Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
Introduction to Web Application Penetration TestingRana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
Learn how to discover every web application you own and ascertain their risk levels through the hacker’s lens to gain a better understanding of the overall attack surface and locate the right path for remediation.
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
What? Why? Who? How? Of Application Security Testing TEST Huddle
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.
Open Source has the potential to deliver faster development cycles and better security than traditional proprietary approaches to software. However, turning the potential of Open Source into reality can be difficult. Recent security issues like Heartbleed, Shellshock and the Panama Papers highlighted some of the challenges users of Open Source can face. This talk will explore how we can address them.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
When performing a security testing, I often sit in a room with other QA and Software testers.
During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking
this again? What exactly are you testing?"
Whi l e talking to them I realise there is an information gap between us, especially when they share
information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to a conclusion that people in our industry do not realise that
software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing,
methodologies, and most importantly offers some food for thought to stimulate synergy between security
and software testers
RASP (Runtime Application Self-Protection) is a new concept aiming at revolutionizing application security. This presentation is a envisioned as a guide for early adopters and technology evaluators.
What? Why? Who? How? Of Application Security Testing TEST Huddle
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O'Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.
Slide deck on the security aspects of using Open Source Software. Focused on the Apache HTTP Server project, this deck discusses general topics like what Open Source software is, what the prevailing myths surrounding it are and how the open development process works to ensure the result is secure.
Injecting Security into vulnerable web apps at RuntimeAjin Abraham
Web Application Security is not hard, but it’s easy to get it wrong as writing secure code is not easy as preaching. So to overcome incidents happening from such unforeseen events, organisations tend to rely on Web Application Firewalls or WAFs. Web Application Firewalls have been in the industry for a long time. Every one of them either work outside or around the web applications and act by intercepting the HTTP request coming to the web server, then take a decision to allow or block the request based on traditional signature checks. They are never aware of what is happening inside the application like how the user input is getting interpreted, Is the application/server under heavy load?, Is the attacker exfiltrating data by exploiting an SQLi that WAF couldn’t detect? etc. The strength of traditional WAF depends on manual or predefined rules/signature. As a result, they have the limitation that they will get bypassed if a payload is not present in their signature list. In the occurrence of a zero day, a WAF in most cases won’t be able to prevent an attack as they don’t know the signature of the exploit yet.
In this talk I will share my research outcomes on implementing a runtime application patching algorithm on an insecurely coded application to make it secure against code injection vulnerabilities and other logical issues related to web applications. I will introduce the next generation web application defending technology dubbed as Runtime Application Self Protection (RASP) that works by understanding your application to defend against web attacks by working inside the web application. RASP relies on Runtime Patching to inject security into web apps implicitly without introducing additional code changes. The root cause of all the code injection vulnerabilities is that the language interpreter cannot distinguish between data and code. The proposed solution will detect code context breakout to effectively detect and prevent code injections with the help of runtime hooking and patching at framework api or language api level. The research focuses mainly on detecting and preventing vulnerabilities like SQL Injection, Cross Site Scripting, Remote Command Execution, HTTP Verb Tampering, Header Injection, File Upload Bypass, Path Traversal etc and other application security challenges like Session Hijacking, Credential Stuffing and Layer 7 DDoS etc. This research is carried out by implementing a RASP module to a vulnerable web application written in python using tornado framework with sqlite backend.
This presentation talks about the focus towards building security in the software development life cycle and covers details related to Reconnaissance, Scanning and Attack based test design and execution approach.
Open Source has the potential to deliver faster development cycles and better security than traditional proprietary approaches to software. However, turning the potential of Open Source into reality can be difficult. Recent security issues like Heartbleed, Shellshock and the Panama Papers highlighted some of the challenges users of Open Source can face. This talk will explore how we can address them.
