshop will include hands-on labs where you will get experience:
- Building container images, running them as containers, and tagging and pushing them into a Docker repository.
- Creating deployments, services, and pods for containers and instantiating and running those in Kubernetes.
- Working with Helm to leverage templates for Kubernetes objects and managing releases in Kubernetes.
- Working with Istio to do traffic shaping between multiple versions of your app, fault and delay injection for testing and validation in Kubernetes.
We’ll also briefly cover GitOps – the recommend Git-based way to manage infrastructure like your Kubernetes cluster.
Docker and Containers are proven solutions, but are they ready to replace your current deployment? And more importantly, are you aware of the changes you'll have to make to accommodate them? Are there any risks involved? This talk will answer these questions and talk about how to plan, automate, build, deploy, and orchestrate the whole process.
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
Docker best practice
про Docker, лучшие практики в написании Dockerfile, проблемы большого количества слоев (Layers) в images и подходы по оптимизации Layers в images, функционал multi-stage builds, подходы к безопастности контейнеров и Hosts системе, подходы дебагинга и мониторинга.
ExpoQA 2017 Using docker to build and test in your laptop and JenkinsElasTest Project
In this workshop the basics about container use in the development environment are presented. Then we go further by describing how to leverage containers in the CI server, using Jenkins and Pipelines.
Agenda:
An in depth review of various security mechanisms in the kernel like those added by PAX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
DCSF 19 Building Your Development Pipeline Docker, Inc.
Oliver Pomeroy, Docker & Laura Tacho, Cloudbees
Enterprises often want to provide automation and standardisation on top of their container platform, using a pipeline to build and deploy their containerized applications. However this opens up new challenges; Do I have to build a new CI/CD Stack? Can I build my CI/CD pipeline with Kubernetes orchestration? What should my build agents look like? How do I integrate my pipeline into my enterprise container registry? In this session full of examples and how-to's, Olly and Laura will guide you through common situations and decisions related to your pipelines. We'll cover building minimal images, scanning and signing images, and give examples on how to enforce compliance standards and best practices across your teams.
Distrowatch.com currently list over 300 publicly available Linux distributions. Volunteers make most of them. How it’s possible that they don’t explode into our faces on a regular basis? I had pleasure to share some of my thoughts on the topic during Testwarez 2018.
There are slides (probably with little fixes) from this conference. Please note that some of them won't make sense without context (presentation itself).
Docker Security and Orchestration for DevSecOps winsSharath Kumar
Dockers have literally transformed product deployment across the software industry. It makes traditional deployments a lot easier and supplements paradigms like Virtual Machines and Hypervisors.
While Dockers make packaging and deployments relatively simple, securing them continues to be a challenge especially when faced with Docker specific security threats such as Dockerization daemon, shared kernel and other shared resources like network and the filesystem.
Securing Dockerized deployments and orchestrating them IS, and WILL remain a key challenge for several Security practitioners and DevOps engineers.
MR201404 building secure linux application with privilege separationFFRI, Inc.
• Privilege separation limits incursion into your application
• Show key technology of privilege separation as follows:
– Process dividing
– Process sandboxing
– Inter-process communications
• Seccomp Mode 2 is state-of-the-art of Linux sandboxing
• Some security-critical open source software has been armed process diving and sandboxing
• Privilege separation increases security, but a development cost increase again
Introducing containers and docker, answering questions like: What are software containers? What is Docker? Who and why should I use Docker?
Slides also discuss the role of dev-ops and Docker and walk you through some examples.
By Aram Yegenian — System Administrator
Introduction to Containers - From Docker to Kubernetes and everything in betweenAll Things Open
Presented at: Open Source 101 2020 - Columbia, SC
Presented by: Brent Laster, SAS
Abstract: In this workshop, students will get a quick overview of what containers are and why they form the basis for many of the key technologies that we use today in cloud environments.
We’ll explore what makes up a container and how they are managed and leveraged in key industry tooling including Docker, Kubernetes, Helm, and Istio. You’ll also learn the basics of these technologies, what they are used for, and see some simple examples of how to use them.
