Standardizing Application Security Inspection and Verification
Application Security Verification Standard Project
speaker: Riotaro OKADA (@okdt) at OWASP Night 18th (2015/7/29), Tokyo, Japan
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
TECH TALK 2021/08/31 Qlik Sense Extension Development, Part 2 - Introducing a Programmable General-Purpose Extension (QlikPresalesJapan)
The feature called Extension makes it possible to extend the visualization capabilities of Qlik Sense using standard web technologies. With extensions, developers can build plug-ins that combine the power of the Qlik Sense API with web technologies.
In this seminar, we revisit the extension development procedure and present, with a demo, an implementation example of a general-purpose extension in which HTML data and JavaScript code can be freely programmed.
The Amazing Toolman - Mastering the tools and propose a hackable "Swiss Army ...SYUE-SIANG SU
Web technology has evolved from being a collection of simple, static pages to fully dynamic applications, and applications are getting more complex than they used to be. Besides, most big firms, such as Google, Facebook, etc., are still suffering from lots of attacks regarding web technology. Therefore, web security has increased in importance in this age.
Imagine being a well-trained expert in web security: there is still a lot of dirty work that has to be done manually when you are penetrating a website, such as finding potential entry points or probing possible attack vectors. Thus, an experienced expert will take advantage of some handy tools in order to deal with this work.
Many tools are out there; however, many are actually doing the same thing, or are even just a clone of another project with a little modification. Hence, we have to wisely choose the best tools among them. In addition, we have no way of using these tools comfortably at once. We often have to open these tools everywhere, in every corner, and toggle them respectively.
In this slide, I will introduce some handy tools, and then propose a hackable "Swiss Army Knife" security framework for the 21st century. This framework can be used in conjunction with existing tools like Burp, Docker, etc., and also plenty of web extensions you often use on Chrome and Firefox. In addition, we can control and manage the WebExtension APIs as well, and therefore we can catch the snitch inside web extensions more easily.
Vuls × Deep Security
1. Vuls × Deep Security
Try to clear up high urgency vulnerability
Kazuki Nagasawa
09/26/2016
@Future Architect Inc.
2. Who am I ?
Kazuki Nagasawa
• Network and server engineer at Future Architect, Inc.
Infrastructure engineer at Future Architect (in practice more of a sales engineer / IT consultant)
• Twitter : @kray0630
• github : kn0630
3. Vuls × Deep Security
Try to clear up high urgency vulnerability
I tried to find out quickly which high-urgency vulnerabilities still remain even under Deep Security protection.
4. With Vuls
What Vuls can do
Vuls scans for vulnerabilities in the OS (Linux, FreeBSD), in middleware and in other software.
① Scan: vulnerability management before being attacked. Countermeasures can be taken based on the scan results.
② Output: the list of vulnerabilities scanned.
5. With Deep Security
What Deep Security can do
Deep Security covers vulnerabilities in the OS (Linux, FreeBSD), in middleware and in other software.
Attack → Block: vulnerability management when attacked. Based on pre-configured settings, attacks are blocked automatically at the time of the attack.
Output: the list of vulnerabilities to block.
6. With Vuls and Deep Security
Combining Vuls and Deep Security...
Both cover vulnerabilities in the OS (Linux, FreeBSD), in middleware and in other software, but we have to check which scanned vulnerabilities are not blocked.
Whether every vulnerability in the Vuls scan results needs urgent countermeasures must be confirmed.
Attack → Block: the list of vulnerabilities to block (Deep Security) versus the list of vulnerabilities scanned (Vuls). Same?
7. With Vuls and Deep Security
Combining Vuls and Deep Security...
Both cover vulnerabilities in the OS (Linux, FreeBSD), in middleware and in other software, but we have to check which scanned vulnerabilities are not blocked.
Whether every vulnerability in the Vuls scan results needs urgent countermeasures must be confirmed.
Attack → Block: the list of vulnerabilities to block versus the list of vulnerabilities scanned. Same? Let's check easily!!
Let's check it quickly!
8. How to do
So, what did I actually do?
① Get the list of vulnerabilities scanned: obtain the Vuls scan result, a list (JSON format) of the vulnerabilities found in the OS (Linux, FreeBSD), middleware and other software.
② Get the list of all targets to block with the API: obtain the list of vulnerabilities Deep Security can protect against via its API, using the Python SDK for Deep Security APIs.
※ Python SDK for Deep Security APIs
https://github.com/deep-security/deep-security-py
③ Compare the two lists and output the result.
9. Output
The output looks like this:
① The list of vulnerabilities scanned by Vuls
② The number and severity of the vulnerabilities, among the Vuls scan results, that are blocked by Deep Security
③ The number and severity of the vulnerabilities, among the Vuls scan results, that are not blocked by Deep Security
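Steps ① to ③ of slide 8 and the three-part output of slide 9, as an added Python example (not the code from the kn0630/vulssimulator_ds repository): the Vuls JSON shape is simplified and constructed, the CVE ids are placeholders, and the Deep Security protected-CVE set stands in for what step ② would fetch through the SDK.

```python
import json
from collections import Counter

# Step 1 input: constructed, simplified Vuls scan result (real Vuls JSON is
# richer). Each entry carries a placeholder CVE id and a CVSS base score.
VULS_SCAN_JSON = json.dumps({
    "ServerName": "web01",
    "ScannedCves": [
        {"CveID": "CVE-0000-1001", "Score": 9.8},
        {"CveID": "CVE-0000-1002", "Score": 7.5},
        {"CveID": "CVE-0000-1003", "Score": 5.3},
        {"CveID": "CVE-0000-1004", "Score": 4.0},
    ],
})

# Step 2 input: constructed stand-in for the set of CVE ids that Deep Security
# rules cover; in the deck this list is pulled through the Deep Security API.
DS_PROTECTED_CVES = {"CVE-0000-1002", "CVE-0000-1004"}


def severity(score):
    """Bucket a CVSS base score into the severity label used in the output."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def compare(vuls_json, protected_cves):
    """Step 3: split scanned CVEs into blocked / not blocked and tally severity,
    so the unprotected high-severity ones (the urgent work) stand out."""
    scanned = json.loads(vuls_json)["ScannedCves"]
    blocked, unblocked = [], []
    for cve in scanned:
        (blocked if cve["CveID"] in protected_cves else unblocked).append(cve)
    return {
        "scanned": [c["CveID"] for c in scanned],                       # output ①
        "blocked": dict(Counter(severity(c["Score"]) for c in blocked)),  # output ②
        "unblocked": dict(Counter(severity(c["Score"]) for c in unblocked)),  # output ③
        "urgent": sorted(c["CveID"] for c in unblocked if c["Score"] >= 7.0),
    }


if __name__ == "__main__":
    print(json.dumps(compare(VULS_SCAN_JSON, DS_PROTECTED_CVES), indent=2))
```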
10. Summary
① With the Deep Security API and Vuls, we can check high-urgency vulnerabilities: from what the Deep Security API returns and what Vuls outputs, we can see which high-urgency vulnerabilities remain in the target environment.
② Vuls can probably cooperate with other products in the same way: combining Vuls with other security products should work with the same kind of integration.
③ Deep Security APIs are surely convenient: the Deep Security API is really handy.
※ It looks like a lot more is possible; I would like to try things such as taking the current policy settings into account as well.
11. Thank you all for listening! :)
Source code is available on GitHub
https://github.com/kn0630/vulssimulator_ds
※ It refers to "deep-security/amazon-inspector"
https://github.com/deep-security/amazon-inspector