What Good is this Tool? A Guide to Choosing the Right Application Security Te...Kevin Fealey
Abstract:
Choosing the right Application Security Testing (AST) tool can be challenging for any security program, and after rolling it out, discovering the real security value it brings can be downright discouraging. No single tool can solve all of all of your security problems, but unfortunately, that is exactly how many of them are marketed. This is compounded by sales teams who convince executive leadership that security programs should be built around their tools, rather than fitting each tool within a well-planned security program. The primary takeaways from this talk are:
• An understanding the real value of each type of AST tool (SAST, DAST, IAST);
• How to leverage your tools for better security visibility and process efficiency;
• Steps to find the right tool for your security program;
• Keys to finding the best stage of the SDLC to implement each tool type within your security program;
• How to integrate new tools with your existing DevOps or Agile environments and processes
Additional Takeaways:
• Examine the strengths and limitations of SAST, DAST, and IAST tools
• Learn how to choose the right tools for your security program
• Discover how to seamlessly integrate your tools into existing DevOps and Agile environments and processes
• Provide security visibility to developers, managers, and executives by enhancing your existing technology
• Learn to use your tools to improve the efficiency of security tasks that are currently manual
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
What You Need to Know About Web App Security Testing in 2018Ken DeSouza
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
When performing a security testing, I often sit in a room with other QA and Software testers.
During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking
this again? What exactly are you testing?"
Whi l e talking to them I realise there is an information gap between us, especially when they share
information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to a conclusion that people in our industry do not realise that
software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing,
methodologies, and most importantly offers some food for thought to stimulate synergy between security
and software testers
Why test automation is getting more difficult, and what can be done about it. This slides are from a presentation by Group Director, Product Management at TestPlant, Gordon McKeown, which was presented at the Northern Lights conference in Manchester in April 2016.
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers, Integrated Development Environments (IDEs), WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams is often strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented manually.
In today’s presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos to accelerate and simplify their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that will arise while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools. This will provide attendees with practical examples on how to replicate a powerful, integrated Application Security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will also be demonstrated to enable attendees to monitor and ensure the continuing health and performance of their Application Security program.
Practical White Hat Hacker Training - Vulnerability DetectionPRISMA CSI
This presentation part of Prisma CSI's Practical White Hat Hacker Training v1
PRISMA CSI • Cyber Security and Intelligence www.prismacsi.com
This document can be shared or used by quoted and used for commercial purposes, but can not be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
Neev uses a scrum based Agile Development methodology, a proven Extended Delivery Center model of engagement - all designed to ensure high quality, timely deliverables.
Tune in for the Ultimate WAF Torture Test: Bots Attack!Distil Networks
Are WAFs the best approach for defending your website against malicious bots? How can you optimize your WAF for bot detection and mitigation? Watch this webinar and learn practical tips on how to defend your web infrastructure against the OWASP Top 10 as well as brute force attacks, web scraping, unauthorized vulnerability scans, fraud, spam and man-in-the-middle attacks.
World renowned expert and author of Web Application Firewalls: A Practical Approach, John Stauffacher, shares his expertise. He has over 17 years of experience in IT Security and is a certified Network Security and Engineering specialist.
Learn more : http://resources.distilnetworks.com/h/i/95930604-tune-in-for-the-ultimate-waf-torture-test-bots-attack/177622
Chidambaram Vetrivel delivered a session on "Universal Test Automation Framework" at ATAGTR2020
ATAGTR2020 was the 5th Edition of Global Testing Retreat.
Chidambaram has 10+ years of IT experience and has been working as an Automation Expert in designing, strategizing and architecting automation testing solutions.
The video recording of the session is now available on the following link: https://youtu.be/_akHHEgLlVU
To know more about #ATAGTR2020, please visit: https://gtr.agiletestingalliance.org/
In this presentation a brief justification to performance testing will be given following with some terminology and a short demo
links is provided to some recommended solutions trails /freemium
in the comments, the two demo sessions,
TruClient Lite scripting demo
StormRunner Load simple performance test
Quality of software code for a given product shipped effectively translates not only to its functional quality but as well to its non functional aspects say security. Many of the issues in code can be addressed much before they reach SCM.
Todays' IT industry has vastly grown in multiple segments serving many time critical offerings. Need of the hour is continuous nature of requirements with the expectation of continuous delivery. Challenge in Agile methodology is managing 3 stages viz. requirements gathering, development & testing simultaneously. This nature of process has changed the traditional model of Waterfall process where each segment was controlled independently and process called Continuous Integration or Automated Integration is evolving. In this program, we will discuss about one virtual project having continuous mode of changing requirements and define Test Driven Development model using Open Source Tools combination.