This workshop will include hands-on labs where you will get experience:
- Building container images, running them as containers, and tagging and pushing them into a Docker repository.
- Creating deployments, services, and pods for containers and instantiating and running those in Kubernetes.
- Working with Helm to leverage templates for Kubernetes objects and managing releases in Kubernetes.
- Working with Istio to do traffic shaping between multiple versions of your app, fault and delay injection for testing and validation in Kubernetes.
We’ll also briefly cover GitOps – the recommend Git-based way to manage infrastructure like your Kubernetes cluster.
Docker and Containers are proven solutions, but are they ready to replace your current deployment? And more importantly, are you aware of the changes you'll have to make to accommodate them? Are there any risks involved? This talk will answer these questions and talk about how to plan, automate, build, deploy, and orchestrate the whole process.
"Docker best practice", Станислав Коленкин (senior devops, DataArt)DataArt
Docker best practice
про Docker, лучшие практики в написании Dockerfile, проблемы большого количества слоев (Layers) в images и подходы по оптимизации Layers в images, функционал multi-stage builds, подходы к безопастности контейнеров и Hosts системе, подходы дебагинга и мониторинга.
ExpoQA 2017 Using docker to build and test in your laptop and JenkinsElasTest Project
In this workshop the basics about container use in the development environment are presented. Then we go further by describing how to leverage containers in the CI server, using Jenkins and Pipelines.
Agenda:
An in depth review of various security mechanisms in the kernel like those added by PAX and grsecurity.
Speaker:
Yehontan Biton, senior kernel developer and computer science researcher for Ben Gurion University of the Negev.
DCSF 19 Building Your Development Pipeline Docker, Inc.
Oliver Pomeroy, Docker & Laura Tacho, Cloudbees
Enterprises often want to provide automation and standardisation on top of their container platform, using a pipeline to build and deploy their containerized applications. However this opens up new challenges; Do I have to build a new CI/CD Stack? Can I build my CI/CD pipeline with Kubernetes orchestration? What should my build agents look like? How do I integrate my pipeline into my enterprise container registry? In this session full of examples and how-to's, Olly and Laura will guide you through common situations and decisions related to your pipelines. We'll cover building minimal images, scanning and signing images, and give examples on how to enforce compliance standards and best practices across your teams.
The continued adoption of containers for deployments has introduced a new path for security issues. In this talk, we will cover the most common areas of vulnerabilities, the challenges in securing your containers, some good practices to help overcome these issues and how to run container security scanning as part of your deployment pipeline.
Introduction to Docker and Monitoring with InfluxDataInfluxData
In this webinar, Gary Forgheti, Technical Alliance Engineer at Docker, and Gunnar Aasen, Partner Engineering, provide an introduction to Docker and InfluxData. From there, they will show you how to use the two together to setup and monitor your containers and microservices to properly manage your infrastructure and track key metrics (CPU, RAM, storage, network utilization), as well as the availability of your application endpoints.
This presentation gives a brief understanding of docker architecture, explains what docker is not, followed by a description of basic commands and explains CD/CI as an application of docker.
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
Andy has made mistakes. He's seen even more. And in this talk he details the best and the worst of the container and Kubernetes security problems he's experienced, exploited, and remediated.
This talk details low level exploitable issues with container and Kubernetes deployments. We focus on lessons learned, and show attendees how to ensure that they do not fall victim to avoidable attacks.
See how to bypass security controls and exploit insecure defaults in this technical appraisal of the container and cluster security landscape.
This session provides a quick introduction of Docker containers on Linux, and how to configure it on Ubuntu running on a POWER8 processor-based system. We discuss requisites, steps, repositories and use cases. We also make a comparison between Docker and AIX Workload Partitions. During the presentation we demonstrate how to deploy and use containers, and how to manager Docker containers on Power.
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaci...Jose Manuel Ortega Candel
Los benchmarks son programas que permiten evaluar el rendimiento de un sistema, componente o proceso en comparación con otros sistemas similares. Son herramientas esenciales para medir y comparar el rendimiento de hardware, software y sistemas en diferentes áreas. El objetivo es dar a conocer las principales herramientas de benchmark que disponemos hoy en día para medir el rendimiento.
Entre los puntos a tratar podemos destacar:
-Introducción a Benchmarks: Definición y propósito de los benchmarks en la medición del rendimiento
-Tipos de Benchmarks: Benchmarks sintéticos vs. Benchmarks del mundo real.Benchmarks específicos para CPU, memoria, almacenamiento, y gráficos
-Selección de Benchmarks: Consideraciones al elegir benchmarks según el tipo de aplicación y los objetivos de evaluación
En el mundo actual, las APIs juegan un papel importante en la creación de aplicaciones y servicios robustos y flexibles. Sin embargo, con la expansión de las APIs, también surge la necesidad de abordar los desafíos de seguridad asociados.
En esta charla, exploraremos en detalle el OWASP Top 10 de Seguridad en APIs, una lista de las principales vulnerabilidades que los desarrolladores y equipos de seguridad deben tener en cuenta al diseñar, desarrollar y asegurar sus APIs. Por último, comentaremos las mejores prácticas para mitigar los riesgos y garantizar la seguridad de tus APIs. Entre los puntos a tratar podemos destacar:
1.Introducir el concepto de seguridad en las APIs
2.OWASP Top 10 y su importancia para la seguridad en APIs
3.Actualización del OWASP Top 10 security en 2023
4.Herramientas para evaluar y mejorar la seguridad de tus APIs.
5.Estrategias y mejores prácticas para garantizar la seguridad de tus APIs.
La seguridad en aplicaciones web es un aspecto fundamental para garantizar la protección de los datos y la confidencialidad de los usuarios. Si nuestro objetivo es aprender como Django gestiona la seguridad, PyGoat es una aplicación desarrollada con Django vulnerable de forma intencionada que puede ser utilizada para aprender a asegurar nuestras aplicaciones Django.
En esta charla, analizamos como Django gestiona la seguridad utilizando la aplicación vulnerable Pygoat, identificando los problemas de seguridad subyacentes. Aprenderemos sobre vulnerabilidades de seguridad comunes como las que aparecen en el OWASP Top 10 en aplicaciones Django y cómo solucionarlas para que podamos mantener nuestras aplicaciones a salvo de atacantes.
Entre los puntos a tratar podemos destacar:
Introducción a la seguridad en aplicaciones Django
Pygoat como ejemplo de aplicación vulnerable
Vulnerabilidades OWASP top 10 y mitigación
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Jose Manuel Ortega Candel
En la actualidad, la tecnología blockchain y los smart contracts están revolucionando la forma en que interactuamos con la información y realizamos transacciones. Sin embargo, esta innovación no está exenta de desafíos en cuanto a la ciberseguridad se refiere. En esta charla, exploraremos los desafíos desde el punto de vista de la ciberseguridad en blockchain y smart contracts, así como las soluciones y enfoques para mitigar los riesgos asociados. A medida que continuamos adoptando estas tecnologías disruptivas, es fundamental comprender y abordar adecuadamente los aspectos de seguridad para minimizar los posibles riesgos. Entre los puntos a tratar podemos destacar:
1. Fundamentos de Blockchain y Smart Contracts 2. Desafíos de Seguridad en Blockchain 3. Seguridad en Smart Contracts 4. Auditorías y Pruebas de Seguridad en smart contracts
In the latest versions of K8s there has been an evolution regarding the definition of security strategies at the level of access policies to the cluster by users and developers. The security contexts (securityContext) allow you to define the configurations at the level of access control and privileges for a pod or container in a simple way using keywords in the configuration files.
To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP) where the cluster administrator is in charge of defining these policies at the cluster level with the aim that developers can follow these policies.
