This document provides an overview of fuzz testing, including:
- Fuzz testing involves automated software testing using unexpected or malformed input data to identify vulnerabilities. It is useful for finding bugs and making software more reliable.
- The main types of fuzzing are blackbox, whitebox, and greybox testing, depending on the level of input and system knowledge. Common fuzzing tools include AFL, Peach Fuzzer, KLEE, and SAGE.
- Real world examples of fuzzing include projects by Google, Microsoft, and independent researchers that have found thousands of bugs through automated fuzz testing of software.
6 Traits of a Successful Test Automation Architecture - Erdem YILDIRIM
The sector demands that the software development life cycle be delivered faster and cheaper with increasing quality and reliability. The TLC (testing life cycle) is a crucial part of the time, cost and quality level for the AUT (Application Under Test). The market has got to the point where all long, ornate talks can be summed up in one word: EFFICIENCY. On the quality side, automating testing activities has already come forward over the past years to reduce development cycle times, cost and the resources allocated to traditional testing. It's OK that automation increased the efficiency of the test process, so what about the efficiency of automation itself? Why do most test automation projects fail (even if you're not aware that yours is actually failing)? Because automating without a good test architecture may result in a lot of activity, but little value (if you are lucky). We will talk about the following 6 main traits to build a successful test automation architecture: selection/implementation of test levels to be automated, design principles/patterns, locator strategy, tools / framework selection (aside from SeWD / Java), methodology (E2E Testing, TDD, BDD, Continuous Testing) and OOP pillars.
Secrets and Mysteries of Automated Execution Keynote slides - Alan Richardson
Test Automation, Programming Automation, Automated Execution. This presentation contains some high-level models, abstractions and approaches for effective, non-flaky and maintainable automation.
https://www.eviltester.com
One of the best experiences you might have as a developer is when you are running your continuous delivery pipeline and one of the tests fails because it has found a bug. At this point you see that, thanks to your tests, you are producing less buggy software. This should be the normal case in green-field projects, but it is unlikely to happen when running legacy code with a lot of untested code.
Slides I presented at PyCon 2019 (Surabaya, 23/11/2019)
Red-Teaming is a simulation of real-world hacking against an organization. It has little to no limit on time, location, and method of attack. Only results matter. This talk gives insight into how a “hacker” works and how Python can be used for a sophisticated series of attacks.
Unit Testing like a Pro - The Circle of Purity - Victor Rentea
Best practices on designing unit tests, designing testable production code, a glimpse of TDD, using mocks and isolating pure functions for easy testing. Talk distilled from http://victorrentea.ro/#unit-testing
Held at VoxxedDays Bucharest in March 2019.
Dimitrios Stergiou, CISO @ NetEnt, addressed a number of traditional approaches to Application Security and discussed their shortcomings at a Netlight Edge X breakfast seminar. Edge X breakfast seminars at Netlight are recurring events and talks, held by external speakers as well as employees of Netlight, on topics such as trends, challenges and opportunities within IT and management. He also discussed how the Agile methodology can be combined with an Application Security approach that has been proven to offer the most benefits. He also discussed how the DevOps culture can improve security and some do’s and don’ts when deciding to go down the DevOps path.
Pwning IoT via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23 - Chase Schultz
Slides from Defcon IoT Village Workshop
Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience of how people use hardware attacks to get initial access to IoT devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!
Hackers & Attackers Exposed! There are those that know they have been hacked and those that don't know it yet. National Cyber Security Awareness Month. Improve your personal security by being aware of the threats.
How to make the agile team work with security requirements? Getting secure coding practices into agile development is often hard work. A security functional requirement might be included in the sprint, but getting secure testing, secure architecture and feedback from security incidents working is not an easy task for many agile teams. In my role as Scrum Master and security consultant I have developed a recipe of 7 steps that I will present to you. We will talk about agile secure development, agile threat modelling, agile security testing and agile workflows with security. Many of the steps can be done without costly tools, and I will present open source alternatives for all steps. This makes it easier to try and lowers the startup cost of your team's security process.
Practical hardware attacks against SOHO Routers & the Internet of Things - Chase Schultz
Derbycon 2015 (Unity) - Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? Practical hardware attacks against SOHO Routers & IoT is focused on showing folks how to use hardware attacks to get initial access to IoT devices for security research. The talk is designed for people new to hardware hacking, looking to have fun exploiting SOHO routers and the Internet of (broken) Things.
Gattacking Bluetooth Smart devices - introducing new BLE MITM proxy tool - Slawomir Jasek
Bluetooth Low Energy is probably the most thriving technology implemented recently in all kinds of IoT devices: gadgets, wearables, smart homes, medical equipment and even banking tokens. The BLE specification assures secure connections through link-layer encryption, device whitelisting and bonding - mechanisms not without flaws, although that's another story we are already aware of. A surprising number of devices do not (or simply cannot - because of the use scenario) utilize these mechanisms. The security (like authentication) is, in fact, provided on the higher "application" (GATT protocol) layer of the data exchanged between the "master" (usually a mobile phone) and the peripheral device. The connection from the "master" in such cases is initiated by scanning for a specific broadcast signal, which by design can be trivially spoofed. And guess what - the device GATT internals (so-called "services" and "characteristics") can also be easily cloned.
Using a few simple tricks, we can assure the victim will connect to our impersonator device instead of the original one, and then just proxy the traffic - without the consent of the mobile app or device. And here it finally becomes interesting - just imagine how many attacks you might be able to perform with the possibility to actively intercept the BLE communication! Based on several examples, I will demonstrate common flaws possible to exploit, including improper authentication, static passwords, not-so-random PRNG, excessive services, bad assumptions - which allow you to take over control of smart locks, disrupt a smart home, and even get a free lunch. I will also suggest best practices to mitigate the attacks. Ladies and gentlemen - I give you the BLE MITM proxy. A free open-source tool which opens a whole new chapter for your IoT device exploitation, reversing and debugging. Run it on a portable Raspberry Pi, carry it around BLE-packed premises, share your experience and contribute to the code.
Assessing a pen tester: Making the right choice when choosing a third party P... - Jason Broz, CIPP/US
Penetration Testing has become a part of every security program to some degree over the last several years. Additionally, many standards and regulations require it for compliance, as do contractual obligations, and pen testing is a well-known best practice for the IT security industry. One of the main issues with Penetration Testing is that very few entities have the knowledge, resources or time to address this in-house. As a result, this task is often outsourced to a third party, who employ “white-hat” hackers with the supposed expertise to complete the task in order to meet business and regulatory needs.
The question is “How do you tell the difference between a seasoned group of pen-testing professionals and a low-rent firm who's simply handing over the reports from a canned tool?” In this presentation, Jason Broz and Tom Eston from SecureState will address the following issues:
• Pitfalls of pen-testing clients
• Games that some firms may play
• What to look for in a quality pen test firm
• Provide the audience with a checklist of questions to ask when choosing a pen-test firm.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
N. Oskina, G. Asproni - Be your own Threatbuster! - Codemotion Milan 2018 - Codemotion
Creating a quality web application is hard. It’s hard to gain customers, it’s hard to build your reputation and it’s hard to keep the costs low. Nevertheless, security is often an afterthought. However… Have you considered the cost of fixing security issues later? What about the reputational damage of a security breach? Are you worried about your customers’ data? We will talk about good security coding practices for web applications and how to apply them early on using some real world examples. We will also help you to think about your website’s vulnerabilities from the view of a hacker.
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example is Trusted Developer Utilities, which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector, as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well; these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding of environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
[2010 CodeEngn Conference 04] window31 - Art of Keylogging: Keyloggers unrelated to keyboard security - GangSeok Lee
2010 CodeEngn Conference 04
Looking through various papers and other research materials, many of them point out the limitations of keyboard security and discuss countermeasures to complement it. Such an academic approach is of course important, but it is also necessary to look at the hacker's approach: how a hacker who is actually keylogging takes keystrokes and account credentials. In general, hackers take accounts through simpler, more practical methods rather than abstruse techniques based on kernel-level or hardware knowledge. And in most cases that kind of activity shows new techniques that go beyond the current coverage of keyboard security. Against this background, we have prepared a session that examines, through reverse engineering, cases actually occurring in enterprises and user infection cases. The Art of Keylogging presentation, where you can get a taste of the art of binary hacking, introduces new trends in keystroke theft.
http://codeengn.com/conference/04
Welcome to "How to Securely Create Cryptographic Keys" with Joshua McDougall. This presentation was delivered on Thursday, August 29th 2019.
In this class, scholars will learn the process of creating keys with proper entropy, backup processes, and how environmental factors can weaken or improve the strength and secrecy of the key.
By the end of the session, you will understand entropy sources, physical wallets, secure environments, and other helpful items that all come together to create strong keys for holding assets. You will each work within groups to create a multi-sig wallet that each scholar is a member of, verifying the key along the way and creating tamper-evident backups.
An introduction to mocking frameworks and using FakeItEasy to help .Net developers write better code through better unit tests. The goal of this session is to understand unit testing basics, use fakes and then leverage a mocking framework to get the most out of unit testing. This session is geared toward the novice unit tester and framework addicts.
Similar to The Mysterious Paradigm of Fuzzing by Rakesh Seal (20)
Talk on "Recon Resurgence: Level up your Recon skills for Maximum impact in Bug-Bounty" by "Agnibha Dutta" at null/OWASP Kolkata Meetup on 27 January 2024
"Impact of front-end architecture on development cost", Viktor Turskyi - Fwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
4. Fuzzing vs Brute Forcing
Aspect  | Brute-Forcing (🔓)                               | Fuzzing (🪲)
Purpose | To guess correct data.                           | To find vulnerabilities in software.
Method  | Tries every possible combination systematically. | Inputs random or malformed data.
Target  | Authentication systems, encryption keys.         | Software applications, systems, protocols.
5. Types of Fuzzing
BlackBox
● No Input Knowledge
● High Level Testing
● Large Target
Tools: Peach Fuzzer

WhiteBox
● In Depth Knowledge
● Low Level Testing
● Specific Target
Tools: KLEE, SAGE

GreyBox
● Limited Knowledge
● Balanced Testing
● Focused Broad Target
Tools: AFL, ClusterFuzz
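To make the blackbox / greybox distinction concrete, here is an added example that is not part of the original slides: a constructed toy message parser with a deliberate length-check defect, a blackbox fuzzer that knows nothing about the format and just throws random bytes at it, and a greybox fuzzer that keeps any mutated input reaching a new branch, which is the corpus-growing feedback loop AFL uses. The message format, the branch ids standing in for binary instrumentation, and every function name here are assumptions of this example, not code from any of the tools named above.

```python
"""Blackbox vs greybox (coverage-guided) fuzzing on a constructed toy target."""
import random

# Constructed target: "HDR" + version byte + length byte + payload.
# The branch ids added to `coverage` mimic the edge coverage an instrumented
# binary reports to a greybox fuzzer; a blackbox fuzzer never sees them.
def parse_message(data: bytes, coverage: set) -> int:
    """Parse one message and record the branches taken in `coverage`."""
    coverage.add("entry")
    if len(data) < 5:
        coverage.add("short")
        return -1
    if data[:3] != b"HDR":
        coverage.add("bad_magic")
        return -1
    version, length = data[3], data[4]
    if version == 1:
        coverage.add("version_1")
        return len(data[5:5 + length])          # slicing clamps, so this is safe
    if version == 2:
        coverage.add("v2")
        if length > len(data) - 5:
            coverage.add("v2_overread")
            # Constructed defect: a C parser would read past the buffer here;
            # the exception stands in for the memory-safety crash.
            raise IndexError("declared length exceeds payload")
        return length
    coverage.add("unknown_version")
    return -1


def run_target(data: bytes):
    """Execute one input; return (branches_hit, crashed)."""
    cov = set()
    try:
        parse_message(data, cov)
    except IndexError:
        return cov, True
    return cov, False


# Boundary values a mutator tries first, as AFL's "interesting" values do.
INTERESTING = [0, 1, 2, 0x7F, 0x80, 0xFF]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: overwrite, boundary value, insert, delete."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 3 and len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def blackbox_fuzz(iterations: int, seed: int = 0):
    """Blackbox: no format knowledge, fresh random bytes every time.

    Returns the iteration of the first crash, or None if the budget ran out.
    """
    rng = random.Random(seed)
    for i in range(1, iterations + 1):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 12)))
        if run_target(data)[1]:
            return i
    return None


def greybox_fuzz(iterations: int, seed_inputs, seed: int = 0):
    """Greybox: mutate a corpus and keep inputs that reach a new branch.

    Returns (iteration_of_first_crash, crashing_input, corpus_size); the first
    two are None if no crash was found within the budget.
    """
    rng = random.Random(seed)
    corpus = list(seed_inputs)
    seen = set()
    for s in corpus:                       # coverage of the seed corpus
        seen |= run_target(s)[0]
    for i in range(1, iterations + 1):
        candidate = mutate(rng.choice(corpus), rng)
        cov, crashed = run_target(candidate)
        if crashed:
            return i, candidate, len(corpus)
        if not cov <= seen:                # new branch reached: keep the input
            seen |= cov
            corpus.append(candidate)
    return None, None, len(corpus)


if __name__ == "__main__":
    print("blackbox crash at iteration:", blackbox_fuzz(5000))
    it, crash, size = greybox_fuzz(20000, [b"HDR\x01\x03abc"])
    print(f"greybox crash at iteration {it} with input {crash!r} (corpus size {size})")
```

The blackbox run almost never gets past the three-byte magic check, so it exercises only the `bad_magic` branch no matter how long it runs; the greybox run starts from one valid seed, keeps the first mutant that flips the version byte to 2 because it reaches a new branch, and from that corpus entry a single further mutation of the length byte (or a deleted payload byte) reaches the defect within a few hundred iterations. A whitebox tool such as KLEE or SAGE would instead solve the path constraints (`data[:3] == b"HDR"`, `version == 2`, `length > len(data) - 5`) symbolically and produce the crashing input directly, which is the "in depth knowledge, specific target" trade-off in the column above.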
7. Enough Talk, Show me some Action !!
https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/INSTALL.md
https://github.com/mykter/afl-training
https://github.com/antonio-morales/Fuzzing101
8. Where Do I use This Knowledge?
Webapps
● Web form
● API
● Authentication
❏ ZAP
❏ WFuzz

Binary
● System Tools
● Libraries
● Firmware
● Device Drivers
❏ AFL
❏ LibFuzzer

Network
● TCP / IP
● L7 Protocols
● Communication
❏ Scapy
❏ Sulley

Generic
● Utility
● Scripts
● Backend Services
❏ Peach
❏ Atheris
❏ go-fuzz
9. Real World Applications
01 Microsoft SDLC
● CVE-2020-0601 (Windows CryptoAPI)
● CVE-2019-0803 (Windows)
● CVE-2018-8174 (Internet Explorer)

02 Google OSS-Fuzz
● 36,000+ bugs
● CVE-2016-5172 (Chrome)
● CVE-2017-3731 (OpenSSL)
● CVE-2018-20225 (LibreOffice)

03 Independent Research
● Heartbleed (CVE-2014-0160)
● Shellshock (CVE-2014-6271)
● BlueKeep (CVE-2019-0708)
● Linux Kernel (CVE-2014-0196)