Functional Testing of RESTful ApplicationsNenad Bozic
Rise in popularity of the microservice architecture on one side and need to have the server which has many clients (mobile, web, machine to machine) brought both the challenge and the opportunity to better test RESTful applications on level of features. Main feature of RESTful application are exposed endpoints which enable creating test application as REST client which will view our application as blackbox. Test application can prepare input and wait for output which can be compared against expected one.
In this presentation we will give overview of types of test you can do, concentrate on blackbox testing over REST Api, touch the terms of whitebox testing and graybox testing and why later approach is useful for external dependencies outside of our control and explain why you should use tools such as Cucumber to better communicate features with business people. Presentation will walk through our experiences and how we overcame problems along the way.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-box Web Application Vulnerability Scanners
1. Why Johnny Still Can’t
Pentest:
A Comparative Analysis of Open-source Black-box
Web Application Vulnerability Scanners
@rana__khalil
Rana Khalil, University of Ottawa
2. Who am I?
• Student at the University of Ottawa
• B.S. in Mathematics and Computer
Science (2016)
• M.S. in Computer Science (2018)
• Supervisor: Dr. Carlisle Adams
• OSCP Certification (current)
• Previous work experience include:
software development, testing,
ransomware research, teaching and
penetration testing
2
5. Web Applications
• We use web applications for
everything:
• Over 3.9 billion users world wide
• Over 1.8 billion websites online
5
Banking Education
Shopping Communication
• How much personal data do you have
online?
• Name, SIN, addresses, phone numbers,
emails
• Financial information
• Heath information
6. Web Security
• State of web security today
• Trustwave’s 2018 Global Security
Report:
• 100% of web applications displayed
at least one vulnerability
• Median number of 11 vulnerabilities
per application
6
8. How to Secure a Web Application?
• A combination of techniques are
used to secure web applications:
8
• Static code analysis
• Web application firewalls
• Secure coding practices
• Web application vulnerability scanners
9. How to Secure a Web Application?
• A combination of techniques are
used to secure web applications.
9
• Static code analysis
• Web application firewalls
• Secure coding practices
• Web application vulnerability scanners
10. WAVS
Web Application Vulnerability Scanners have three modules:
10
Crawler Attacker Analysis
*XSS found*
*SQLi found*
*LFI found*
*RFI found*
11. WAVS
Web application vulnerability scanners are largely used in two ways:
1. Point-and-Shoot (PaS) / Default
• Scanner is given root URL of the application
• Default configuration remains unchanged
• Minimal human interference
11
12. WAVS
Web application vulnerability scanners are used in two ways:
2. Trained / Configured
• Change configuration (ex. crawl depth)
• Manually visit every page of the application while scanner is in proxy mode.
12
Browser Scanner Proxy Web Application
13. Previous Work
13
• Suto’s case studies:
• 2007 paper evaluated scanners in PaS mode
• 2010 paper evaluated scanners in PaS and Trained modes
• Benchmark applications:
• Web Input Vector Extractor Teaser (WIVET) created in 2009 by Tatli et al.
• Web Application Vulnerability Scanner Evaluation Project (WAVSEP) created in 2010 by
Chen
• Doupé et al.’s 2010 work on evaluating WAVS on the WackoPicko application
• Several other more recent studies evaluate scanners in PaS mode only
15. Research Goal
• Goal: Performing a comprehensive comparative analysis of the performance of six
chosen scanners in two modes:
• PaS / Default
• Trained / Configured
15
Tool
Selection
Benchmark
Selection
Environment
Setup
Feature &
Metric
Selection
Result
Analysis
16. Tool Selection
• Chen’s evaluation
• Consultation with professional ethical hackers
16
Name Version License Price
Last
Update*
Arachni 1.5.1-0.5.12 Arachni Public Source v1.0 N/A 2017-03-29
Burp Pro 1.7.35 Commercial $349/year 2018-08-29
Skipfish 2.10b Apache v2.0 N/A 2012-12-04
Vega 1.0 MIT N/A 2016-06-29
Wapiti 3.0.1 GNU GPL v2 N/A 2018-05-11
ZAP 2.7.0 Apache v2.0 N/A 2017-11-28