Other interesting projects include Open Policy Agent (OPA) as the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as analyze their behavior in accessing resources. Among the points to be discussed we can highlight:
-Introduction to security strategies in K8s environments
-Pod Security Admission(PSA) vs Open Policy Agent (OPA)
-Combination of different security strategies together
-Access to resources in privileged and non-privileged mode
In the latest versions of K8s there has been an evolution regarding the definition of security strategies at the level of access policies to the cluster by users and developers. The security contexts (securityContext) allow you to define the configurations at the level of access control and privileges for a pod or container in a simple way using keywords in the configuration files.
To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP) where the cluster administrator is in charge of defining these policies at the cluster level with the aim that developers can follow these policies.
Other interesting projects include Open Policy Agent (OPA) as the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as analyze their behavior in accessing resources. Among the points to be discussed we can highlight:
*Introduction to security strategies in K8s environments
*Pod Security Admission(PSA) vs Open Policy Agent (OPA)
*Combination of different security strategies together
*Access to resources in privileged and non-privileged mode
No production system is complete without a way to monitor it. In software, we define observability as the ability to understand how our system is performing. This talk dives into capabilities and tools that are recommended for implementing observability when running K8s in production as the main platform today for deploying and maintaining containers with cloud-native solutions.
We start by introducing the concept of observability in the context of distributed systems such as K8s and the difference with monitoring. We continue by reviewing the observability stack in K8s and the main functionalities. Finally, we will review the tools K8s provides for monitoring and logging, and get metrics from applications and infrastructure.
Between the points to be discussed we can highlight:
-Introducing the concept of observability
-Observability stack in K8s
-Tools and apps for implementing Kubernetes observability
-Integrating Prometheus with OpenMetrics
La computación distribuída es un nuevo modelo de computación que surgió con el objetivo de resolver problemas de computación masiva donde diferentes máquinas trabajan en paralelo formando un clúster de computación.
En los últimos años han surgido diferentes frameworks como Apache Hadoop, Apache Spark y Apache Flink que permiten resolver este tipo de problemas donde tenemos datos masivos desde diferentes fuentes de datos.
Dentro del ecosistema de Python podemos destacar las librerías de Pyspark y Dask de código abierto que permiten la ejecución de tareas de forma paralela y distribuida en Python.
Entre los puntos a tratar podemos destacar:
Introducción a la computación distribuida
Comparando tecnologías de computación distribuida
Frameworks y módulos en Python para computación distribuida
Casos de uso en proyectos Big Data
En los últimos años, las arquitecturas cloud han evolucionado a un modelo serverless que trae como principales ventajas la posibilidad de ejecutar código sin aprovisionar ni administrar servidores. Este tipo de arquitecturas permite ejecutar el código en una infraestructura con alta disponibilidad y escalado automático, así como capacidades de monitorización de forma automática. Sin embargo, estos tipos de arquitecturas introducen un conjunto completamente nuevo de implicaciones de seguridad que deben tenerse en cuenta al crear sus aplicaciones.
El OWASP Serverless Top 10 es una excelente referencia para conocer los posibles riesgos de seguridad y las consecuencias de implementar una arquitectura serverless, así como también cómo mitigarlos.
En esta charla se analizará el estado actual de la seguridad en arquitecturas serverless, los principales riesgos y cómo podríamos mitigarlos de una forma sencilla. Entre los puntos a tratar podemos destacar:
-Introducción a las arquitecturas serverless
-Seguridad en arquitecturas serverless y OWASP Serverless Top 10
-Pentesting sobre aplicaciones serverless
-Mejoras prácticas de seguridad al trabajar en entornos cloud
La adopción de arquitecturas basadas en microservicios ha crecido de manera exponencial en los últimos años. Cuando se trata de obtener la máxima seguridad utilizamos lo que se denomina arquitecturas de “confianza cero” (zero trust architecture). Las arquitecturas de este tipo establecen mecanismos de autenticación y autorización entre nuestros propios microservicios, aumentando de esta manera la seguridad en entornos altamente regulados.
El objetivo de esta charla es dar a conocer los principios básicos para construir aplicaciones utilizando arquitecturas zero trust y algunas herramientas para realizar auditorías de seguridad en entornos cloud. Entre los puntos a tratar podemos destacar:
Introducción a DevSecOps y modelado de amenazas
Modelo de confianza cero(zero trust) en la nube
Mejoras prácticas a nivel de permisos y estrategias de seguridad al trabajar en entornos cloud
Herramientas de análisis orientadas al pentesting en entornos cloud
Python has become the most widely used language for machine learning and data science projects due to its simplicity and versatility.
Furthermore, developers get to put all their effort into solving an Machine Learning or data science problem instead of focusing on the technical aspects of the language.
For this purpose, Python provides access to great libraries and frameworks for AI and machine learning (ML), flexibility and platform independence
In this talk I will try to get a selection of libraries and frameworks that can help us introduce in the Machine Learning world and answer the question that all people is doing, What makes Python the best programming language for machine learning?
In this talk I will show how to save secret keys in Docker containers and K8s in production and best practices for saving and securing distribution of secrets. With Docker and k8s secrets we can manage information related to keys that are needed at runtime but cannot be exposed in the Docker image or source code repository. These could be the main talking points:
1.Challenges of security and secret keys in containers
2.Best practices for saving and securing distribution of secrets in Docker Containers
3.Managing secrets in Kubernetes using volumes and sealed-secrets
4.Other tools for distributing secrets in containers like Hashicorp Vault and KeyWhiz
One of the best practices from a security point of view is to introduce the management of the certificates that we are going to use to support protocols such as SSL / TLS. In this talk we will explain cert-manager and his implementation in K8s as a native Kubernetes certificate management controller that allows us to manage connection certificates and secure communications through SSL/TLS protocols. Later I will explain the main functionalities and advantages that cert-manager provides, for example it allows us to validate that the certificates we are using in different environments are correct. Finally, some use cases are studied in which to use cert-manager and the integration with other services such as Let's Encrypt or HashiCorp Vault.
Python se ha convertido en el lenguaje más usado para desarrollar herramientas dentro del ámbito de la seguridad. Esta charla se centrará en las diferentes formas en que un analista puede aprovechar el lenguaje de programación Python tanto desde el punto de vista defensivo como ofensivo.
Desde el punto de vista defensivo Python es una de las mejores opciones como herramienta de pentesting por la gran cantidad de módulos que nos pueden ayudar a desarrollar nuestras propias herramientas con el objetivo de realizar un análisis de nuestro objetivo.
Desde el punto de vista ofensivo podemos utilizar Python para recolección de información de nuestro objetivo de forma pasiva y activa. El objetivo final es obtener el máximo conocimiento posible en el contexto que estamos auditando. Entre los principales puntos a tratar podemos destacar:
1.Introducción a Python para proyectos de ciberseguridad(5 min)
2.Herramientas de pentesting(10 min)
3.Herramientas Python desde el punto de vista defensivo(10 min)
4.Herramientas Python desde el punto de vista ofensivo(10 min)
Python se ha convertido en el lenguaje más usado para desarrollar herramientas dentro del ámbito de la seguridad. Esta charla se centrará en las diferentes formas en que un analista puede aprovechar el lenguaje de programación Python tanto desde el punto de vista defensivo como ofensivo.
Desde el punto de vista defensivo Python es una de las mejores opciones como herramienta de pentesting por la gran cantidad de módulos que nos pueden ayudar a desarrollar nuestras propias herramientas con el objetivo de realizar un análisis de nuestro objetivo.
Desde el punto de vista ofensivo podemos utilizar Python para recolección de información de nuestro objetivo de forma pasiva y activa. El objetivo final es obtener el máximo conocimiento posible en el contexto que estamos auditando. Entre los principales puntos a tratar podemos destacar:
1.Introducción a Python para proyectos de ciberseguridad(5 min)
2.Herramientas de pentesting(10 min)
3.Herramientas Python desde el punto de vista defensivo(10 min)
4.Herramientas Python desde el punto de vista ofensivo(10 min)
Shodan es una de las plataformas de hacking más utilizadas en todo el mundo que nos brinda un completo motor de búsqueda avanzado desde el que podemos encontrar cualquier dispositivo conectado a la red junto con sus servicios activos, puertos abiertos y posibles vulnerabilidades.
