c0c0n 2015 Presentation. This talk discussed about the impact of using components with known vulnerabilities along with various tips and tools for software developer or administrator to facilitate identification of vulnerable components.
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Understanding Your Attack Surface and Detecting & Mitigating External ThreatsUlf Mattsson
Understanding Your Attack Surface and Detecting & Mitigating External Threats
Description : Organizations have spent massive amounts of money to protect the perimeter of their networks, but if your business exists on the internet, there really is no perimeter. In this presentation, we'll discuss Digital Footprints in understanding your company’s external attack surface. We will discuss social, mobile, web attacks and analyze and review lessons learned recently publicized attacks (Polish banking institutions, Apache Struts Vulnerability or WannaCry ransomware. The speed of business and cybercrime isn't slowing down, so how can you be prepared to address and defend against these types of threats? Attend our session to find out how.
Reducing Your Digital Attack Surface and Mitigating External Threats - What, Why, How:
What is a Digital Footprint?
Breakdown of External Threats (Social, Mobile, Web)
What are blended attacks?
What is actually being targeting at your company?
How are your brands, customers, and employees being attack outside of your company?
How to become proactive in threat monitoring on the internet?
Considerations in External Threat solutions
Threat correspondence tracking considerations
Is legal cease and desist letters adequate in stopping attacks?
Examination of a phishing attack campaign
How phishing kits work
Analysis and lesson learned from recent published attacks
What are the most important capability in a digital risk monitoring solution?
Penetration testing reporting and methodologyRashad Aliyev
This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations.
We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Introduction to Microsoft Security Development Lifecycle.
1. What is Microsoft Security Development Lifecycle (SDL)?
2. Understanding various phases of SDL
3. Threat Modeling
4. Security & Privacy Bugs
5. SDL Training
Présentation de la suite ELK dans un contexte SIEM et zoom sur Wazuh (OSSEC) , IDS open source
Venez découvrir comment être proactif face aux problèmes de cyber sécurité en analysant les données fournies par vos équipements et applications critiques.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie cutter approach must be avoided here because again every organization is different and so are their risks.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
Introduction to Microsoft Security Development Lifecycle.
1. What is Microsoft Security Development Lifecycle (SDL)?
2. Understanding various phases of SDL
3. Threat Modeling
4. Security & Privacy Bugs
5. SDL Training
Présentation de la suite ELK dans un contexte SIEM et zoom sur Wazuh (OSSEC) , IDS open source
Venez découvrir comment être proactif face aux problèmes de cyber sécurité en analysant les données fournies par vos équipements et applications critiques.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood and a cookie cutter approach must be avoided here because again every organization is different and so are their risks.
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
OWASP DefectDojo - Open Source Security SanityMatt Tesauro
Originally given at the project showcase at Global AppSec DC 2019, this talk covered what DefectDojo is, what's new and why you should be using it in your security program.
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
A beginner level presentation made for c0c0n 2013 to talk about some basic modules of python which can be used in routine penetration testing exercises.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto The presentation talks about how a disclsoure was forgotten and what we can do to prevent such issues and how to keep a track on Vulnerable components
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
This presentation is part of a series focused on OWASP Mobile Top 10 : We discussed about what is data leakage, places where data could be leaked. sample /examples of data leakage and how it differes from M2: Insecure data storage.
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified..
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
While a lot of attention is devoted to the mitigation of previously unknown attack methods ("0 days"), many of today's high-profile breaches are caused by "Known Vulnerabilities" in the application's components, also referred to as "vulnerabilities in third-party components." Attackers are quickly moving to exploit applications built with vulnerable components and are inflicting serious data loss and/or hijacking entire servers in the process. The rising popularity of third-party components in application development enables attackers to quickly and repeatedly locate and exploit vulnerabilities in application components - making these attacks widespread and extremely hazardous. This presentation will: (1) explore the recent growth of "Known Vulnerabilities" and examine the scope of the problem (2) examine how attackers are able to quickly "weaponize" these vulnerabilities for immediate profit (3) reveal techniques for limiting the damage resulting from "Known Vulnerabilities" exploitation.
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
This presentation talks about OWASP Mobile Risk M2 i.e. Insecure Data Storage. The agenda of the presentation is to understand the Data Storage and effect of insecure data storage. Then it also had demo's of known insecure data storage flaws. Methods to identify this flaw and various precautions that a developer should take to prevent this flaw.
The presentation was done as part of null/OWASP/G4H Monthly Meet
AppSec How-To: Achieving Security in DevOpsCheckmarx
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
How to automate your DevSecOps successfullyManuel Pistner
Service based apps using open source components and containers for continuous deployment in DevOp teams need to react fast and deploy often. With increasing complexity of software systems and the need for agility and flexibility the demand for security increases. These slides show an approach for DevSecOp automation and present the results of a survey about the current status of security automation in software development companies.
If you want to see the resulting concept which was developed during the study, please contact me on linked in.
Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing.
It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn'tSonatype
A thought-provoking look at heartbleed, which without leaving a trace, enables adversaries to steal usernames and passwords, instant messages, emails, business critical documents and communications. What happened and how can it be prevented?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
This presentation was given by Ryan Berg, Sonatype CSO, at the All Things Open conference in Raleigh, NC.
We all know that Open Source brings speed, innovation, cost savings and more to our development efforts. It also brings risk. Bash, Heartbleed, Struts – anyone? Join this session to hear the latest research on the most risky open source component types – the alien invaders hiding in your software. And learn best practices to manage your risk based on the 11,000 people who shared their experiences in the 4 year industry-wide study on open source development and application security. Among the surprising results…
- 1-in-3 organizations had or suspected an open source breach in the last 12 months
- Only 16% of participants must prove they are not using components with known vulnerabilities
- 64% don’t track changes in open source vulnerability data
Cyber security webinar 6 - How to build systems that resist attacks?F-Secure Corporation
Building secure software starts from the very beginning of the development process. Trying to fix security at the end of the development cycle is much harder. And even if it is impossible to build systems that would be totally secure from every breach attempt and that have no flaws, you can build systems that cyber attackers will find extremely hard to breach. Find out more how to build secure systems from the webinar recording in the following link and the presentation slides.
https://business.f-secure.com/how-to-build-systems-that-resist-attacks/
CSS LESSON Application software or App is a program or group of programs designed for end-users. This contrasts with system software, which is mainly involved with running the computer. Some examples of these applications are spreadsheet, word processor, web browser, accounting application, email client, media player, file viewer, simulators, console game, a photo editor. Applications may be classified as proprietary, open-source, or projects and may be bundled with the computer and its system software or published separately. Apps built for mobile platforms are called mobile apps.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The installation file will then be saved to your computer in .exe (pronounced dot e-x-e) format, this is the standard extension for installation files on Windows computers.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The installation file will then be saved to your computer in .exe (pronounced dot e-x-e) format, this is the standard extension for installation files on Windows computers.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The installation file will then be saved to your computer in .exe (pronounced dot e-x-e) format, this is the standard extension for installation files on Windows computers.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The installation file will then be saved to your computer in .exe (pronounced dot e-x-e) format, this is the standard extension for installation files on Windows computers.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The installation file will then be saved to your computer in .exe (pronounced dot e-x-e) format, this is the standard extension for installation files on Windows computers.
Nowadays, the most common way to get new software is to download it from the Internet like Microsoft Office and Adobe Photoshop. You can also install free software like Google Chrome web browser by visiting download sites and clicking the Download button. The
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
In this webinar, GitLab’s Product Manager, Victor Wu, dives into how GitLab helps you ship secure code, the tools they use, and a few industry best practices they follow to protect data and secrets. Then, GitLab Security Lead, Brian Neel, will explain how they leverage their community using HackerOne to spot and prioritize security issues quickly.
How temenos manages open source use, the easy way combinedWhiteSource
The extensive use of open source in commercial software requires engineering executives to set processes and measures that will enable their organization and their customers to make the most of what open source can offer without assuming the accompanying risks.
See how Temenos manages their open source components.
Squashing bugs: Introduction to Bug Bounties ISSA Dehradun ChapterAvi Sharma
Introduction to Bug Bounties
How to find bugs hands-on
How to use popular bug bounty programs
Case evaluation: Facebook page takeover bug
Conclusions and surprises
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docxeugeniadean34240
1RUNNING HEAD: MANAGING HOST BASED SECURITY IN WINDOWS 8.1
Lab Deliverable for Lab 2
a. Procedure to Manage Windows Defender
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Description:
This window configuration project will require the sytem admin permission so as to access the programs and get to know how it is commanded to the action it should peform. Also, to use a virtual box one should have knowledge in how to operate the virtual box and explore the virtual programs
Notes, Warnings and Restrictions:
1. Windows Defender come with windows 8.1 software and are found in the control panel.
2. The application is used only when you login your system as an administarator or have permitted to act as the administrator.
3. For windows defender to run in the system it should be turned on and no other antivirus should be active
4. Scanning the system with windows defender deletes infected files. Also ensure you do the required scanning
5. If a different anti virus has been previously deleted, then windows defender needs to be turned off and to be restarted
Resources (Futher Reading):
Firewalls. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/cc700820.aspx
Microsoft Baseline Security Analyzer. (2011). Retrieved from https://dougvitale.wordpress.com/2011/11/18/microsoft-baseline-security-analyzer/
CloudFlare. (n.d.). Retrieved from https://www.winhelp.us/configure-windows-defender-in-windows-8.html
Procedures:
Windows defender
Window defender protects a computer system against any form of malware by running in the background of the computer system and gives notification if any suspicious item is found in the syatem for the user to take action. It can also be used by a computer to scan the system if the system has issues e.g becomes slow, switches off when not commanded to, hanging among other things. Windows defender should be updated over time so that it is not outdated and also to improve its performance.
Windows defender is found in the control panel icon, steps of opening are
i. Open control panel and select “windows defender”
ii. While you click on windows defender, the following page appears
a) To update the system click on “update”
b) Real time scanning
c) For the full scan results it will appear in the table as shown below
d) For quick results check the button just before you click on scan. Then the results will appear as shown below.
e) To scan removable device, select “setting” and click on advance
Then check the box just before removing any removable drivers and click save
b. Procedure to configure Windows Firewall for Windows 8.1
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Descriptions:
Windows firewall is a protection application that protects against suspicious items, It helps in blocking suspicious programs .
