Lecture about techniques, frameworks and tools to automate the testing for your Android App and how to use Testdroid, one of the available device farms, to test your App in the cloud and overcome fragmentation issues.
ROMAN PALKIN
Backed up with real examples, this talk reviews the capabilities of widely-used frameworks TensorFlow and PyTorch for creating and spreading malicious software as well as implementing covert data communication channels. The purpose of this presentation is to draw attention of the community to the danger posed by careless use of Machine Learning models from unreliable sources.
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee... - Aaron Rinehart
This document discusses security chaos engineering as a new approach to continuously learning about and validating security controls. It provides examples of how Cardinal Health and UnitedHealth Group use security chaos engineering. Cardinal Health conducts experiments to identify security gaps and partners to remediate issues before exploitation. UnitedHealth Group tests hypotheses about how the system should respond to events like misconfigured ports. The document encourages organizations to start with low-impact experiments and create a business case to expand the practice over time. It concludes that security chaos engineering can improve security resilience by proactively testing systems.
The landscape for software testing has never been so broad. Applications today interact with other applications through APIs. And in return they leverage legacy systems, while they grow in complexity from one day to the next in a nonlinear fashion. So what does that mean for analysts, developers, and testers?
The 2016-17 World Quality Report suggests that AI will help. “We believe that the most important solution to overcome increasing QA and Testing Challenges will be the emerging introduction of machine-based intelligence,” the report states.
We have witnessed the mobile and computer revolution; now, similarly, artificial intelligence (AI) is revealing its potential, not only in the way we live but also within the majority of industries. And software testing is no exception.
Facebook and Google aren’t the only companies applying AI techniques. In this session, we will explore how software testers can leverage AI and how tools may need to evolve. For instance, Helix ALM accelerates the development-to-release process, catches bugs earlier, and supports the transition to new development techniques.
In this webinar, we will also discuss three key elements that will significantly change software development with the evolution of “Artificial Intelligence”.
Using security to drive chaos engineering - Dinis Cruz
This document discusses chaos engineering and how it relates to security testing. Some key points:
- Chaos engineering involves experimenting on systems by introducing variables like server crashes or network failures to test how systems respond to turbulent conditions. This helps build confidence in systems' availability.
- Security testing can be viewed as a form of chaos engineering, as security tests intentionally introduce "changes" like vulnerabilities to verify systems' security and resilience.
- To test systems effectively, experiments should be run continuously in production environments and introduce real-world events while minimizing impact. This helps validate that systems can withstand attacks and changes in production.
- Properties of resilient, secure systems include availability, ability to handle failures, validating all
Bug Bounties and The Path to Secure Software by 451 Research - HackerOne
Scott Crawford, Research Director of Information Security at 451 Research, shares:
Why having a Vulnerability Disclosure Policy is now “table stakes”
The what, how and why of Vulnerability Disclosure Policy documentation
Tangible benefits and tradeoffs of incorporating bug bounties into software development
How bug bounties make for a more secure software development lifecycle
This document provides an overview of a session on security chaos engineering. The session will cover combating complexity in software, chaos engineering, resilience engineering and security, security chaos engineering, open source chaos tools, and a product demo from Verica.
The presenters from Verica will be Casey Rosenthal, CEO and founder, and Aaron Rinehart, CTO and founder. Casey Rosenthal helped create the discipline of chaos engineering at Netflix and built their chaos automation platform. Aaron Rinehart has experience leading security engineering strategies and pioneered the area of security chaos engineering.
Chaos engineering involves experimenting on distributed systems to build confidence in their ability to withstand turbulent conditions. It is used to combat the increasing complexity
Tired of having users email you that your web application is broken? Turns out that building reliable web applications is hard and requires a lot of testing. You can write unit tests but quite often these all pass and the application is still broken. Why? Because they test parts of the application in isolation. But for a reliable application we need more. We need to make sure that all parts work together as intended.
Cypress is a great tool to achieve this. It will test your complete web application in the browser and use it like a real user would. In this session Maurice will show you how to use Cypress during development and on the CI server. He will share tips and tricks to make your tests more resilient and more like how an actual end user would behave.
ChaoSlingr: Introducing Security based Chaos Testing - Aaron Rinehart
ChaoSlingr is a Security Chaos Engineering Tool focused primarily on experimentation on AWS infrastructure to bring system security weaknesses to the forefront.
The industry has traditionally put emphasis on the importance of preventative security control measures and defense-in-depth, whereas our mission is to drive new knowledge and perspective into the attack surface by delivering proactively through detective experimentation. With so much focus on the preventative mechanisms, we never attempt anything beyond one-time or annual pen testing requirements to actually validate whether or not those controls are performing as designed.
Our mission is to address security weaknesses proactively, going beyond the reactive processes that currently dominate traditional security models.
OWASP AppSec Global 2019 Security & Chaos Engineering - Aaron Rinehart
Security today is customarily a reactive and chaotic exercise.
In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
Chaos engineering for cloud native security - Kennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, and not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches, injecting security faults that trigger security failures which impact integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reverted to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner, and extends the benefits of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google Cloud Platform.
Adversary Driven Defense in the Real World - James Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
DevSecOps & Security Chaos Engineering - "Knowing the Unknown"
"Resilience is the story of the outage that didn’t happen". - John Allspaw
Our systems are becoming more and more distributed, ephemeral, and immutable in how they function in today’s ever-evolving landscape of contemporary engineering practices. Not only are our systems becoming more complex, but the velocity at which they now interact and evolve is making the work more challenging for us humans. In this shifted paradigm, it is becoming problematic to comprehend the operational state, health and safety of our systems.
In this session Aaron will uncover what Chaos Engineering is, why we need it, and how it can be used as a tool for building more performant, safe and secure systems. We will uncover the importance of using Chaos Engineering in developing a learning culture through system experimentation. Lastly, we will walk through how to get started using Chaos Engineering as well as dive into how it can be applied to cyber security and other important engineering domains.
Security incident response is a reactive and chaotic exercise. What if it were possible to flip the scenario on its head? Security focused chaos engineering takes the approach of advancing the security incident response apparatus by reversing the postmortem and preparation phases. Contrary to Purple Team or Red Team game days, Security Chaos Engineering does not use threat actor tactics, techniques and procedures. It develops teams through unique configuration, cyber threat and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones.
Security Chaos Engineering allows incident response and product teams to derive new information about the state of security within their distributed systems that was previously unknown. Within this new paradigm of instrumentation, where we proactively conduct “Pre-Incident” rather than “Post-Incident” reviews, we are now able to more accurately measure how effective our security incident response teams, tools, skills, and procedures are during the manic phase of the Incident Response function.
In this session Aaron Rinehart, the mind behind the first Open Source Security Chaos Engineering tool ChaoSlingr, will introduce how Security Chaos Engineering can be applied to create highly secure, performant, and resilient distributed systems.
If you work with or at a Telco, Financial Institution or a Government entity, you probably already know about compliance and the various acronyms and headaches it can bring.
How can we make this less of a painful process?
Well, if you think about it: compliance is a set of rules that someone has given you to enforce and prove that they're being enforced. What is Puppet? A series of rules for systems that need to be enforced. So compliance is the perfect use-case for configuration management.
Nick Drage & Fraser Scott - Epic battle devops vs security - DevSecCon
Fraser and Nick debate the relationship between DevOps and security. Nick argues security is too complex for DevOps approaches, while Fraser argues DevOps and security ultimately have the same goals of reducing risk and increasing value. They propose defining a "risk budget" to measure and manage risk like an "error budget", allowing more frequent deployments if risk is reduced through practices like testing and security engagement. Ultimately they agree DevOps and security need cooperation rather than separation, with security helping scale out practices while DevOps takes security responsibilities.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security focused Chaos Engineering allows engineering teams to derive new information about the state of security within their distributed systems that was previously unknown. This new technique of instrumentation proactively injects turbulent security conditions or faults into our systems to determine the conditions under which our security will fail, so that we can fix it before it causes customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018
Get complete visibility and find hidden security problems - Elasticsearch
Even basic threats can be numerous and complex, and limited visibility into your security data is simply not enough. Whether you are running investigations or hunting threats, you need all the security-relevant context. Learn the key practices for collecting and normalizing data, and see how you can use Elastic Security to triage, verify and address problems quickly and accurately.
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering - Aaron Rinehart
Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make them tremendously difficult for humans to mentally model. If the latter is even remotely true, how is it possible to adequately secure services that are not even fully comprehended by the engineering teams that built them? How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works? Security Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" - Aaron Rinehart
This document provides an overview of a presentation on chaos engineering and security chaos engineering. The presentation covers United Health Group's journey to rugged DevOps, combating complexity in software, and approaches to chaos engineering and security chaos engineering. Specific topics discussed include automated security configuration and validation using Chef and Inspec, using Gauntlt for automated vulnerability scanning, lessons learned from DevOps transformations, and examples of chaos engineering experiments and game days.
The Rise of DevSecOps - Fabian Lim - DevSecOpsSg - DevSecOpsSg
DevOps is a cultural shift for more and more organisations, bringing speed and innovation benefits that surpass other SDLC methods. But some of the principles of DevOps aren’t quite aligned with how companies of all sizes will need to incorporate and embed security into this shift. DevSecOps provides a path forward for the transformation and helps companies to shift security to the left so that everyone can take responsibility for it. While automating security testing is an obvious answer to securing applications in the code pipeline, it does not provide 100% coverage until security risks are fully mitigated. Fabian will talk about his journey in making DevSecOps a reality in an organisation. This talk will focus on some of the lessons learnt, which include implementing open source tools to help the security team do their jobs better, hacking the culture, whitelisting services, reporting security defects, and also doing Red Team activities.
Maturing DevSecOps: From Easy to High Impact - SBWebinars
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The document summarizes security issues in healthcare and discusses how Siemens Healthineers secures their products. It notes that healthcare applications are mission critical and errors can be fatal. It provides examples of real security attacks on hospitals and medical devices. Reasons the healthcare industry is targeted include the resale value of patient data. The document describes tools and methods Siemens uses to secure their products like virus scanning and authentication. It acknowledges security is an ongoing challenge and discusses the need for adaptive strategies like contextual security going forward.
This document discusses Android security. It covers system and kernel level security features like process sandboxing and memory protection. It also discusses user security features such as device encryption, password hashing, and screen locks. Additionally, it examines Android application security mechanisms like permissions and Play Store verification. Finally, it analyzes recent Android security problems involving SMS vulnerabilities and processor exploits.
Matt Carroll - "Security patching system packages is fun" said no-one ever - DevSecCon
This document summarizes Matt Carroll's talk on making security patching of system packages less tedious for engineers. It discusses how automating work distribution and feedback through tools like JIRA, establishing clear deadlines, and streamlining documentation can increase agency and motivation. The overall goal is to reduce pain points and uncertainty to encourage proactive security practices rather than treating it as an "arcane ritual".
The document discusses the new features and changes in Android M, including a new runtime permissions system, app linking improvements, an Assist API to allow voice interactions, auto backup for app data, and enhanced controls for corporate devices. It provides instructions on downloading the SDK and setting up a development environment to build and test apps for Android M.
OWASP AppSec Global 2019 Security & Chaos EngineeringAaron Rinehart
Security today is customarily a reactive and chaotic exercise.
In this session, we will introduce a new concept known as Security Chaos Engineering and how it can be applied to create highly secure, performant, and resilient distributed systems.
Chaos engineering for cloud native securityKennedy
Human errors and misconfiguration-based vulnerabilities have become a major cause of data breaches and other forms of security attacks in cloud-native infrastructure (CNI). The dynamic and complex nature of CNI and the underlying distributed systems further complicate these challenges. Hence, novel security mechanisms are imperative to overcome these challenges. Such mechanisms must be customer-centric, continuous, not focused on traditional security paradigms like intrusion detection. We tackle these security challenges via Risk-driven Fault Injection (RDFI), a novel application of cyber security to chaos engineering. Chaos engineering concepts (e.g. Netflix’s Chaos Monkey) have become popular since they increase confidence in distributed systems by injecting non-malicious faults (essentially addressing availability concerns) via experimentation techniques. RDFI goes further by adopting security-focused approaches by injecting security faults that trigger security failures which impact on integrity, confidentiality, and availability. Safety measures are also employed such that impacted environments can be reversed to secure states. Therefore, RDFI improves security and resilience drastically, in a continuous and efficient manner and extends the benefts of chaos engineering to cyber security. We have researched and implemented a proof-of-concept for RDFI that targets multi-cloud enterprise environments deployed on AWS and Google cloud platform.
Adversary Driven Defense in the Real WorldJames Wickett
Talk by Shannon Lietz and James Wickett at DevOps Enterprise Summit 2018, Las Vegas.
Talk covers finding real world adversaries and balancing your effort and defenses to adjust for them.
DevSecOps & Security Chaos Engineering - "Knowing the Unknown" -
"Resilience is the story of the outage that didn’t happen". - John Allspaw
Our systems are becoming more and more distributed, ephemeral, and immutable in how they function in today’s ever-evolving landscape of contemporary engineering practices. Not only are we becoming more complex but the rate of velocity in which our systems are now interacting, and evolving is making the work more challenging for us humans. In this shifted paradigm, it is becoming problematic to comprehend the operational state, health and safety of our systems.
In this session Aaron will uncover what Chaos Engineering is, why we need it, and how it can be used as a tool for building more performant, safe and secure systems. We will uncover the importance of using Chaos Engineering in developing a learning culture through system experimentation. Lastly, we will walk through how to get started using Chaos Engineering as well as dive into how it can be applied to cyber security and other important engineering domains.
Security incident response is a reactive and chaotic exercise. What if it were possible to flip the scenario on its head? Security focused chaos engineering takes the approach of advancing the security incident response apparatus by reversing the postmortem and preparation phases. Contrary to Purple Team or Red Team game days, Security Chaos Engineering does not use threat actor tactics, techniques and procedures. It develops teams through unique configuration, cyber threat and user error scenarios that challenge responders to react to events outside their playbooks and comfort zones.
Security Chaos Engineering allows incident response and product teams to derive new information about the state of security within their distributed systems that was previously unknown. Within this new paradigm of instrumentation where we proactively conduct “Pre-Incident” vs. “Post-Incident” reviews we are now able to more accurately measure how effective our security incident response teams, tools, skills, and procedures are during the manic of the Incident Response function.
In this session Aaron Rinehart, the mind behind the first Open Source Security Chaos Engineering tool ChaoSlingr, will introduce how Security Chaos Engineering can be applied to create highly secure, performant, and resilient distributed systems.
If you work with or at a Telco, Financial Institution or a Government entity, you probably already know about compliance and the various acronyms and headaches it can bring.
How can we make this less of a painful process?
Well, if you think about it: compliance is a set of rules that someone has given you to enforce and prove that they're being enforced. What is Puppet? A series of rules for systems that need to be enforced. So compliance is the perfect use-case for configuration management.
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
Fraser and Nick debate the relationship between DevOps and security. Nick argues security is too complex for DevOps approaches, while Fraser argues DevOps and security ultimately have the same goals of reducing risk and increasing value. They propose defining a "risk budget" to measure and manage risk like an "error budget", allowing more frequent deployments if risk is reduced through practices like testing and security engagement. Ultimately they agree DevOps and security need cooperation rather than separation, with security helping scale out practices while DevOps takes security responsibilities.
In this session Aaron will uncover the importance of using Chaos Engineering in developing a learning culture in a DevSecOps world. Aaron will walk us through how to get started with Chaos Engineering for security and how it can be practically applied to enhance system performance, resilience and security.
Security-focused Chaos Engineering allows engineering teams to derive previously unknown information about the state of security within their distributed systems. This instrumentation technique proactively injects security-relevant turbulent conditions or faults into systems to determine the conditions under which security controls fail, so they can be fixed before they cause customer pain.
During this session we will cover some key concepts in Safety & Resilience Engineering and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive.
Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018
Get complete visibility and find hidden security problems (Elasticsearch)
Even basic threats can be numerous and complex, and limited visibility into your security data is simply not enough. Whether you are running investigations or hunting for threats, you need all the security-relevant context. Learn the key practices in collecting and normalizing data, and see how you can use Elastic Security to triage, verify and address problems quickly and accurately.
RSA Conference APJ 2019 DevSecOps Days Security Chaos Engineering (Aaron Rinehart)
Distributed systems at scale have unpredictable and complex outcomes that are costly when security incidents occur. The speed, scale, and complex operations within microservice architectures make it tremendously difficult for humans to mentally model their behavior. If that is even remotely true, how is it possible to adequately secure services that are not fully comprehended even by the engineering teams that built them? How do we realign the actual state of operational security measures to maintain an acceptable level of confidence that our security actually works? Security Chaos Engineering allows teams to proactively and safely discover system weaknesses before they disrupt business outcomes.
VMWare Tech Talk: "The Road from Rugged DevOps to Security Chaos Engineering" (Aaron Rinehart)
This document provides an overview of a presentation on chaos engineering and security chaos engineering. The presentation covers United Health Group's journey to rugged DevOps, combating complexity in software, and approaches to chaos engineering and security chaos engineering. Specific topics discussed include automated security configuration and validation using Chef and Inspec, using Gauntlt for automated vulnerability scanning, lessons learned from DevOps transformations, and examples of chaos engineering experiments and game days.
The Rise of DevSecOps - Fabian Lim (DevSecOpsSg)
DevOps is a cultural shift for more and more organisations, bringing speed and innovation benefits that surpass other SDLC methods. But some of the principles of DevOps are not quite aligned with how companies of all sizes need to embed security into this shift. DevSecOps provides a path forward for the transformation and helps companies shift security to the left so that everyone can take responsibility for it. Automating security testing is the obvious answer for securing applications in the code pipeline, but it does not provide full coverage on its own; the risks it finds still have to be mitigated. Fabian will talk about his journey in making DevSecOps a reality in an organisation. The talk focuses on lessons learnt, including implementing open source tools to help the security team do its job better, hacking the culture, whitelisting services, reporting security defects, and doing Red Team activities.
Maturing DevSecOps: From Easy to High Impact (SBWebinars)
Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place.
So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are:
Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns
Securing DevOps methodologies - changing when and how security controls interact with the application and the development process
Adapting to a DevOps philosophy of shared ownership for security
In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.
This document discusses the concepts of DevSecOps at a high level. It begins with a brief history of development methodologies, from Waterfall to Agile, and how Ops became a bottleneck. This led to trends in Agile Operations and collaboration between Dev and Ops, known as DevOps. DevSecOps expands this to incorporate security. It discusses the importance of culture, processes, and technologies for effective communication, automation, and collaboration across Dev, Ops, and Security. The goal is to enable organizations to deliver inherently secure software at DevOps speed through a high-trust environment and automated security pipelines integrated into the software development lifecycle.
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at OWASP NoVA, Sept 25th, 2018
The document summarizes security issues in healthcare and discusses how Siemens Healthineers secures their products. It notes that healthcare applications are mission critical and errors can be fatal. It provides examples of real security attacks on hospitals and medical devices. Reasons the healthcare industry is targeted include the resale value of patient data. The document describes tools and methods Siemens uses to secure their products like virus scanning and authentication. It acknowledges security is an ongoing challenge and discusses the need for adaptive strategies like contextual security going forward.
This document discusses Android security. It covers system and kernel level security features like process sandboxing and memory protection. It also discusses user security features such as device encryption, password hashing, and screen locks. Additionally, it examines Android application security mechanisms like permissions and Play Store verification. Finally, it analyzes recent Android security problems involving SMS vulnerabilities and processor exploits.
Matt Carroll - "Security patching system packages is fun" said no-one ever (DevSecCon)
This document summarizes Matt Carroll's talk on making security patching of system packages less tedious for engineers. It discusses how automating work distribution and feedback through tools like JIRA, establishing clear deadlines, and streamlining documentation can increase agency and motivation. The overall goal is to reduce pain points and uncertainty to encourage proactive security practices rather than treating it as an "arcane ritual".
The document discusses the new features and changes in Android M, including a new runtime permissions system, app linking improvements, an Assist API to allow voice interactions, auto backup for app data, and enhanced controls for corporate devices. It provides instructions on downloading the SDK and setting up a development environment to build and test apps for Android M.
The document discusses the benefits of exercise for both physical and mental health. It notes that regular exercise can reduce the risk of diseases like heart disease and diabetes, improve mood, and reduce feelings of stress and anxiety. Staying active also helps maintain a healthy weight and keeps muscles, bones, and joints healthy as we age.
The Android NDK is a set of tools that allows the integration of native code (C/C++) into your Android app. In this presentation, get to know interesting uses of the NDK, its advantages and disadvantages, and how to start using it with Android Studio.
The document discusses the importance of mobile and user experience (UX). It shows statistics on the growing use of smartphones in Brazil and how user behaviour is shifting towards mobile apps. It also discusses how to understand the user journey and deliver relevant experiences in the right context for each user.
Talk presented at The Developers Conference SP 2016.
Everyone agrees that testing applications and solutions is fundamental to guaranteeing product quality for the user. Automating the tests and the application's quality process, on the other hand, is a dream many teams and developers would like to achieve, so why is it so hard? In this talk we explore tips, tools and practices for starting to automate the tests of your Android application. If you have always wanted to do this and did not know where to start, now is the time!
The document discusses strategies for test automation in Android apps, including how to deal with flaky tests and external dependencies through mocks and isolation. It also covers the different test layers and tools such as Espresso and UIAutomator for user interface tests.
Supporting slides for the test automation workshop delivered at the iMasters Android DevConference 2015 in São Paulo. The workshop focused on unit tests with JUnit, UI tests with Espresso and UIAutomator, and testing your app in the cloud with Testdroid.
The document presents an introduction to Android development, covering topics such as:
1) The popularisation of mobile devices and the growth of Android;
2) Ways to make money with apps;
3) The development stages, from conception to publication on the Play Store.
Talk presenting the first steps in using JUnit, Espresso and UIAutomator to automate tests of Android apps, and how to run the tests you have written on a cloud device farm.
For videos on how Testdroid works, see their YouTube channel: https://www.youtube.com/user/BitbarChannel
This document describes the different socket types for Intel and AMD processors across generations. It gives details on the pin count, supported voltages, bus speeds and the microprocessors compatible with each socket. The sockets discussed include Socket 775, Socket 939, Socket AM2 and Socket 1155.
Using Espresso and UIAutomator for test automation in Android apps (tdc-globalcode)
Running tests is an important stage of the development process for guaranteeing the quality levels your application's users expect. However, with the growing number of features and the frequent waves of new devices, this task has become increasingly arduous, as well as extremely repetitive, tedious and error-prone. In the Android world some tools can help you automate your testing process; Espresso and UIAutomator are two of them, recently added to the Android Testing Framework. In this talk we cover how to use these frameworks in your Android project to automate and simulate user interaction with your app and validate your application's features along the way, making your day more pleasant and productive.
Talk presented in the Testing track of TDC Floripa, Sampa and Porto Alegre in 2015, discussing how cloud solutions can help improve the testing of Android applications in a fragmented world. We also introduce ways to automate your application's tests so that cloud device farms can be used with the Espresso and UIAutomator tools.
For videos on how Testdroid works, see their YouTube channel: https://www.youtube.com/user/BitbarChannel
How do you make an agile team work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but getting security testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you, where we will talk about agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be taken without costly tools, and I will present open source alternatives for all steps. This is to make a trial easier and to lower the startup cost of your team's security process.
Leveraging Artificial Intelligence Processing on Edge Devices (ICS)
The introduction of low-cost, high-performance embedded processors, coupled with improvements in neural network model optimization, lays the foundation for AI and computer vision at the edge. Moving intelligence from the cloud to the edge offers many advantages, including reduced network traffic, predictable ML inference times, and data security, to name a few. Challenges exist, as many development teams do not have data scientists or AI development engineers. What is needed are practical AI solutions, including ML development tools, optimized inference engines and reference platforms that abstract away the development complexities to streamline prototyping and development.
In this joint webinar with Au-Zone Technologies we will discuss:
- Development challenges and solutions which can be used to enable AI/ML at the edge to implement object detection, classification and tracking for medical and industrial use cases
- Visualization techniques for activity monitoring and object detection
Real time operating systems for safety-critical applications (Reza Ramezani)
This document discusses and compares several real-time operating systems (RTOS) suitable for safety-critical applications. It outlines some key RTOS features like memory management, programming languages supported, certification standards compliance and example uses in avionics and automotive systems. Several RTOS are examined in more detail including Integrity/AdaMulti by Green Hills, VxWorks/Tornado II by WindRiver, QNX Neutrino and LynxOS, describing their architecture, development tools and safety certifications.
[Webinar] 10 Keys to Ensuring Success for Your Next Qt Project (ICS)
The document provides 10 keys to ensuring success for Qt projects: use the right tools including Qt and other libraries; staff projects adequately and consult experts; focus on user experience with human-centered design; take an iterative and agile approach with frequent testing and delivery; structure code for testability; use Qt's layered design; keep QML simple as the visualization layer; always be delivering and reviewing code; don't be too agile by estimating large tasks early; and internationalize from the start.
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study (Honeywell)
This document provides a summary of a presentation given by Michael Coden and Pete MacLeod on October 7, 2014 about scaling industrial control system (ICS) cybersecurity. It discusses conducting an inventory of ICS assets at an oil and gas facility, comparing manual vs automated inventory methods. The presentation aims to illustrate how centralized OT cybersecurity automation can improve security, reduce time/costs for inventory and incident response, and help address skills shortages through centralization.
The document discusses technologies for automating software testing to improve IoT security and reliability. It describes challenges with software testing, including high complexity and costs of manual testing. It then introduces concolic testing as an automated testing technique that combines concrete and symbolic execution to generate test cases. Challenges with concolic testing include limitations with external calls, pointers, and arrays. The document proposes MAIST, a concolic testing tool that aims to address these challenges through techniques like task-oriented test generation to reduce false alarms, bitfield transformations to support symbolic bitfields, and static analysis to support symbolic function pointers. The goal of MAIST is to achieve high test coverage with reduced human effort for automotive software development.
Faster deep learning solutions from training to inference - Amitai Armon & Ni... (Codemotion Tel Aviv)
The document discusses Intel's Deep Learning SDK which aims to democratize deep learning by making it easily accessible and deployable. The SDK provides plug and train functionality through an easy installer, maximizes performance through optimized frameworks, and includes productivity tools. It allows for distributed multi-node training and deploys trained models across Intel hardware and systems through optimizations, compression, and quantization to accelerate deployment. The SDK addresses challenges in deep learning like limited labeled data, reinforcement learning tasks, and deployment at the edge with lower memory models.
IoT Software Testing Challenges: The IoT World Is Really Different (TechWell)
With billions of devices containing new software connected to the Internet, the Internet of Things (IoT) is poised to become the next growth area for software development and testing. Although many traditional test techniques and strategies remain viable, challenges in IoT testing include huge amounts of data, multiple communication channels, device protocols, resource limitations (battery or memory), addressing sensors and controllers, cloud-hardware-device integration, and security concerns. Jon Hagar says that for IoT testers to be successful, they must develop new knowledge and skills, and apply them based on real data and proven test design methods. Testing analytics should include raw test data, data relationships across software integration boundaries, and social media inputs, as well as a keen understanding of sociological and psychological factors. Jon shares insights into math-based testing, model-based testing, attack-based exploratory testing, and appropriate types of standards as basics of IoT testing. Take back a new holistic view for your IoT testing which considers the world environment, connected systems, local systems, and the IoT device itself.
A SURVEY OF VIRTUAL PROTOTYPING TECHNIQUES FOR SYSTEM DEVELOPMENT AND VALIDATION (IJCSES Journal)
Recently, different kinds of computer systems, such as smart phones, embedded systems and cloud servers, have come into ever wider use, and system development and validation is under great pressure. Hardware device, firmware and device driver development account for a significant portion of the system development and validation effort. In traditional development, firmware and driver work largely has to wait until a stable version of the device becomes available. This dependency often leaves not enough time for software validation.
Effective Software Testing for Modern Software Development (Alan Richardson)
The document discusses modern software development and testing. It argues that testing is not a separate phase but rather a process that is customized and integrated into the overall development system to mitigate risks. Modern development processes build in safety controls like automated testing, but there are still risks to address like integration testing and exploring edge cases. The document advocates adapting methods to people and focusing testing on risks and uncertainties rather than definitions or roles.
As data science workloads grow, so does their need for infrastructure. But, is it fair to ask data scientists to also become infrastructure experts? If not the data scientists, then, who is responsible for spinning up and managing data science infrastructure? This talk will address the context in which ML infrastructure is emerging, walk through two examples of ML infrastructure tools for launching hyperparameter optimization jobs, and end with some thoughts for building better tools in the future.
Originally given as a talk at the PyData Ann Arbor meetup (https://www.meetup.com/PyData-Ann-Arbor/events/260380989/)
The document discusses how the speaker's team at Playtika tests their code at different levels, from unit to integration tests. Small unit tests are run quickly on continuous integration and aim to achieve high code quality. Medium tests are also run on CI and test services in slightly more depth. Large integration tests were improved to run faster without Docker and test end-to-end scenarios. The team aims to continue improving testing by running more tests automatically and gathering better test results.
IRJET - Real-Time Object Detection System using Caffe Model (IRJET Journal)
This document discusses a real-time object detection system using the Caffe model. The authors used OpenCV, Caffe model, Python and NumPy to build a system that can detect objects like humans and vehicles in images and videos. It discusses how deep learning techniques like convolutional neural networks can be used for tasks like object localization, classification and feature extraction. Specifically, it explores using the Caffe framework to implement real-time object detection with OpenCV by accessing the webcam and applying detection to each frame.
Mobile app development and testing with Intel XDK and Testdroid (Software Guru)
1. The document discusses tools from Intel for developing and testing Android apps, including the Intel XDK for building HTML5 apps, Intel HAXM for speeding up Android emulation, and Intel Graphics Performance Analyzers for analyzing app performance.
2. It also mentions challenges in testing like automation and fragmentation, and testing services like AWS Device Farm, Google Cloud Test Lab, and Open STF.
3. The document recommends JUnit, UI Automator, and Android Testing Support Library for testing Android apps across devices.
IoT Cyber+Physical+Social Engineering Attack Security (v0.1.6 / sep2020) (mike parks)
Work-in-Progress!
IoT Cyber+Physical+Social Security
An encyclopedic compendium of tools, techniques, and practices to defend systems that sit at the intersection of the cyber and physical domains; chiefly building automation systems and the Internet of Things.
Just a little app, huh!? - The survival guide for the dev from the innovative idea to... (Eduardo Carrara de Araujo)
The document presents a survival guide for Android developers, covering the essential areas of conceiving, building, delivering and getting feedback on applications. It includes techniques for validating business hypotheses, Android development tools, troubleshooting tips and release-cycle automation.
Talk presented at DevFest Centro Sul Fluminense, held in Vassouras in October 2017.
The focus is on using the Kotlin language to write automated tests for Android applications.
The document discusses the practices and benefits of continuous integration (CI) for Android apps, including the importance of automated tests, short and fast builds, and tools such as Git Flow, Crashlytics Beta and Bitrise.io. The author also gives tips on environments, APIs, dependencies, Lint and tests for Android projects.
The Android NDK is the tool that allows native code (C/C++) to be used in your Android application. In this presentation, learn some interesting uses of the NDK, the advantages and disadvantages of using it, and how to start using this tool with Android Studio.
Implementation of a Participatory Sensing Solution to Collect Data About Pave... (Eduardo Carrara de Araujo)
The focus of this work is the development of an alternative proposal for evaluating the pavement conditions of a given city using a participatory sensing solution. To substantiate the project, the following areas had to be investigated: proposals and standards in pavement management, how pavement evaluation is done, and the effects of poor quality pavement on a vehicle's passengers. Research in the areas of participatory sensing, mobility technologies and software engineering was done to ascertain how the relationship between these topics could contribute to the problem's solution. With these elements in place it was possible to design, analyse and develop a proof of concept as a software solution based on a client-server architecture, in which the client application collects data and the server application handles data storage and availability. Analysis of the collected quantitative information showed that it is possible to determine the presence of defects and assess pavement quality even with simple collection devices such as a smartphone, and also to collect qualitative information that could help measure the impact of pavement quality from the perspective of its users.
The report describes the activities and achievements of the Google Developers Group ABC in 2015, including 16 meetups with 220 developers and 19 technical sessions. It also discusses plans for 2016, such as expanding to more venues and times, covering different topics, and improving community diversity and engagement through more hands-on activities and locally relevant projects.
Lecture about Android Auto delivered at the Android Meetup #5 organized by the GDG ABC on 2015 January 31st at ABC Federal University at Santo André, Brazil.
Session about android debugging tools and techniques delivered at an Android Meetup organized by GDG ABC on October 25th 2014 at FATEC São Caetano do Sul, Brazil
Intel Information Technology
Sprint 1
• 5 Stories
• 1 Test Plan per Story
• 1 Hour per Test Plan
• 5h of Testing
Sprint 2
• +5 Stories
• +1 Test Plan per Story
• 1 Hour per Test Plan
• 5h of testing + 5h of regression test
Sprint 3
• +5 Stories
• +1 Test Plan per Story
• 1 Hour per Test Plan
• 5h of testing + 10h of regression test
“I choose a lazy person to do a hard job. Because a lazy
person will find an easy way to do it.”
- Bill Gates
Image by Karla Vidal @ http://www.flickr.com/photos/63721650@N00/3661526274
Creative Commons cc-by-2.0
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;

public class Utility {
    // Format in which dates are persisted. The slide never shows this
    // constant's value; "yyyyMMdd" is an assumption so the class compiles.
    public static final String DATE_FORMAT = "yyyyMMdd";

    // Re-formats a stored date string into the requested display format.
    // Any unparseable or null input is logged and mapped to "" (the slide's
    // test relies on that default), which hides bad input from callers.
    public static String getFormattedMonthDay(String format, String dateString) {
        String finalDateString = "";
        SimpleDateFormat dbDateFormat = new SimpleDateFormat(Utility.DATE_FORMAT);
        try {
            Date inputDate = dbDateFormat.parse(dateString);
            SimpleDateFormat requestedDateFormat = new SimpleDateFormat(format);
            finalDateString = requestedDateFormat.format(inputDate);
        } catch (ParseException e) {
            e.printStackTrace();
        } catch (NullPointerException npex) {
            e.printStackTrace();
        }
        return finalDateString;
    }
}
import junit.framework.TestCase;

public class UtilityTest extends TestCase {

    // An empty input string cannot be parsed, so the method must fall back
    // to its empty-string default instead of throwing.
    public void testGetFormattedMonthDayForBadInput() throws Exception {
        String inputDateString = "";
        final String expectedDateFormat = "yyyy, MMMM dd";
        final String expectedResult = "";
        String result = Utility.getFormattedMonthDay(expectedDateFormat,
                inputDateString);
        assertEquals("A wrong formatted input must return an empty String",
                expectedResult, result);
    }

    // … (the slide elides the remaining test methods)
}
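The bad-input test above only covers input that fails to parse at all. The following JUnit 4 class is an added example, not code from the original slides, that exercises the same Utility.getFormattedMonthDay on two inputs the slide does not test: a well-formed date and a numerically well-formed but impossible date. It assumes the Utility class shown above is on the classpath and that Utility.DATE_FORMAT is "yyyyMMdd" (its value is not shown on the slide); because the page's method formats month names in the JVM default locale, the class pins the locale to Locale.US so the expected strings are deterministic.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Locale;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;

// Added example (not from the slides). Assumes Utility.DATE_FORMAT == "yyyyMMdd".
public class UtilityLenientParsingTest {

    private static final String REQUESTED_FORMAT = "yyyy, MMMM dd";
    private Locale savedLocale;

    @Before
    public void pinLocale() {
        // Utility uses the default locale for month names; pin it for the test.
        savedLocale = Locale.getDefault();
        Locale.setDefault(Locale.US);
    }

    @After
    public void restoreLocale() {
        Locale.setDefault(savedLocale);
    }

    @Test
    public void wellFormedDateIsReformatted() {
        assertEquals("2015, March 14",
                Utility.getFormattedMonthDay(REQUESTED_FORMAT, "20150314"));
    }

    @Test
    public void impossibleDateIsSilentlyRolledOver() {
        // SimpleDateFormat is lenient by default: "30 February" does not raise
        // a ParseException, it rolls over to 2 March. So malformed-but-numeric
        // input yields a plausible wrong date rather than the "" sentinel the
        // slide's bad-input test treats as the error signal.
        assertEquals("2015, March 02",
                Utility.getFormattedMonthDay(REQUESTED_FORMAT, "20150230"));
    }

    @Test
    public void strictParserRejectsImpossibleDate() {
        // The same input against a non-lenient parser: rejected outright,
        // which is what an input-validation layer in front of storage wants.
        SimpleDateFormat strict = new SimpleDateFormat("yyyyMMdd", Locale.US);
        strict.setLenient(false);
        try {
            strict.parse("20150230");
            fail("strict parser should reject 30 February");
        } catch (ParseException expected) {
            // expected: an invalid day-of-month is not normalised away
        }
    }
}
```

The second test is the one worth keeping in a real suite: it documents that the page's method accepts and silently normalises impossible dates, so any caller that treats a non-empty result as proof of valid input is mistaken unless the parser is made non-lenient.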
Image by Schlurcher @ http://en.wikipedia.org/wiki/Jigsaw_puzzle#/media/File:Puzzle_Krypt-2.jpg
Creative Commons cc-by-sa-2.0
It's hard enough to find an error in your code when you're looking for it; it's even harder
when you've assumed your code is error-free.
--Steve McConnell (from Code Complete)
What is next?
• What about cross app testing? UIAutomator!
• Continuous Delivery and Integration of Android Apps
• Code Coverage