En esta charla mostraremos las principales herramientas que podemos utilizar para maximizar nuestras búsquedas en Shodan, así como desarrollar nuestros propios scripts con python para automatizar las búsquedas.
Entre los puntos a tratar podemos destacar:
-Filtros y búsquedas personalizadas en Shodan
-Detectando vulnerabilidades con Shodan
-Buscar bases de datos abiertas en Shodan
-Shodan desde lineas de comandos con ShodanCLI
La charla trataría sobre cómo usar el stack Elasticsearch, Logstash y Kibana (ELK) para respuestas ante incidentes, monitorización de logs y otras tareas relacionadas con los equipos blue team. Por ejemplo, podríamos analizar los registros basados en autenticación y eventos del sistema operativo.
Entre los puntos a tratar podemos destacar:
-Introducción al estándar ELK y cómo nos puede ayudar para crear nuestro laboratorio de análisis.
-Comentar las diferentes fuentes de datos que podríamos usar (eventos del sistema operativo, capturas de red).
-Indexación y búsqueda de datos en ElasticSearch.
-Recopilación y manipulación de datos con LogStash.
-Creación de dashboards con Kibana.
-Ejemplo de aplicación para alertar sobre eventos basados en la autenticación en el sistema operativo.
The world is advancing towards accelerated deployments using DevOps and cloud native technologies. In architectures based on microservices, container monitoring and management become even more important as we need to scale our application.
In this talk, I will show how to monitor and manage docker containers to manage the status of your applications. We will review how to monitor for security events using open source solutions to build an actionable monitoring system for Docker and Kubernetes.
Through a web interface, tools such as cadvisor, portainer and rancher give us a global overview of the containers you are running as well as facilitate their management.
These could be the main points to discuss:
Challenges in containers and architectures distributed from the point of view of monitoring and administration
Most important metrics that we can use to measure container performance.
Tools for monitoring and management of containers such as cadvisor, sysdig and portainer
Rancher as a platform for the administration of Kubernetes
In this talk I will try explain the memory internals of Python and discover how it handles memory management and object creation.
The idea is explain how objects are created and deleted in Python and how garbage collector(gc) functions to automatically release memory when the object taking the space is no longer in use.
I will review the main mechanims for memory allocation and how the garbage collector works in conjunction with the memory manager for reference counting of the python objects.
Finally, I will comment the best practices for memory managment such as writing efficient code in python scripts.
In this talk I will speak about main tips for integrating Security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps Security. In addition to the so-called best practices, the development of efficient, readable, scalable and secure code, requires the right tools for security development.
These could be the main talking points:
-How to integrate security into iteration and pipeline application development with containers.
-How to secure development environments.
-DevOps security best practices
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Check out the webinar slides to learn more about how XfilesPro transforms Salesforce document management by leveraging its world-class applications. For more details, please connect with sales@xfilespro.com
If you want to watch the on-demand webinar, please click here: https://www.xfilespro.com/webinars/salesforce-document-management-2-0-smarter-faster-better/
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
3. Agenda
● Introduction to docker security
● Security best practices
● Tools for auditing docker images
4. Docker
● “Docker containers wrap up a piece of
software in a complete filesystem that
contains everything it needs to run: code,
runtime, system tools, system libraries –
anything you can install on a server. This
guarantees that it will always run the same,
regardless of the environment it is running in.”
5. Docker Security
● Docker provides an additional layer of isolation, making
your infrastructure safer by default.
● Makes the application lifecycle fast and easier,reducing
risks in your applications
6. Docker Security
● Docker uses several mechanisms for security:
○ Linux kernel namespaces
○ Linux Control Groups (cgroups)
○ The Docker daemon
○ Linux capabilities (libcap)
○ Linux security mechanisms like AppArmor or
SELinux
7. Docker Security
● Namespaces:provides an isolated view of the
system where processes cannot see other
processes in other containers
● Each container also gets its own network stack.
