This document discusses security mindset and practices around social learning and the Blackboard Cloud. It defines security mindset as evaluating systems from an attacker's perspective to identify vulnerabilities and implement appropriate countermeasures. The document outlines security assessments including threat modeling, which identifies assets, actors, and threats. It provides examples of threat modeling APIs, social media, and cloud integration. It also explains enabling the Blackboard Cloud in stages and the data usage transparency of social media integrations.
We first look at the difference between threats and attacks using intuitive examples (no rigorous definitions, as we think simple explanations are the best way to get the message across). Then we look at threat modeling vs. attack modeling. We give a high-level process for each of these modeling approaches.
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I covered the significance and all related theory of threat modeling and analysis. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.
Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this slide deck, Robert Hurlbut provides practical strategies to develop a threat modeling mindset by: understanding a system, identifying threats, identifying vulnerabilities, determining mitigations and applying the mitigations through risk management.
Threat simulation and modeling training shows you the different kinds of threat modeling procedures and encourages you to apply threat modeling as an advanced, preventive form of security. TONEX, a pioneer in the security industry for over 15 years, is now announcing the threat simulation and modeling training, which teaches you the procedures, tools and case studies of effective threat modeling methods.
The Threat Simulation and Modeling Training course covers a variety of topics in the cybersecurity area, such as:
Process for attack simulation and threat analysis (PASTA)
PASTA steps
Common attack pattern enumeration and classification (CAPEC)
Threat modeling with SDLC and existing threat modeling approaches.
Moreover, you will be introduced to threat analysis, weakness and vulnerability analysis, attack modeling and simulation, and residual risk analysis and management.
Learn About:
PASTA, the objectives of risk analysis, risk-centric threat modeling, and the basics of weakness and vulnerability analysis.
Common attack pattern enumeration, covering: HTTP response splitting, SQL injection, XSS strings, phishing, buffer overflow, authentication protocol attacks and even cache poisoning.
Threat analysis approaches and principles that give you a step-by-step, straightforward methodology for conducting threat modeling and analysis. Moreover, a detailed introduction to existing threat modeling approaches is included in the course. Examples of such approaches are CVSS, CERT, DREAD, and SDL threat modeling.
Who Can Benefit from Threat Simulation and Modeling Training?
If you are an IT professional who specializes in computer security, you will benefit from the presentations, examples, case studies, discussions, and individual activities of the threat simulation and modeling training, and upon its completion you will be better prepared for your career.
Threat Simulation and Modeling Training Features:
Threat simulation and modeling training will introduce a set of labs, workshops and group activities based on real-world case studies in order to prepare you to tackle all the related computer threat challenges.
Our instructors at TONEX will help you to understand the step-by-step procedure for attack simulation and modeling, such as enumerating the attack vectors, assessing the probability of attacks, attack-driven security tests and attack library updates.
Learn more about course audience, course objectives, course outline, workshop pricing, etc.
Threat Simulation and Modeling Training
https://www.tonex.com/training-courses/threat-simulation-and-modeling-training/
6 Most Popular Threat Modeling Methodologies, by EC-Council
Threat modeling is one of the most effective preventive security measures, empowering cybersec professionals to put a robust cybersecurity strategy in place. So, let’s learn more about threat modeling in this SlideShare.
If you are keen to learn effective threat modeling after going through the SlideShare, click here: https://www.eccouncil.org/programs/threat-intelligence-training/
This presentation discusses the importance of threat modeling. It also discusses different ways to perform threat modeling. Threat modeling should be done during the design phase of application development. The main aim of threat modeling is to identify the important assets or functionalities of the application and to protect them. Threat modeling cuts down the cost of application development because it identifies issues during the design phase. In this presentation we also discuss the basics of mobile threat modeling. The presentation mainly concentrates on STRIDE and DREAD.
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016), by FFRI, Inc.
• About threat analysis support tool
• Examples of tools
• Analysis target system
• Analysis result
– How to read result
– Overview of threats
• Effective usage
– About template
– Additional definition of threat information
• Conclusions
• References
As delusions of effective risk management for application environments continue to spread, companies continue to bleed large amounts of security spending without truly knowing if the amount is warranted, effective, or even elevating security at all. In parallel, hybrid, thought-provoking security strategies are moving beyond conceptual ideas to practical applications within ripe environments. Application Threat Modeling is one of those areas that, beyond the hype, provides practical and sensible security strategy that leverages already existing security efforts for an improved threat model of what is lurking in the shadows.
Tony UcedaVelez, Managing Director
An experienced security management professional, Tony has more than 10 years of hands-on security and technology experience and is a vocal advocate of security process engineering – a term that describes the design and development of secure processes and controls working symbiotically to create a unique business workflow. Tony currently serves as Managing Director for an Atlanta based risk advisory firm that focuses on security strategy and delivering effective means for risk mitigation and security process engineering. He has worked and consulted for the Fortune 500, as well as federal agencies in the U.S. on the topic of application security and security process engineering.
The Security Vulnerability Assessment Process & Best Practices, by Kellep Charles
Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls.
To conduct a security assessment effectively, so that it is beneficial to an organization, a proven methodology must be followed so that the assessors and assessees are on the same page.
This presentation will evaluate the benefits of credentialed scanning, scanning in a virtual environment, and distributed scanning, as well as vulnerability management.
Threat modeling is an approach for analyzing the security of an application.
It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
Threat modeling is not an approach to reviewing code, but it does complement the security code review process.
The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built-in from the very beginning.
Link to YouTube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn id: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling (system + enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFDs and the Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Most organizations require threat models. The industry has recommended threat modeling for years. What holds us back? Master security architect, author and teacher Brook Schoenfield will take participants through a threat model experience based upon years of teaching. Expect a kick start. Practitioners will increase understanding. Experts will gain insight for teaching and programs.
(Source : RSA Conference USA 2017)
Threat modeling is a process used by cybersecurity professionals to identify security vulnerabilities in an application, system, network, or business process and to develop effective measures to prevent or mitigate threats. It is a structured process with these objectives: identify security threats and potential vulnerabilities, define the criticality of each threat and vulnerability, and prioritize remediation methods.
What is the process of Vulnerability Assessment and Penetration Testing.pdf, by ElanusTechnologies
Elanus Technologies is a vulnerability assessment and penetration testing company in India providing cyber security and VAPT services for web, mobile, network and thick-client applications.
https://www.elanustechnologies.com/vapt.php
For Business's Sake, Let's focus on AppSec, by Lalit Kale
Slide deck for the session on Application Security at the Limerick DotNet-Azure User Group on 15th Feb, 2018.
Event URL: https://www.meetup.com/Limerick-DotNet/events/hzctdpyxdbtb/
Application Threat Modeling In Risk Management, by Mel Drews
How to perform threat modeling of software to protect your business and critical assets, and to communicate your message to your boss and the Board of Directors.
1. While watching the video I observed Merideth’s automatic though.docx, by croysierkathey
1. While watching the video I observed Merideth’s automatic thoughts about herself. Some of the things she said about herself were that she was shy, and that she doesn’t feel like she can tell cool stories but has told good stories in the past. She sees herself as invisible. She thinks that if she does something embarrassing she will end up alone. Merideth is very careful about drawing conclusions about herself.
I believe that Merideth is using labeling and mislabeling, which involves portraying one’s identity on the basis of imperfections and mistakes of the past (Corey, 2018). She is using the ideas of imperfections and mistakes from past experiences to form her opinions of herself and her reality of her future. She feels people will judge her too harshly if she embarrasses herself. I think the multi-column method is a good way to chart the client's feelings about themselves, and it also helps with their conclusions about how they feel about themselves.
2. I think that cognitive theory is a great way to help the client determine and recognize their feelings about themselves. It is a way for the client to express their opinions about themselves and work with the therapist to develop ways to handle their insecurities. It does involve primary emotions and behaviors that can be used in the mental process. It encourages a hands-on approach and a deeper understanding of their behaviors.
I personally like a more effective and direct approach, one that breaks down the issues into simple theories. It helps the client develop a sense of their surroundings, and I feel it has a more lasting effect on the client.
Corey, G. (2018). Theory and Practice of Counseling and Psychotherapy. Boston, MA: Cengage Learning.
University of the Cumberlands
School of Computer & Information Sciences
ISOL-536 - Security Architecture & Design
Chapter 2: The Art of Security Assessment
Spring 2020
Dr. Errol Waithe
Chapter 2: The Art of Security Assessment
• 2.1 Why Art and Not Engineering?
• 2.2 Introducing “The Process”
• 2.3 Necessary Ingredients
• 2.4 The Threat Landscape
• 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System?
• 2.5 How Much Risk to Tolerate?
• 2.6 Getting Started
2.1 Why Art and Not Engineering?
Definition of “engineering”: The branch of science and technology concerned with the design, building, and use of engines, machines, and structures.
• In contrast, a security architect must use her or his understanding of the currently active threat agents in order to apply these appropriately to a particular system. Whether a particular threat agent will aim at a particular system is as much a matter of understanding, knowledge, and experience as it is cold hard fact. Applying threat agents and their capabilities to any particular system is an essential activity within the art of threat modeling. Hence, a security assessment of an architecture is an act of craft.
2.2 Introducing “The Process”
• Because we security architect.
Enterprise Class Vulnerability Management Like A Boss, by rbrockway
A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo..., by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed in releasing software to market, combined with traditionally slow and manual security checks, has caused gaps in continuous security, an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats because of the vast attack surface in their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He has around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Pushing the limits of ePRTC: 100ns holdover for 100 days, by Adtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
How to Get CNIC Information System with Paksim Ga.pptx, by danishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Securing your Kubernetes cluster_ a step-by-step guide to success !, by KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
20 Comprehensive Checklist of Designing and Developing a Website, by Pixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf, by Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company’s observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor..., by SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
2. ABOUT ME
Franco Antico
Software Architect
Blackboard
franco.antico@blackboard.com
I am a software architect on the Bb Learn security team.
3. WHAT WE ARE GOING TO LEARN TODAY
Security mindset, approaches and best practices
Bb security operations around Social Learning and the Blackboard Cloud
Enable the Blackboard Cloud with confidence
4. SECURITY MINDSET
What is the security mindset?
Why does it matter?
What practices are the most effective at securing applications and services we use daily?
5. SECURITY MINDSET: A PERSPECTIVE
The security mindset is a way of looking at the operation of a system.
It’s a matter of perspective that starts by asking and answering security questions:
How does an attacker see our system/service/processes/etc.? What do they see? (attack surface)
How do we secure our system in response?
6. SECURITY MINDSET: A PERSPECTIVE
Security issues don’t tend to be random. Both an attacker’s intent and opportunity shape the most likely exploits.
The safeguards and protections we implement shouldn’t be random either. These countermeasures should match the real threat level.
7. SECURITY MINDSET: WHY IT MATTERS
The world waits for no one. What was secure today may not be secure tomorrow.
Technology changes; some of this is trendy, some is here to stay and represents a new model, a new way of doing things; e.g., Social Media.
A process that promotes continual evaluation, learning and evolution of the security posture is the best bet to manage this change.
8. SECURITY MINDSET: APPROACHES
How can we apply the security mindset in practice?
Security Assessments provide a great vehicle to evaluate the security of a system in a comprehensive way fueled by the security mindset. Each assessment is a project with defined triggers, inputs and deliverables, and is part of the SDLC.
The assessment’s goal is to provide actionable security recommendations based on sound and consistent analysis.
9. SECURITY ASSESSMENTS
Establish the scope of the assessment
Selection of Evaluation Level
• Basic: Lower Risk
• Moderate: Medium Risk
• Rigorous: High Risk (e.g., new integrations)
Evaluation Level drives scope and deliverables
10. SECURITY ASSESSMENTS
Security Assessments have two main components:
• Analytic Reviews (Design and Code)
• Penetration Testing and Static Analysis
The assessment can proceed with a high degree of parallelism. Each component breaks down to largely independent tasks.
We will focus today on the Analytic items.
11. SECURITY ASSESSMENTS
Threat Modeling is the central analytic process of the assessment.
Threat Modeling provides an effective means to identify, measure and manage security risk. The threat modeling process pairs identified threats with countermeasure recommendations.
The countermeasure aspect is what closes the loop on each threat-vulnerability pair and makes the threat model actionable.
12. THREAT MODELING
Purpose: To analyze the security risks for a given system or entity from a number of perspectives.
Threat Model: An Analytic Flow
• Identify Assets and Actors
• Modeling Methodologies: MS STRIDE, DREAD
• Modeling Knowledge Bases: OWASP, CSA, ENISA, NIST
• Identify Key Architecture Characteristics (e.g., APIs)
• Attack Surface Analysis (e.g., System Integration Points)
• Technology Specific Considerations (e.g., OAuth)
13. THREAT MODELING
Threat Model: (continued)
• Diagrams
  • Data Flow Diagram
  • Attack Tree
• Threat Library
• Categorization vs. Scoring (Threat vs. Vulnerability)
  • STRIDE
  • DREAD
  • CWE (Common Weakness Enumeration)
  • CVSS (Common Vulnerability Scoring System)
14. THREAT MODELING: ASSETS AND ACTORS
Identify Assets and Actors
What are the actors' motivations?
What risks do well motivated actors pose to our system?
15. THREAT MODELING: ASSETS AND ACTORS
Asset: Description
Data: Any data associated with the system (e.g., student grade data.)
Reputation: Reputation with customers and communities.
Infrastructure: The architectural components of the system. These can be services or systems and may impact both software and hardware.
16. THREAT MODELING: ASSETS AND ACTORS
Actor: Description
Attacker: External entity with no direct connection to the system. The attacker may be a human (individual or organized group) or some autonomous entity (bot, script.)
Malicious User: Registered user attempting to violate terms of use or perform other inappropriate actions.
Malicious Insider: A person who has special access to the system.
17. MODELING METHODOLOGIES
Microsoft STRIDE – Categorizing
S – Spoofing identity
T – Tampering with data
R – Repudiation (deny action taken)
I – Information disclosure
D – Denial of service
E – Elevation of privilege
18. MODELING METHODOLOGIES
DREAD – Scoring (Categorizing)
D – Damage
R – Reproducibility (involvement)
E – Exploitability (required skill)
A – Affected users
D – Discoverability
Each component is scored [Low, Med, High]. Higher scores are bad. The final score is the average of the components.
19. MODELING KNOWLEDGE BASES
OWASP
• Open Web Application Security Project
• Countermeasure guidelines and frameworks (ESAPI)
• Top 10 List (2013 List recently released)
NIST
• National Institute of Standards and Technology
• Cryptographic recommendations
CSA and ENISA
• Cloud Security Alliance and European Network and Information Security Agency
• Cloud security
22. THREAT MODEL IN ACTION
The following threat model items represent general threats facing social media and cloud integrations. These are the kinds of threats that we consider during development and test.
23. THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library): A.1.1 API Message Integrity
Threats: Tampering, Repudiation
Description: An attacker alters an API message either at the source, en route or at the destination.
Attack Vector 1: Message intercepted in transit.
Countermeasure 1: API level message signature, hashing or MAC protection. Each tier that processes an API message, including routing, should add to the signature envelope. SSL alone will not guarantee message integrity for all cases: non-SSL scenarios, message tampering after SSL termination.
24. THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library): A.1.2 API Message Misuse
Threats: Tampering, Repudiation, Denial of Service
Description: An attacker intercepts an API message and retransmits (replays) the message at a later time to compromise the system.
Attack Vector 1: Message intercepted and replayed. Attacker captures a wall post message and replays the message in an effort to crash the system or impair performance.
Countermeasure 1: Include a one-time nonce with each API message. Note, the nonce can be included in the API signature referenced in A.1.1.
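As an added example (not code from this deck or from Blackboard), here is one way to implement the A.1.1 signature envelope together with the A.1.2 one-time nonce in Python: an HMAC over a canonical encoding of body, nonce and timestamp, verified with a replay cache on the receiving tier. The shared secret, the 300-second freshness window and the in-memory nonce cache are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumptions for the demo: a shared secret between the API client and the service
# tier, and a 300-second freshness window that bounds how long nonces must be remembered.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
NONCE_TTL_SECONDS = 300

def canonical_bytes(body: dict, nonce: str, ts: int) -> bytes:
    # Canonical JSON so every tier signs and verifies exactly the same bytes (A.1.1)
    envelope = {"body": body, "nonce": nonce, "ts": ts}
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()

def sign_message(body: dict, secret: bytes = SHARED_SECRET, now: Optional[int] = None) -> dict:
    """Client side: wrap an API body in a MAC envelope carrying a one-time nonce (A.1.2)."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, canonical_bytes(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}

class MessageVerifier:
    """Server side: check integrity, freshness and single use of each API message."""

    def __init__(self, secret: bytes = SHARED_SECRET, ttl: int = NONCE_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self.seen = {}   # nonce -> ts; in a multi-node tier this cache must be shared

    def verify(self, msg: dict, now: Optional[int] = None) -> str:
        now = int(time.time() if now is None else now)
        expected = hmac.new(self.secret, canonical_bytes(msg["body"], msg["nonce"], msg["ts"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad signature"   # body, nonce or timestamp was altered
        if abs(now - msg["ts"]) > self.ttl:
            return "rejected: stale"           # outside the window the nonce cache covers
        if msg["nonce"] in self.seen:
            return "rejected: replay"          # this exact envelope was already accepted
        self.expire(now)
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"

    def expire(self, now: int) -> None:
        # Drop nonces older than the window; the timestamp check rejects those anyway
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.ttl:
                del self.seen[nonce]
```

A routing tier that must also vouch for the message would compute its own MAC over the whole envelope and append it, which is the per-tier layering the slide describes.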
25. THREAT MODELING IN ACTION: APIS
API Threats (from Threat Library): A.1.5 API Resilience
Threats: Repudiation, Denial of Service
Description: An attacker or malicious user executes a well timed Denial of Service attack in an attempt to compromise a given user's profile.
Attack Vector 1: Attacker launches a large scale flood of API messages targeting the API infrastructure; the user's profile is left in an unknown state, potentially locking the user out of the profile.
Countermeasure 1: Ensure API message resilience, where the system can recover from messages lost in transit.
26. THREAT MODELING IN ACTION: SOCIAL MEDIA
Social Media Threats (from Threat Library): EI.1.2 Data Input Validation
Threats: Spoofing, Information Disclosure
Description: An external attacker compromises a user's Twitter/FB account and subsequently launches an attack attempting to exploit social learn users.
Attack Vector: An external attacker adds malicious JavaScript to a user's Twitter description by exploiting a vulnerability in Twitter. The attacker then launches a CSRF attack against other users in the compromised user's follower (or potential follower) list.
Countermeasure: Any data coming from external applications must be sanitized before processing. Moreover, as a final fallback measure, the system should escape any data (externally sourced or not) prior to display.
27. THREAT MODELING IN ACTION: SOCIAL MEDIA
EI.1.4 Avatar Security
Threats: Spoofing, Information Disclosure, Denial of Service
Description:
1. A malicious user attempts to perform a denial of service attack on the system through an avatar upload.
2. An external attacker gains access to a student's avatar image despite the student's social learn privacy settings.
Attack Vector 1: A malicious user attempts to compromise the service by uploading a 100MB avatar image either through the file upload or an external social network, e.g. Twitter (assume this vector is possible via a vulnerability in Twitter.) A variation of this vector could be embedding malicious code in a standard sized avatar with the goal of distributing the attack through the browser's rendering of the image. Potential attacks include attempting to exploit jpeg buffer overflow or ICC profile corruption vulnerabilities.
Countermeasure 1: Implement a server-side check on the avatar size: reject any avatar image that is suspiciously large. Also, to address a potential "evil" avatar image, use a security vetted image toolkit to load and validate the avatar.
Countermeasure 2: Provide authorization controls that guard the delivery of the avatar. Tie the avatar ACL to the profile privacy settings, i.e., only allow an open avatar for public privacy scenarios. The definition of "public" should distinguish two levels of visibility for avatars and other data: any legitimate user can view the avatar/data vs. anyone on the internet can view the data.
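An added example, not from this deck or from Blackboard's code, of the server-side gate in countermeasure 1: a byte-size cap plus a header parse of PNG and JPEG dimensions, so an oversized or implausibly large avatar is rejected before any image toolkit decodes it. The two caps and the sample images are constructed for the demo; the vetted-toolkit load and re-encode the slide calls for would run after this gate, not instead of it.

```python
import struct
from typing import Optional, Tuple

# Assumed caps for the demo; the slide only says "suspiciously large".
MAX_AVATAR_BYTES = 512 * 1024       # reject uploads above this byte size outright
MAX_AVATAR_PIXELS = 1024 * 1024     # reject images that would decode to more pixels

def png_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    # PNG layout: 8-byte signature, then the IHDR chunk (length, "IHDR", width, height)
    if len(data) < 24 or data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        return None
    width, height = struct.unpack(">II", data[16:24])
    return width, height

def jpeg_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    # JPEG layout: SOI marker, then length-prefixed segments; a SOFn segment holds the size
    if data[:2] != b"\xff\xd8":
        return None
    sof_markers = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
    i = 2
    while i + 9 <= len(data):
        if data[i] != 0xFF:
            return None                      # lost sync: not a well-formed marker stream
        marker = data[i + 1]
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            i += 2                           # standalone markers carry no length field
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker in sof_markers:
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    return None

def validate_avatar(data: bytes) -> str:
    """Cheap gate run before handing the bytes to a security-vetted image toolkit."""
    if len(data) > MAX_AVATAR_BYTES:
        return "rejected: too large"
    dims = png_dimensions(data) or jpeg_dimensions(data)
    if dims is None:
        return "rejected: not a PNG or JPEG"
    width, height = dims
    if width == 0 or height == 0 or width * height > MAX_AVATAR_PIXELS:
        return "rejected: implausible dimensions"
    return "accepted"

def constructed_png(width: int, height: int) -> bytes:
    # Constructed sample: PNG signature plus an IHDR header only (enough for the gate)
    ihdr = struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00"
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + ihdr

def constructed_jpeg(width: int, height: int) -> bytes:
    # Constructed sample: SOI, an APP0 segment, then a baseline SOF0 frame header
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", height, width) + b"\x03"
    return b"\xff\xd8" + app0 + sof0
```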
28. THREAT MODELING IN ACTION: CLOUD
Cloud Threats (from Threat Library): S.1.2 Cross System Logout
Threats: Spoofing, Repudiation, Information Disclosure
Description: An attacker or malicious user is able to impersonate a user via their session id even after logout.
Attack Vector 1: Using the browser's history, an attacker discovers a user's session and gains access to the system as that user.
Countermeasure 1: Ensure that logout invalidates all relevant cross-system sessions in as synchronous a manner as possible.
29. SOCIAL MEDIA TECHNOLOGY: OAUTH
OAuth: a standard for granting authorization across platforms and content delivery modalities
OAuth: protects passwords by providing an API for authorizing API access
OAuth is a reality of social media. Developers leverage OAuth because that is what the service providers implement (FB, Twitter, etc.)
30. SOCIAL MEDIA TECHNOLOGY: OAUTH
Key OAuth roles:
Resource Owner (or End User)
• Someone with a Facebook account (identity, credentials)
Resource Server
• Facebook service itself
Client
• Facebook App
31. SOCIAL MEDIA TECHNOLOGY: OAUTH
OAuth is flow based: Two-Legged vs. Three-Legged. Here is a diagram from Google Apps Marketplace that shows the gist of an OAuth 2.0 Three-Legged flow that is most applicable to social media:
http://www.google.com/support/enterprise/static/gapps/art/admin/en/cpanel/3-legged-oauth-diagram.png
Resource Owner (End User): User
Resource Server: Google
Client: Web application
32. OAUTH TAKEAWAYS
What to look for:
• Transparency of data usage
• Support of opt-in model
• Ability to turn integrations on and off
33. BLACKBOARD CLOUD
Are folks familiar with the Blackboard Cloud?
Anyone have the Bb Cloud enabled currently?
34. BLACKBOARD CLOUD
What is the Blackboard cloud?
Why should I turn on the Cloud?
How do I turn on the Cloud?
35. WHAT IS THE BLACKBOARD CLOUD
The Blackboard Cloud is a platform for delivering new capabilities and extensions to Learn.
Blackboard manages the Cloud.
The new cloud-based capabilities are optional, and require activation by an administrator.
36. WHAT IS THE BLACKBOARD CLOUD
The Cloud consists of three feature sets:
Blackboard Cloud Services
• Software Updates, Inline Assignment Grading and enhanced tools to foster Social Learning.
Cloud Profiles & Tools
• basic Profiles (called Profile Cards), the People tool, and enhancements to the Posts tool
Social Profiles & Tools
• full Profiles, Spaces, Messages, and enhancements to Profile Cards, People tool, and the Posts tool
37. WHY SHOULD I TURN ON THE CLOUD?
• More Rapid Innovation & Responsiveness
• Scalability with Less Cost to You
• Future Cross-institution / Global capabilities
• Enhanced Educational Experience
• It’s Secure, provides Privacy Control (Cloud Profile private by default) and Transparency of Data Usage
38. SOCIAL MEDIA DATA USAGE TRANSPARENCY
Bb Cloud usage of Twitter and Facebook user data:
Facebook/Twitter: profile picture (avatar), “about me” text (description)
Facebook only: Facebook specific email address
https://help.blackboard.com/en-us/Cloud/Cloud_Management/Administrator/Cloud_FAQ
(Under "Are there Facebook and Twitter integrations with a user profile?")
39. HOW DO I TURN ON THE CLOUD
Enabling the cloud goes in a certain order. This is like activating different layers in an architecture. The feature sets build on one another.
1. Blackboard Cloud Services
2. Cloud Profiles & Tools
3. Social Profiles & Tools
Cloud Profiles and Social Learning Tools are NOT automatically enabled once the Blackboard Cloud is enabled.
46. ENABLING SOCIAL PROFILES AND TOOLS
With Cloud Profiles and Tools on, go to the Administrator Panel, under Cloud Management, and click Cloud Profiles and Tools to find: