Authentication is evolving. Customers are expecting much more from the user management experience in applications they are using today. Join us virtually for our upcoming "User Management - the next-gen of Authentication" meetup to learn about the secrets of building user management the right way, the secure way.
Securing and automating your application infrastructure meetup 23112021 blior mazor
Stay safe, grab your favorite food and join us virtually for our upcoming "Securing and Automating your application infrastructure" meetup to hear about the vast changes in modern application deployment, application security in containers, ways to find vulnerabilities in your code, and how to protect your application infrastructure.
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration... (centralohioissa)
Collaboration often drives how we work, especially when our workforce is mobile, working off premises and serving clients in the field. Our employees adopt cloud solutions to communicate, exchange ideas and files, and collaborate without our knowledge; this approach keeps security officers sleepless not only in Seattle but also in Columbus.
This presentation is an overview of Office 365 functionality and of its security and compliance (reporting) capabilities for managing information privacy, security and compliance risks, with related documentation. Office 365 email security and management, the SharePoint collaboration platform and Azure Active Directory reporting will be reviewed. This is a business/technical (not in-depth technical) presentation to help a business and technical audience understand the security and functionality of the Office 365 solution when considering cloud solution adoption.
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework (centralohioissa)
From this presentation you will learn:
· A brief history of encryption
· How encryption is now deployed in the enterprise
· Encryption and key management best practices to keep data safe
Securing The Reality of Multiple Cloud Apps: Pandora's Story (CloudLock)
Doug Meier, Director of Security and Compliance at Pandora, shares how Pandora defines and handles "shadow IT" and assesses and onboards vendors, all while keeping pace with the company's must-do business in the cloud. He covers hot topics such as single sign-on, identity management, and Active Directory integration.
Read how Synoptek has proven to be an excellent partner for the companies looking to minimize security risk levels and has helped them take preventive and protective measures.
(SACON) Jim Hietala - Zero Trust Architecture: From Hype to Reality (Priyanka Aash)
Zero Trust Architecture rethinks strategies for securing corporate assets. ZTA may allow us to create more enduring security architectures, with less entropy than today's security architectures. However, the lack of enabling standards is causing confusion about what ZTA is, and vendor hype isn't helping either. This session will describe the current state of ZTA and the standards initiatives that may help bring clarity and reduce barriers to adoption.
In an ever-changing technology landscape, SD-WAN has emerged as a leading technology to drive IT efficiency. Innovation, market convergence, and a noisy product landscape have made the marketplace more complex than it needs to be. Learn why a managed approach makes things easier and is considered a best practice by many.
With all the hype around Cloud and SDN, business decision makers are finding themselves trying to navigate through many new concepts and consequently needing to change the way they have traditionally selected their IT infrastructure. Technologies are now becoming more integrated and it is more important than ever to help your business be agile enough to keep up with the demands of your users and your customers. Come hear from Lisa Guess to learn how organizations can embrace Cloud technologies such as automation, SDN and Orchestration platforms to help you build next-generation networks.
As public and private cloud adoption skyrockets, the number of attacks against cloud infrastructure is also increasing dramatically. Now more than ever, it is crucial to secure your cloud assets and data against advanced threats.
We’ll dig into what it means to be successful in the cloud and what successful organizations do more of (and less of) than their less successful peers. We’ll look across technologies adopted, organizational and operational practices, and vendors embraced.
Recorded webinar: https://youtu.be/Og1-xcc7JNs
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage... (centralohioissa)
Global regulations are driving the need for businesses in all sectors to have cybersecurity programs designed to fit the organization's risk profile. At the same time, there is a lack of clarity on how much one should spend on managing these risks, and on the sophistication and number of risk mitigants required to manage them.
Company executives and boards of directors are held personally liable for appropriate oversight and management of these controls, and are looking to their CISOs and CIROs to provide assurance that the controls are in place and operating effectively. Balancing these requirements against those expectations is a delicate exercise. This presentation will look at the regulatory landscape and how it is affecting client, executive, and board-level expectations for cybersecurity risk management. It will also provide some recommendations on how to approach the development of a cybersecurity risk management program.
[Round table] Zeroing in on Zero Trust Architecture (Denise Bailey)
Idea of Zero Trust
Frameworks e.g. NIST framework
Building a Zero Trust Architecture
Building Tech stack for transition to Zero Trust Architecture
Building Tech stack for directly implementing Zero Trust Architecture
(SACON) Sameer Anja - Privacy in Technology: Kickstart of the Hackathon (Priyanka Aash)
Just as with security, building privacy in at the design stage ensures privacy gets baked into the specific application, process or initiative. There is a formal Privacy by Design (PbD) framework available, and it has been incorporated into several laws and regulations as well. Actually implementing PbD in specific applications requires translating this framework and its principles into specific, detailed, step-by-step guidelines and standards. This Hackathon endeavours to do exactly that.
Ruben Melendez - Economically Justifying IT Security Initiatives (centralohioissa)
IT security initiatives create strategic and operational value for all enterprises; however, many IT professionals do not know how to economically quantify and forecast the benefits of IT security. Additionally, the new digital business ecosystem is resulting in rapid business cycles, which require faster speed and agility in all IT areas and IT services. This new ecosystem, largely driven by the Internet of Things, mobility and the cloud, creates a challenge for selecting and prioritizing IT security tools and projects. This session will present an overview of principles, models, trends and best practices that have been adopted by individuals and organizations to get the right IT security initiatives approved.
Bil Harmer - Myths of Cloud Security Debunked! (centralohioissa)
Despite the meteoric rise of cloud-based applications and services, and their subsequent adoption by a significant number of enterprises, security still remains a major concern for many organizations. The elephant in the room is the misconception that the cloud is less secure than on-premise capabilities. Gartner eloquently describes this as "more of a trust issue than based on any reasonable analysis of actual security capabilities".
A recent global study by BT revealed that 76% of large organizations cited security as their main concern about using cloud-based services, and 49% admitted being "very" or "extremely anxious" about the security complications of these services. However, according to Gartner, the reality is that "most breaches continue to involve on-premises data center environments".
Where do you stand on this issue?
In this talk, we will debunk the top myths of cloud security, including:
Myth 1: We don’t really use the cloud
Myth 2: I lose control of my data when it goes to the cloud
Myth 3: Cloud is less secure than on-premise solutions
Myth 4: I’m at the mercy of cloud vendors for patching
Myth 5: Appliances provide greater control over scalability/performance
Myth 6: Cloud security is more difficult to manage
Myth 7: Cloud resources are more exposed to attack
Myth 8: Multi-Tenant Clouds Expose Privacy Concerns
Myth 9: Cloud vendors lack transparency
Myth 10: Appliances are more reliable than the cloud
Micro segmentation and zero trust for security and compliance - Guardicore an... (YouAttestSlideshare)
Micro Segmentation for Zero trust security and compliance
1) What is Zero Trust?
2) How does zero trust relate to compliance?
3) Guardicore and Micro Segmentation
4) YouAttest and Compliance
5) Short Demo and Q&A session
How Zero Trust Changes Identity & Access (Ivan Dwyer)
Presentation given at the BeyondCorp SF Meetup organized by ScaleFT on Mar 9th 2017.
Learn more about BeyondCorp at: www.beyondcorp.com.
Learn more about ScaleFT at: www.scaleft.com
The cloud offers simplified application development and delivery by providing infrastructure, platform and software services that are ready to use immediately. However, the major inhibitor for businesses has been concerns around security. IBM has simplified the typical method for approaching this problem. Whether you’re looking to employ infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or software-as-a-service (SaaS), use the framework below when designing your solution. Each platform comes with certain built-in security qualities and lets you use add-ons on top of the platform to secure each workload.
This deck gives you an overview of the zero trust security posture, the considerations you should have when looking to adopt that posture, and the advantages of doing so.
Zero Trust: the idea that all access to corporate resources should be restricted until the user has proven their identity and access permissions, and the device has passed a security profile check. A core concept for Okta.
#MFSummit2016 Secure: How Security and Identity Analytics can Drive Adaptive ... (Micro Focus)
'Data violators' have outpaced data defenders, but security and identity analytics can level the playing field. Learn how the identity, access and security disciplines can benefit from:
Risk-based authentication
Data exfiltration identification
Malicious insider activity disruption
Adaptive access certification
Presenter: Adam Evans, Solutions Consulting
#MFSummit2016 Secure: Introduction to identity, access and security (Micro Focus)
Understanding and managing identity underpins effective information security: it enables control of internal and external threats. Our solutions can help you understand and better manage these threats. Find out how. Presenter: Dave Mount, UK Solutions Consulting Director
The 1st Step to Zero Trust: Asset Management for Cybersecurity (nathan-axonius)
Eight years after former Forrester analyst John Kindervag introduced the Zero Trust model, the concept has hit the mainstream. As current Forrester analyst Chase Cunningham says, 85% of his calls involve zero trust. With the amount of interest in the concept, many organizations are rushing to understand how to implement the zero-trust model. In this guide, we’ll look at the first step to implementing zero trust: asset management.
The Security Policy Management Maturity Model: How to Move Up the Curve (AlgoSec)
Rising network complexity and increased demands for business agility are rapidly hindering the traditional approach to managing security policies. The security policy management maturity model can help you better understand your current network environment and provide you with a roadmap for improving both your security and your agility. Learn:
- The four stages of the maturity model
- How to compare your environment to the different stages
- Tips for orchestrating security policy management
- Real-life examples of benefits achieved by "moving up the curve"
Understand the concepts of the NIST Zero Trust Architecture (ZTA). We will use a parenting analogy and show how it applies to protecting files as an enterprise resources.
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry-accepted "best practices"
IT infrastructure is changing and needs controls for mobile, cloud, and big data
Guardium is the leader in database and big data security
Heterogeneous support is a great asset to leverage across the infrastructure to reduce risk
Supports separation of duties
Integration with other security products
No additional training for multiple products
Safeguard digital assets with leading Data Loss Prevention tools. Discover features & reviews, and choose the best data loss prevention software for robust cybersecurity.
Security and Compliance with SharePoint and Office 365 (Richard Harbridge)
Whether you're new to security and compliance in Office 365 or a seasoned veteran, we'll have something for you in this session. Hear about Microsoft's overall security story from Microsoft MVP Richard Harbridge, better understand how it relates to SharePoint services, catch up on new developments over the past year, and learn about the new capabilities Microsoft provides. From advanced security management and threat intelligence to sensitive content encryption, governance and sharing, there is plenty to discuss.
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie... (Wendy Knox Everette)
ShmooCon 2020
You’ve just been tasked with creating a vendor review management process at your company, but what does that even mean, and how are you going to do this? Do you need to buy a lot of expensive GRC software and hire an army of compliance staffers? This talk will explain what a vendor review process is and walk through setting one up at your company, using nothing more complicated than email, text files, and maybe some Slack and Google Forms.
BSides Seattle 2024 - Stopping Ethan Hunt From Taking Your Data.pptx (fenichawla)
Data security is rapidly gaining importance as the volume of data companies collect, analyze and monetize grows exponentially. New data processing tools and platforms are emerging at an increasing rate, as are the ways in which an organization consumes data. In this presentation Mukund Sarma and Feni Chawla talk about the unique technical and cultural challenges of running a data security program and share some practical solutions that have worked well at our company.
These slides were presented at the BSides Seattle 2024 conference.
Security Architecture Best Practices for SaaS Applications (Techcello)
Gartner has predicted 18-20% growth in SaaS market, and expects it to hit US $22.1 billion by the year 2015. They have also measured that SaaS adoption rate has increased many fold in the last few years (almost 71% of enterprises use SaaS solutions).
Your database holds your company's most sensitive and important asset: your data. All those customers' personal details, credit card numbers and social security numbers cannot be left vulnerable to any breach, whether from outside or inside.
Not Just a Necessary Evil, It's Good for Business: Implementing PCI DSS Contr... (DataWorks Summit)
For firms in the financial industry, especially regulated organizations such as credit card processors and banks, PCI DSS compliance has become a business and operational necessity. Although the blueprint of a PCI-compliant architecture varies from organization to organization, a mixture of modern Hadoop-based data lakes and legacy systems is a common theme.
In this talk, we will discuss recent updates to PCI DSS and how significant portions of the PCI DSS compliance controls can be achieved using the open source Hadoop security stack and technologies for the Hadoop ecosystem. We will provide a broad overview of implementing key aspects of the PCI DSS standard at Worldpay, such as encryption management, data protection with anonymization, separation of duties, and deployment considerations for securing Hadoop clusters at the network layer, from a practitioner's perspective. The talk will provide patterns and practices that map current Hadoop security capabilities to the security controls a PCI-compliant environment requires.
Speaker
David Walker, Enterprise Data Platform Programme Director, Worldpay
Srikanth Venkat, Senior Director Product Management, Hortonworks
Data Works Berlin 2018 - Worldpay - PCI Compliance (David Walker)
A presentation from the Data Works conference in 2018 that looks at how Worldpay, a major payments provider, deployed a secure Hadoop cluster in order to meet business requirements and in the process became one of the few fully certified PCI-compliant clusters in the world.
Making the Case for Stronger Endpoint Data Visibility (dianadvo)
As security practitioners, we often get caught up worrying about protecting against the latest threat or patching the latest zero-day; however, we should spend at least an equal amount of time understanding the data risks of our users and how to offer both better visibility into endpoint data usage and guidance on good data protection practices.
There are a number of different products and vendors that touch on these aspects, but there is no one-stop shop for data protection, and likely never will be. DLP, or Data Loss Prevention, can look at known content types for matches and take protective actions. However, most DLP deployments never moved beyond monitoring due to over-blocking or false-positive concerns. Endpoint employee monitoring can capture good forensic information, even screenshots, to recreate evidence of inappropriate data usage or other significant events, though these technologies are often cumbersome, hard to realize value from, and raise serious privacy and ethical concerns. EDR, or Endpoint Detection and Response, is very threat-focused, with a severe limit on data visibility, and often does little more than capture a checksum of a file, with no content inspection or awareness. UEBA, or User and Entity Behavior Analytics, can often be deployed in conjunction with SIEM or log management capabilities to get a better contextual view of your organization; however, you must first have some semblance of "normal", a baseline, before you can uncover the abnormal.
Organizations should begin building the case for stronger endpoint data visibility. This improved data visibility must be easy to use, fast to provide actionable answers, not impede other endpoint security capabilities, and most importantly provide the financial impact of endpoint data and the decisions that users make with that data.
Protecting endpoints from targeted attacks - by AppSense
In this AppSense webinar, guest speaker Chris Sherman, Forrester Research analyst, shared five principles for an effective endpoint security strategy. Anti-virus software isn't enough anymore.
Dan O'Farrell, Sr. Director of Product Marketing for Cloud Computing at Dell, shared how highly-regulated industries have embraced VDI to increase security and reduce costs.
And Bassam Khan discussed how AppSense offers privilege management with just-in-time self-elevation and application control through trusted ownership. This allows you to manage and secure your endpoints while providing a great user experience. And our latest product, AppSense Insight, offers endpoint analytics. Contact us to request a demo at iwanttoknowmore@appsense.com.
Webinar - Compliance with the Microsoft Cloud - 2017-04-19 - by TechSoup
Everyone throws around the word compliance but how do you actually achieve that? In this free, 60-minute webinar Sam Chenkin from Tech Impact discusses achievable goals for the nonprofit community to keep their data safe with the Microsoft Cloud. We explore account security like two-factor authentication, data security like encryption, and how to make sure only compliant devices can access your data.
Migrating Critical Applications to the Cloud - isaca seattle - sanitized - by UnifyCloud
The magnitude of the migration effort to the Cloud, the complexity of both customized apps and Cloud environments, and the requirement for ongoing app-level monitoring suggests the need for what Gartner calls a “programmable security infrastructure capable of supporting security policy ‘toolchains’.”
Stay safe, grab a drink and join us virtually for our upcoming "GenAI Risks & Security" Meetup to hear about how to uncover critical GenAI risks and vulnerabilities, AI security considerations in every company, and how a CISO should navigate through GenAI risks.
The Power of Malware Analysis and Development.pdf - by lior mazor
Malware is a persistent threat in today's digital landscape, evolving continuously to evade detection and wreak havoc on systems. In this presentation, we delve into the intricacies of Malware Analysis and Development, exploring its fundamental concepts and real-world applications.
What you will learn in the workshop:
1. What is Malware Analysis:
We begin by demystifying Malware Analysis, a crucial process for understanding the behavior, functionality, and impact of malicious software. From static analysis to dynamic analysis techniques, we uncover the tools and methodologies used to dissect and analyze malware samples effectively.
2. What is Malware Development:
Next, we shift focus to Malware Development, shedding light on the techniques and tactics employed by threat actors to create sophisticated malware. By understanding the inner workings of malware creation, we gain insights into how to combat these threats effectively.
3. The Malware Development Life Cycle:
We explore the Malware Development Life Cycle, from initial reconnaissance and planning to deployment and post-exploitation activities. By mapping out this cycle, we gain a holistic view of how malware is conceived, developed, and utilized in cyber attacks.
4. Why it's important for Red Teamers and Blue Teamers:
We emphasize the importance of Malware Analysis and Development for both Red Teamers and Blue Teamers. For Red Teamers, it provides invaluable insights into crafting realistic attack scenarios and testing defenses. For Blue Teamers, it equips them with the knowledge to detect, analyze, and mitigate malware threats effectively.
5. Practical Malware Reverse Engineering and Development Examples:
Finally, we dive into practical examples of malware reverse engineering and development. Through hands-on demonstrations and case studies, we showcase the process of dissecting malware, understanding its functionality, and even developing defensive measures to thwart future attacks.
Join us virtually for our upcoming "Malware Development" workshop to explore the world of Malware Analysis and Development, where we unravel the complexities of malware and empower defenders with the tools and knowledge to combat cyber threats effectively.
The CISO Problems Risk Compliance Management in a Software Development 030420... - by lior mazor
Join us virtually for our upcoming meetup to learn:
- Why adopt a fresh approach and redefine how you view critical risks within your software supply chain?
- How can we deal with the paradox of enhancing protection for expanding attack surfaces and the dynamic nature of threat actors, especially in the world of the Generative Code AI amidst budget constraints?
Reveal the Security Risks in the software Development Lifecycle Meetup 060320... - by lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "Reveal the Security Risks in the Software Development Lifecycle" Meetup to learn how to find application security threats, issues in software development life cycle, build mature application security incident response processes and implement application security posture management.
Agenda:
17:00 - 17:05 - 'Opening words' - by Gary Berman (Cyber Heroes Network)
17:05 - 17:35 - 'Why securing the SDLC fails at scale' - by Liav Caspi (Co-Founder & CTO at Legit Security)
17:35 - 18:05 - 'The Real AppSec Issues' - by Josh Grossman (CTO at BounceSecurity)
18:05 - 18:35 - 'Application security and IR process' - by Vitaly Davidoff (Application Security Lead at JFrog)
18:35 - 19:00 - 'The ASPM way - a new approach' - by Liav Caspi (Co-Founder & CTO at Legit Security)
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx - by lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - A Road to Post Exploitation" meetup to learn how hackers can compromise the software supply chain, advanced data protection methods on WebLogic Server and how to use AI in order to protect your software.
Agenda:
17:00 - 17:10 - 'Opening words' - by Gidi Farkash (CISO at Pipl Security)
17:10 - 17:40 - 'Tracking Attackers in Open Source Supply Chain - Lessons Learned' - by Jossef Harush Kadouri (Head of Software Supply Chain Security at Checkmarx)
17:40 - 18:20 - 'WebLogic - The Road to Post Exploitation' - by Amit German (Cyber Security Researcher at Pentera)
18:20 - 19:00 - 'AI In The Hands of Application Security' - by Brit Glazer (Head of Information Security at Unit)
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx - by lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure coding analysis, and how to manage software security risks.
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx - by lior mazor
Nowadays data-driven products in the cloud are delivered faster, and IT resources become more responsive and productive, with lower costs and higher performance for data operations. This also brings cyber security risks around accessing sensitive data and meeting regulatory compliance requirements.
Join us virtually for our upcoming "Why 2024 will become the Year of SaaS Security" Meetup to learn how to resolve SaaS security posture management with AI tools and how to secure your cloud attack surface.
Agenda:
17:00 - 17:10 - 'Opening Words' - by Gidi Farkash (Pipl Security)
17:10 - 17:50 - 'How to Resolve SaaS Security Posture Management with GEN AI' - by Ofer Klein (Reco)
17:50 - 18:20 - 'Foundation of Cloud Monitoring' - by Moshe Ferber (Cloud Security Alliance Israel)
18:20 - 19:00 - 'AI in the Hands of the Cyber Protectors' - by Tal Shapira, P.h.D (Reco)
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf - by lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "Vulnerability Alert Fatigue and Malicious Code Attacks" meetup to hear about how to cover known and unknown risks in your OSS, a supply chain security maturity model, known vulnerabilities in IAM, and ways to incorporate security into the package update process.
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx - by lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "The Hacking Game - Think Like a Hacker" meetup to learn how hackers can compromise applications, advanced data protection methods and how to focus on fixing your most critical vulnerabilities.
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx - by lior mazor
Stay safe, grab a drink and join us virtually for our upcoming "Sailing Through The Storm of Kubernetes CVEs" meetup to hear about ways to incorporate security into your software development process and how vulnerabilities make their way into your infrastructure via public images and the CVEs you should focus on fixing.
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx - by lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be safe and secure. Join us virtually for our upcoming "Emphasizing Value of Prioritizing AppSec" Meetup to learn how to build a cost-effective application security program, implement secure coding analysis, and manage software security risks.
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx - by lior mazor
Our data and infrastructure have shifted to the cloud, and we rely more and more on our DevOps engineers and cloud providers to keep us safe and secure. Join us virtually for our upcoming "The Hacking Games - Cloud Vulnerabilities" Meetup to learn how hackers can compromise cloud infrastructure, advanced data protection methods, and how to survive a ransomware attack in the cloud.
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119 - by lior mazor
Nowadays data-driven products in the cloud are delivered faster, and IT resources become more responsive and productive, with lower costs and higher performance for data operations. This also brings cyber security risks around accessing sensitive data and meeting regulatory compliance requirements.
The Hacking Games - Operation System Vulnerabilities Meetup 29112022 - by lior mazor
Our technology, work processes, and activities all depend on operating systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hackers can compromise an operating system, bypass the antivirus protection layer, and exploit Linux eBPF.
Open source vulnerabilities are in many applications. While finding them is critical, even more critical is remediating them as fast as possible.
Securing your software supply chain is absolutely critical, as attackers are getting more sophisticated in their ability to infect software at all stages of the development lifecycle, as seen with Log4j and SolarWinds.
Hear from industry experts at our upcoming Meetup to learn more about 3rd party vulnerabilities, threat research on real data, Red Teaming of your software supply chain, and CVE identification and contextual analysis.
Application security meetup k8_s security with zero trust_29072021 - by lior mazor
The "K8S security with Zero Trust" Meetup is about K8s posture Management and runtime protection, ways to secure your software supply chain, Managing Attack Surface reduction, and How to secure K8s with Zero-Trust.
Application security meetup - cloud security best practices 24062021 - by lior mazor
The "Cloud Security Best Practices" meetup is about Secrets Management in the Cloud, Secure Cloud Architecture, Events Tracking in Microservices, and How to Manage Secrets in K8S.
Application security meetup data privacy_27052021 - by lior mazor
At the "Application Security Meetup - Data Privacy", hear about Data Protection and Privacy in modern times, recent cyber fraud attacks and data theft, and practical methods of implementing data protection in the development life cycle.
Join us virtually from your WFH office for our upcoming "Application Security Meetup", to hear about the latest cyber security breaches in the National Election process, how to protect credit cards in containers, and advanced security tools and methods in an ongoing application development process.
Agenda:
17:00 - 17:10 - Opening words - by Lior Mazor (Organizer)
17:10 - 17:40 - 'PCI:DSS compliance in Containers' - Omer Donin (GRSee)
17:40 - 18:10 - ‘Owasp's DevSecOps Maturity Model’ - by Hemi Gur-Ary (VATA)
18:10 - 18:40 - 'Conducting Cyber Defense for National Election Process' - by Shahar NEVO (Deloitte IL)
18:40 - 19:10 - ‘How to get the most out of your Pentest’ - by Omer Donin (GRSee)
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... - by DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and Grafana - by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - by James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with Parameters - by Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
PHP Frameworks: I want to break free (IPC Berlin 2024) - by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 - by Tobias Schneck
As AI technology is pushing into IT, I was wondering, as an "infrastructure container kubernetes guy", how does this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it working from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial to or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3 - by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 4 - by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Art of the Pitch: WordPress Relationships and Sales - by Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Neuro-symbolic is not enough, we need neuro-*semantic* - by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this is illustrated with link prediction over knowledge graphs, but the argument is general.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
3. Sagi Rodin
● Developing since I was 15
● Managed R&D in startups
● Developed a high-scale modern application platform @Check Point
● Founder of Frontegg
● Love smoking beef
About Me
20. What’s there to control?
Personal Security Settings
Organizational Security Policy (Passwords, MFA, Account Lockout)
Device Management
Enterprise SSO
Custom Roles and Permissions
API Token Management
Webhooks
Data privacy management
24. Build Abstract Level Roles Enforcement
Enforce permissions not roles
Enforce on frontend, backend and data layer
Don’t assume you know your customers
25. Create an Admin Portal Product Infrastructure
Allow teams to deploy configuration screens
Allow customization of Admin Portal
Allow roles enforcement on Admin Portal
For Dev Team Convenience
26. What did we have so far?
Evolution in Products, Security and the Connection between the two
How this is handled within modern apps
What do we want to expose
The three Rules of building a self-serve ready app
46. What will we cover today?
• Who is OWASP?
• What is OWASP Top 10?
• OWASP Top 10 – Overview and What's New
47. About Me
• >14 yr. in application security
• >9 yr. with Tufin – Lead Security Architect
• www.linkedin.com/in/furmanmichael/
• Blog https://ultimatesecurity.pro/
• Twitter @ultimatesecpro
• I like to travel, read books and listen to music
48. About
● Market Leader in Security Policy Automation
● Tufin is used by >2000 enterprises
  To segment networks and connect applications
  On-prem networks, firewalls, cloud and K8S
● We are the Security Policy Company!
49. Who is OWASP?
• Worldwide not-for-profit organization
• Founded in 2001
• OWASP - Open Web Application Security Project
• Mission is to make software security visible.
50. OWASP Top 10
• Most successful OWASP Project
https://owasp.org/Top10/
• Ten most critical web application security flaws
• De facto application security standard
• Released every 3 - 4 years
• First released in 2004
• Current - 2021
51. OWASP Top 10 - 2021
• A01 Broken Access Control
• A02 Cryptographic Failures
• A03 Injection
• A04 Insecure Design
• A05 Security Misconfiguration
• A06 Vulnerable and Outdated Components
• A07 Identification and Authentication Failures
• A08 Software and Data Integrity Failures
• A09 Security Logging and Monitoring Failures
• A10 Server Side Request Forgery (SSRF)
52. OWASP Top 10 - 2017
• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring
53. What happened to …?
• Broken Access Control
• Cross-Site Scripting (XSS)
• XML External Entities (XXE)
• Insecure Deserialization
54. They are still here
• A03 Injection
• Cross-Site Scripting (XSS)
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
55. And even more …
• A03 Injection
• Cross-Site Scripting (XSS)
• A04 Insecure Design
• A05 Security Misconfiguration
• XML External Entities
• A08 Software and Data Integrity Failures
• Insecure Deserialization
• A10 Server Side Request Forgery (SSRF)
58. A01: Broken Access Control
• Moved up from fifth position
• Elevation of privilege or Privilege Escalation
• Acting as an admin when logged in as a user
• Acting as a user without being logged in
• Viewing or editing someone else's account
• IDOR - Insecure Direct Object References
• Cross-Origin Resource Sharing (CORS) misconfiguration
• Allows API access from unauthorized/untrusted origins
59. A01: Example 1
• Application provides the service:
https://example.com/app/getappInfo
• Attacker browses to target URLs:
https://example.com/app/admin_getappInfo
https://example.com/app/getadminappInfo
60. A01: Example 2
• Unverified parameters to access:
pstmt.setString(1, request.getParameter("account"));
ResultSet results = pstmt.executeQuery();
• Attacker modifies the parameter:
https://example.com/app/accountInfo?account=notmyaccount
61. A01: How to Prevent
• Default behavior: deny access to resources
– Except for public resources
• Implement access control mechanisms
– On the server side
– All requests
• Minimize CORS usage
62. A01: Example 1
• Validate access on each request and prevent access for unauthorized users.
// implementation of getadminappInfo
if (currentUserHasAdminAccess()) {   // hypothetical check against the server-side session, never against client-supplied data
    // return admin app Info
} else {
    // authorization error
}
• Annotation example:
@PreAuthorize("hasAuthority('admin')")   // Spring Security: the method body runs only for callers granted the 'admin' authority
// implementation of getadminappInfo
{
    // return admin app Info
}
63. A01: Example 2
• Verify ownership / access:
String account = request.getParameter("account");
pstmt.setString(1, account);
if (currentUserOwnsAccount(account)) {   // hypothetical ownership check against the authenticated user, done on every request
    ResultSet results = pstmt.executeQuery();
} else {
    // authorization error
}
64. A02: Cryptographic Failures
• Previously known as “A3 Sensitive Data Exposure”
– a broad symptom rather than a root cause
• Sensitive data is transmitted or stored in clear text
• Deprecated or weak cryptographic algorithms in use
• Default crypto keys in use
– proper key management or rotation missing
65. A02: How to Prevent
• Encrypt all sensitive data at rest
• Encrypt all data in transit
• Use TLS 1.2 or above
• Use HTTP Strict Transport Security (HSTS)
• Use up-to-date and strong standard algorithms and protocols
• Use proper key management
66. A03: Injection
• Slid down from first position
• Was the first one since OWASP Top Ten - 2010
• User input is not validated, filtered, or sanitized by the application
• User input is directly used or concatenated
• SQL injection
• OS Command Injection
67. A03: Example
• User input is directly used in the SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
68. A03: How to Prevent
• Do not pass user input directly to executable statements
• Prepared Statements
• Parameterized Queries
• Hibernate
69. A03: Example
• Use PreparedStatement:
String id = request.getParameter("id");
String query = "SELECT * FROM accounts WHERE custID = ?";
PreparedStatement pstmt = connection.prepareStatement(query); // prepare the query, not the input
pstmt.setInt(1, Integer.parseInt(id));                        // bound as a typed parameter
ResultSet results = pstmt.executeQuery();
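The same fix in JavaScript, as an added example (not from the slides): the id is validated against the integer type of the column and then passed to the driver as a separate value next to a fixed SQL text with a placeholder, the shape node-postgres style drivers accept. The concatenating builder reproduces the vulnerable slide for comparison; the driver call in the comment is assumed and no database is needed to run this.

```javascript
// Added example: the A03 fix in JavaScript. buildAccountQuery() validates
// the id and returns the {text, values} pair that drivers such as
// node-postgres accept, so the user value is never parsed as SQL. The
// "unsafe" builder reproduces the concatenation from the vulnerable slide.

function buildUnsafeQuery(rawId) {
  // What the vulnerable slide does: the input becomes part of the SQL text.
  return "SELECT * FROM accounts WHERE custID='" + rawId + "'";
}

function parseCustomerId(rawId) {
  // custID is an integer column: accept only a plain decimal of sane length.
  if (typeof rawId !== 'string' || !/^[0-9]{1,10}$/.test(rawId)) {
    throw new Error('invalid customer id');
  }
  return Number(rawId);
}

function buildAccountQuery(rawId) {
  const id = parseCustomerId(rawId);
  // The placeholder is fixed SQL; the value travels separately to the driver.
  return { text: 'SELECT * FROM accounts WHERE custID = $1', values: [id] };
}

// Usage with an assumed node-postgres style driver:
//   const { rows } = await client.query(buildAccountQuery(req.query.id));
```

Validation and parameterization are layered on purpose: parameterization alone already prevents injection, and the type check additionally rejects junk before a round trip to the database.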
70. A03: Don’t Forget About XSS
• Attackers can execute scripts in a victim’s browser
71. A03: How to Prevent XSS
• Input validation for user input
• Whitelist patterns
• Encode output
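The three XSS controls above, as an added example (not from the slides): an allowlist pattern for input and context-aware output encoding for HTML text/attribute and JavaScript string contexts. The display-name pattern and function names are assumptions for illustration.

```javascript
// Added example: allowlist validation on input plus output encoding per
// context. The name pattern and function names are assumptions.

const DISPLAY_NAME = /^[A-Za-z0-9 _.'-]{1,40}$/;

function validateDisplayName(input) {
  // Allowlist: accept only the characters a display name needs; anything
  // else (angle brackets, quotes, control chars) is rejected, not "cleaned".
  return DISPLAY_NAME.test(input) ? input : null;
}

// Encode for the HTML text and double-quoted attribute contexts.
function encodeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Encode for a JavaScript string context (a value placed inside a quoted
// string in a <script> block): everything but alphanumerics is \uXXXX-escaped.
function encodeJsString(str) {
  return String(str).replace(/[^A-Za-z0-9 ]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).padStart(4, '0');
    return '\\u' + hex;
  });
}

// Render a greeting: validation rejects bad names, encoding still protects
// the page if a value arrived from a store that was trusted too much.
function renderGreeting(name) {
  const safe = validateDisplayName(name) ?? 'guest';
  return `<p title="${encodeHtml(safe)}">Hello, ${encodeHtml(safe)}</p>`;
}
```

Encoding is chosen by where the value lands, not by where it came from; the same string needs `encodeHtml()` in markup and `encodeJsString()` inside a script, and a value that has been validated is still encoded on output.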
72. A04: Insecure Design
• A new category
• Pushing the "shift-left" approach
• A secure design can still have an insecure implementation
• An insecure design cannot be fixed by a perfect implementation
SDL phases: Requirements, Design, Implementation, Verification, Release
73. A04: How to Implement
• Threat modeling
• Threat Modeling Manifesto
https://www.threatmodelingmanifesto.org/
• Secure Development Lifecycle (SDL)
https://ultimatesecurity.pro/post/sdl-meetup/
74. A05: Security Misconfiguration
• Missing security hardening
• Unnecessary features are enabled or installed
• Unnecessary ports
• Services
• Accounts
• Default accounts
• Default passwords
75. A05: How to Prevent
• Apply security hardening
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• Close unnecessary ports
• Disable unnecessary services
• Remove default accounts
• Change default passwords
76. A05: What About XXE?
• Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
77. A05: How to Prevent XXE
• Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet 'XXE Prevention'.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
• For additional details see the presentation:
https://ultimatesecurity.pro/post/xxe-meetup/
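An added example (not from the slides or the linked presentation) of a fail-closed gate that rejects any uploaded XML containing a DOCTYPE or ENTITY declaration before it reaches a parser. It complements the parser-side setting the cheat sheet asks for rather than replacing it; the function names are assumptions. Comments and CDATA sections are skipped so a literal `<!DOCTYPE` inside them does not cause a false rejection.

```javascript
// Added example: pre-parse gate that refuses XML with a DTD. XML keywords
// are case-sensitive, so only the uppercase forms need matching.

function findDoctype(xml) {
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith('<!--', i)) {               // skip a comment
      const end = xml.indexOf('-->', i + 4);
      if (end === -1) return { ok: false, reason: 'unterminated comment' };
      i = end + 3;
    } else if (xml.startsWith('<![CDATA[', i)) {  // skip a CDATA section
      const end = xml.indexOf(']]>', i + 9);
      if (end === -1) return { ok: false, reason: 'unterminated CDATA' };
      i = end + 3;
    } else if (xml.startsWith('<!DOCTYPE', i) || xml.startsWith('<!ENTITY', i)) {
      return { ok: false, reason: 'DTD not allowed', offset: i };
    } else {
      i++;
    }
  }
  return { ok: true };
}

// Gate used by an upload handler: returns the document only if it is DTD-free.
function acceptXmlUpload(body) {
  const verdict = findDoctype(body);
  if (!verdict.ok) throw new Error(`rejected XML: ${verdict.reason}`);
  return body;
}

// Constructed sample: the payload shown on the slide above.
const SAMPLE_XXE = `<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>`;
```

The gate is deliberately blunt: legitimate documents that need a DTD should be handled by a dedicated path with entity expansion disabled, not by loosening this check.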
78. A06: Vulnerable and Outdated Components
• Software is vulnerable, unsupported, or out of date
• Apache Log4j (Log4Shell) Vulnerabilities
79. A06: How to Prevent
• Update software periodically
• Use Software Composition Analysis (SCA) tools
• Free or commercial tools
• OWASP Dependency-Check free tool
https://owasp.org/www-project-dependency-check/
80. A07: Identification and Authentication Failures
• Slid down from the second position
• Previously known as Broken Authentication
• Missing brute force protection
• Missing multi-factor authentication
• Using default, weak, or well-known passwords
• Password1 or "admin/admin"
• Reusing session identifier after successful login
• Exposing session identifier in the URL
81. A07: How to Prevent
• Implement brute force protection
• Implement multi-factor authentication
• Change default credentials
• Implement password complexity
• Rotate Session IDs after successful login
82. A08: Software and Data Integrity Failures
• New category
• Code and infrastructure that do not protect against integrity violations
• SolarWinds 2020 Attack
83. A08: How to Prevent
• Use digital signatures to verify software
• Ensure you consume trusted repositories
84. A08: Remember Insecure Deserialization?
• Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later (deserialization)
• Insecure Deserialization - an attacker changes the object between serialization and deserialization
85. A08: How to Prevent Insecure Deserialization
• Don't accept serialized objects from untrusted sources
86. A09: Security Logging and Monitoring Failures
• Insufficient logging
• Logins
• Failed logins
• High-value transactions
• Logs are only stored locally
87. A09: How to Prevent
• Log important events with sufficient user context
• Username
• Client IP
• Time
88. A10: Server Side Request Forgery (SSRF)
• New category
• A web application fetches a remote resource without validating the user-supplied URL
• Flow from the slide: the client requests http://host/getImage?url=http://10.0.0.1, the server fetches http://10.0.0.1 and returns the response from http://10.0.0.1 to the client
89. A10: Example 1
• Application provides the getImage service:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);           // no validation: any scheme, host or port the client supplies
InputStream is = url.openStream();
OutputStream os = response.getOutputStream();
// copy is to os and return a response
90. A10: SSRF CVEs
• CVE-2021-44224
• High Severity Apache HTTP Server CVE
• CVE-2021-26715
• Critical Severity MITREid OpenID Connect Server CVE
91. A10: How to Prevent
• Sanitize and validate all client-supplied input data
• Validate URL Components
• URL schema, port, and destination
• Do not send raw responses to clients
92. A10: Example 1
• Validate URL Components:
// getImage implementation
String imageUrl = request.getParameter("url");
URL url = new URL(imageUrl);
// validate URL schema, port, and destination before calling url.openStream()
104. What is authentication
"Is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit."
Wikipedia
105. Trying to access a resource? Let me know who you are first!
108. Broken: session management
Exposes session identifier in the URL.
Reuse session identifier after successful login.
Does not correctly invalidate Session IDs.
110. Fixing session management
Use a server-side, secure, built-in session manager
Session identifier should not be in the URL, be securely stored,
Invalidate sessions after logout, idle, and absolute timeouts
116.
const axios = require('axios').default;
const url = 'https://api.attacked-company.com/login';
const commonPasswords = downloadCommonPasswords(); // placeholder from the slide, not defined here
var idx = 0;
(async () => {
  while (true) {
    try {
      const { accessToken } = await axios.post(url, {
        email: 'john@doe.com',
        password: commonPasswords[idx++]
      });
      takeoverAccount(accessToken); // placeholder from the slide, not defined here
    } catch (e) {
      console.log('could not authenticate with that password. Will try with the next one');
    }
  }
})();
Hey, what is that code doing?
118. Fixing automated attacks
Public APIs (login, signup, reset password, etc.)
- reCAPTCHA (v3)
- DDoS protection with IP-based filtering
Authenticated APIs should be rate limited
- Limit or increasingly delay failed login
- Log failures and alerts
- Prepare to block sessions
121. Log everything - What are we looking for?
IP addresses / Forwarded
Origin / Referer
Headers / Cookies
User agents
122. Fixing automated attacks
Failed logins? This is what you should do
- Implement user lockout mechanisms
- Start delaying failed attempts
- be careful not to create a denial of service scenario
Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
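An added example (not from the slides) serving the two "Fixing automated attacks" slides and the A09 "log important events with sufficient user context" slide: failed logins are tracked per account, each failure increases the delay before the next attempt is processed, a run of failures locks the account temporarily, and every decision is logged with username, client IP and time, with the lockout flagged as an alert. The thresholds and names are assumptions. To keep the lockout from being turned into a denial of service against the legitimate user, the counter is keyed by (account, client IP) and lifts on its own.

```javascript
// Added example: login throttling with increasing delay, temporary lockout
// and structured logging. Thresholds and names are assumptions.
const MAX_DELAY_MS = 30000;
const LOCKOUT_AFTER = 10;
const LOCKOUT_MS = 15 * 60 * 1000;

class LoginThrottle {
  constructor(now = () => Date.now()) { this.now = now; this.state = new Map(); this.events = []; }

  key(user, ip) { return `${user.toLowerCase()}|${ip}`; }

  // A09: every event carries who, from where and when.
  log(event, user, ip, extra = {}) {
    this.events.push({ time: new Date(this.now()).toISOString(), event, user, ip, ...extra });
  }

  // Call before checking the password. Returns {allow, delayMs, lockedUntil?}.
  check(user, ip) {
    const s = this.state.get(this.key(user, ip));
    if (!s) return { allow: true, delayMs: 0 };
    if (s.lockedUntil && this.now() < s.lockedUntil) {
      this.log('login_blocked', user, ip, { lockedUntil: new Date(s.lockedUntil).toISOString() });
      return { allow: false, delayMs: 0, lockedUntil: s.lockedUntil };
    }
    // Exponential backoff: 1s, 2s, 4s ... capped, so brute force slows to a crawl.
    const delayMs = Math.min(MAX_DELAY_MS, 1000 * 2 ** (s.failures - 1));
    return { allow: true, delayMs };
  }

  recordFailure(user, ip) {
    const k = this.key(user, ip);
    const s = this.state.get(k) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    this.log('login_failed', user, ip, { failures: s.failures });
    if (s.failures >= LOCKOUT_AFTER) {
      s.lockedUntil = this.now() + LOCKOUT_MS;
      this.log('account_lockout', user, ip, { alert: true });   // page an administrator
    }
    this.state.set(k, s);
    return s;
  }

  recordSuccess(user, ip) {
    this.state.delete(this.key(user, ip));
    this.log('login_success', user, ip);
  }
}
```

The handler sleeps for `delayMs` before verifying the password and calls `recordFailure()` or `recordSuccess()` afterwards; because `events` are structured objects they can be shipped off the host rather than kept only in a local file.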
135. Broken API context
Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.
Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)
139. Fixing broken API context
Pass context from JWT to microservices via Reverse Proxy headers
140. Fixing broken API context
DON'T forget to remove incoming headers before proxying to remove the risk of header tampering
141. Fixing broken API context
Try to avoid query/route params for REST API
If you are using query/route params for REST API:
- Use guards (!)
146. Common issues
Elevation of privilege
- Acting as a user without being logged in
- Acting as an admin when logged in as a user
147. Accessing non-privileged entities
Accessing a private Github repository
Accessing repository of a different team on the same organization
Accessing hidden features
Accessing features out of my subscription plan
148. Elevation of privilege - Common Techniques
Technique 1: Access Token Manipulation.
Technique 2: Non authenticated access
Technique 3: Access Token Manipulation.
Technique 4: Account Manipulation
150. Fixing API authorization
Except for public resources, deny by default.
Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
Unique application business limit requirements should be enforced by domain models.