● A container doesn’t get privileged access to the
sockets or interfaces of another container.
8. Docker Security
● Cgroups: kernel feature that limits and isolates the
resource usage(CPU,memory,network) of a collection of
processes.
● Linux Capabilities: divides the privileges of root into
distinct units and smaller groups of privileges.
11. Docker images
● Images are extracted in a chrooted sub process, being the
first-step in a wider effort toward privilege separation.
● From Docker 1.10, all images are stored and accessed by
the cryptographic checksums of their contents, limiting
the possibility of an attacker causing a collision with an
existing image Docker Content Trust.
12. Docker Content Trust
● Protects against untrusted images
● Can enable signing checks on every managed host
● Signature verification transparent to users
● Guarantee integrity of your images when pulled
● Provides trust from publisher to consumer
● export DOCKER_CONTENT_TRUST=1
● ~/.docker/trust/trusted-certificates/
14. DockerFile Security
● Do not write secrets(users and passwords).
● Remove unnecessary setuid, setgid permissions
(Privilege escalation)
● Download packages securely using GPG and certificates
● Try to restrict an image or container to one service
15. Security best practices
● To disable setuid rights, add the following to the
Dockerfile of your image
16. Security best practices
● Don’t run containers with --privileged flag
● The --privileged flag gives all capabilities to the
container.
● docker run --privileged ...
● docker run --cap-drop=ALL --cap-add=CAP_NET_ADMIN
...
17. Security best practices capabilities
● How do we add/remove capabilities?
● Use cap-add and cap-drop with docker run/create
● Drop all capabilities which are not required
● docker run --cap-drop ALL --cap-add $CAP
18. Security best practices capabilities
● Manual management within the container:
docker run --cap-add ALL
● Restricted capabilities with root:
docker run --cap-drop ALL --cap-add $CAP
● No capabilities:
docker run --user
21. Security best practices
● We can verify the integrity of the image
● Checksum validation when pulling image from docker hub
● Pulling by digest to enforce consistent
23. Docker security is about
limiting and controlling the
attack surface on the kernel.
24. Docker least privileges
● Do not run processes in a container as root to avoid root
access from attackers.
● Enable User-namespace (disabled by default)
● Run filesystems as read-only so that attackers can not
overwrite data or save malicious scripts to the image.
● Cut down the kernel calls that a container can make to
reduce the potential attack surface.
● Limit the resources that a container can use (SELinux/AppArmor)
29. Docker images scanning
● You can scan your images for known vulnerabilities
● There are tools for that, like Docker Security Scanning,
Docker Bench Security and CoreOS Clair
● Find known vulnerable binaries
31. Docker Security Scanning
● Checks against CVE database for image layers
● Binary scanning of all components in the image
● Performs binary scan to pick up on statically linked binaries
● Analyses libraries statically compiled in the image
● Generates a reports that shows if there are CVE in the
libraries inside the image
37. Clair Use cases
● You've found an image by searching the internet and want
to determine if it's safe enough for you to use in production.
● You're regularly deploying into a containerized production
environment and want operations to alert or block
deployments on insecure software.
41. Docker bench security
● Open-source tool for running automated tests
● Inspired by the CIS Docker 1.11 benchmark
● Runs against containers currently running on same host
● Checks for AppArmor, read-only volumes, etc...
48. Other tools
● OpenSCAP Container Compliance
● Lynis
● Twistlock
● Dockscan
● Aqua Security
● Dagda
49. OpenScap Clair Lynis TwistLock DockScan
Images and
Containers
Images and
Containers
DockerFile Images,
containers,
packages.
Kubernetes
Mesos.
Docker
server
RedHat
/Fedora
/CentOS based
containers
Debian
/Ubuntu
/CentOS
based
containers
Linux and
Unix based
Systems
Linux and Unix
based Systems
Docker and
container
installations
50. Lynis
● Lynis is a Linux, Mac and Unix security auditing
and system hardening tool that includes a
module to audit Dockerfiles.
● lynis audit dockerfile <file>