Stephanie Vanroelen - Mobile Anti-Virus apps exposedNoNameCon
Talk by Stephanie Vanroelen at NoNameCon 2019.
https://nonamecon.org
https://cfp.nonamecon.org/nnc2019/talk/ZFJFW8/
This talk is about top anti-virus apps on Mobile. An in depth look on how they work and what they do. Do they add to or break the security of the mobile OS?
This talk is about top anti-virus apps on Android. An in-depth look at how they work and what they do.
The focus will be on the top 5 android apps:
Kaspersky Mobile Antivirus
Avast Mobile Security
Norton Security & Antivirus
Sophos Mobile Security
Security Master
This talk will try to answer the following questions: Do they add to or break the security of the Android sandbox system? What type of information is being shared back to the company (if any)? Are these apps well built?
Finally, I will address the following: Do I recommend any of these apps and if so which one and why?
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Similar to Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities (20)
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
an introduction to Lamp stack and how it is beneficial for students, presented by anant shrivastava on behalf of linux academy http://academylinux.com and you can contact anant @ http://anantshri.info
a simple presentation with introduction on hacking, presented by anant shrivastava on behalf of linux academy at rkdf bhopal http://academylinux.com and contact anant at http://anantshri.info
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
2. ANANT SHRIVASTAVA
Information Security Consultant
Admin - Dev - Security
null + OWASP + G4H
and @anantshri
Trainer / Speaker : Blackhat USA, NullCon, g0s, c0c0n, Clubhack, RootConf
http://anantshri.info
3. WHAT IS A COMPONENT
Any piece of code that is reusable
Paid or OpenSource
Either by same developer or other developers
Its lot more then what you know
11. WHY COMPONENTS
Unix Philosophy : Do one thing and do it well
Code Reuse : "Less Development Overhead"
"Potentially" Combined and Faster evolution
Higher cost to develop from scratch
23. Libraries? : Blackhat USA 2015
MORE
Credits: Jake & Kymberlee : Stranger Danger! What Is The Risk From 3rd Party
Libraries? : Blackhat USA 2015
24.
25. REMEMBER
We rely on 3rd party to
1. patch
2. maintain security
3. accept security issues
4. in short "NOT SCREWUP"
26. WHAT ARE THE CONCERNS
1. Open Source Software
1. Developer has scratched his itch and will not want to work on it
2. Developer doesn't understand security implications and ignore reports
3. Developer is genuinely not in a position to work on project
2. Closed Source Software
1. Company shifted focus
2. Not enough money
28. PATCH PROCESS
1. Someone disclosed a vulnerability
2. 3rd party vendor fixes code
3. A public advisory is released informing about the update and hopefully security
issue
4. Developer has to update the dependencies in actual project (believe me when i
say its not easy task) (backword compatibility, regression, feature support etc)
5. Sysadmin / user has to update the software to receive the update
30. ANDROID OTA PROCESS
1. Google released PDK to Vendor for evaluation
2. Google Announces new version
3. Google send source code to Chipset manufacturer and Vendor
4. Chipset manufactures provides drivers and BSP or stops support
5. Vendor evaluates requirement for device if no driver then no update
6. Vendor updates its own softwares (SENSE, TouchWiz etc)
Cont.
31. ANDROID OTA PROCESS...
1. Vendor works with carrier for modification
2. Final build is submitted for Lab Entry and testing
3. If bug found patch and resubmit.
4. Take approvals from
1. Regulatory
2. Industry
3. Google
5. Prepare OTA for the Device
6. User Downloads OTA and updates the device
36. SYSADMIN / ENDUSER
Monitor your software feeds to ensure you do not miss security updates
never ignore update from shared library
Keep an eye on how shared resources are holding up
37. DEVELOPERS
(SOFTWARE AND 3RD PARTY)
1. Identify and catalogue your components
2. Never ignore pull requests and security issue bug report
3. Proactively test software and at-least if a fix is released publicly accept security
issue
43. IS THIS ENOUGH
1. Not yet
2. We still lack method to track it for every third party library
3. Manual tracking is still required
44. COMPONENT CODE DEVELOPER
1. Be clear about support status
2. If out of support, release and updated version clearly stating support status
3. Clearly accept the security issues and inform about fix
45.
46.
47. PENTESTER
1. Follow steps for Admin to identify all components
2. Cross reference with known disclosures (use dependency trackers)
3. Profit
48. REFERENCES
1. BlackHat 2015 : Stranger Danger! What Is The Risk From 3rd Party Libraries? :
DO CHECK VTEM
2. The Unfortunate Reality of Insecure Libraries: Jeff Williams,Arshan Dabirsiaghi :
March 2012
3.
4.
https://www.gov.uk/service-manual/making-software/dependency-
management.html
http://swreflections.blogspot.in/2013/10/dont-let-somebody-elses-technical-
debt.html