*Checked on August 2018
17. Benchmark Selection
• Benchmark applications:
• WIVET – crawling challenges
• WAVSEP – vulnerability classes
• Intentionally vulnerable realistic web application
• Type of vulnerabilities included in the application
• Architecture of the application and the web technologies used
• Ability of the application to withstand aggressive automated scans
• OWASP Vulnerable Web Applications Directory (VWAD) project
• WackoPicko
17
18. Benchmark Selection - WIVET
• Contains 56 test cases that utilize
both Web 1.0 and Web 2.0
technologies
• Test cases include:
• Standard anchor links
• Links created dynamically using
JavaScript
• Multi-page forms
• Links in comments
• Links embedded in Flash objects
• Links within AJAX requests
18
19. Benchmark Selection - WAVSEP
• Consists of a total of 1220 true positive (TP) test cases and 40 false positive
(FP) test cases
19
Vulnerability Category # of TP test cases # of FP test cases
SQL Injection 138 10
Reflected XSS 89 7
Path Traversal / LFI 816 8
RFI 108 6
Unvalidated Redirect 60 9
DOM XSS 4 0
Passive 5 0
20. Benchmark Selection - WackoPicko
20
• Open-source intentionally vulnerable realistic
web application
• Photo sharing and purchasing site
• Contains 16 vulnerabilities covering several of
the OWASP Top 10
• Contains crawling challenges:
• HTML parsing
• Multi-step process
• Infinite website
• Authentication
• Client-side code
22. Environment Setup 2/2
22
• Each scanner was run in two modes:
• PaS / Default - default configuration setting
• Trained / Configured
1. Maximize crawling coverage – changing
configuration
2. Maximize crawling coverage – use of proxy
3. Maximize attack strength
• WackoPicko test scans were further divided into two
subcategories:
• INITIAL – without authentication / publicly accessible
• CONFIG - valid username/password combination
• In total, each scanner was run eight times
23. Feature and Metric Selection
• Crawling coverage
• % of passed test cases on the WIVET application
• Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy
• TP, FN and FP on the WAVSEP and WackoPicko
applications
• Speed
• Scan time on the WAVSEP and WackoPicko appliations
• Reporting
• Vulnerability detected
• Vulnerability location
• Exploit performed
• Usability
• Efficiency
• Product documentation
• Community support
23
Crawling
Coverage
Detection
Accuracy
Speed
WIVET
WackoPicko
WAVSEP
Features Applications
24. Feature and Metric Selection
• Crawling coverage
• % of passed test cases on the WIVET application
• Crawling challenges in the WackoPicko application
• Vulnerability detection accuracy
• TP, FN and FP on the WAVSEP and WackoPicko
applications
• Speed
• Scan time on the WAVSEP and WackoPicko applications
• Reporting
• Vulnerability detected
• Vulnerability location
• Exploit performed
• Usability
• Efficiency
• Product documentation
• Community support
24
Crawling
Coverage
Detection
Accuracy
Speed
WIVET
WackoPicko
WAVSEP
Features Applications
26. Vulnerability Detection Accuracy – FNs 1/4
Vulnerabilities in WackoPicko that were not
detected by any scanners:
1. Weak authentication credentials
• admin/admin
• Reasons:
• Scanners did not attempt to guess
username/password
• Scanners did attempt to guess
username/password but failed
26
27. Vulnerability Detection Accuracy – FNs 2/4
Vulnerabilities in WackoPicko that were not detected
by any scanners:
2. Parameter Manipulation
• Sample user: WackoPicko/users/sample.php?userid=1
Real user: WackoPicko/users/sample.php?userid=2
• Reasons:
• Most scanners did not attempt to
manipulate the userid field
• Arachni manipulated the userid field but
failed to enter a valid number
• Skipfish successfully manipulated the
userid field but did not report it as a
vulnerability 27
userid=2
28. Vulnerability Detection Accuracy – FNs 3/4
Vulnerabilities in WackoPicko that were not detected by any scanners:
3. Sored SQL Injection
4. Directory Traversal
5. Stored XSS
Reasons:
• Crawling challenges – discussed later
• Lack of detection for these types of vulnerabilities
28
29. Vulnerability Detection Accuracy – FNs 4/4
Vulnerabilities in WackoPicko that were not
detected by any scanners:
6. Forceful Browsing
• Access to a link that contains a high quality
version of a picture without authentication
• /WackoPicko/pictures/high_quality.php?key=hig
hquality&picid=11
7. Logic Flaw
• Coupon management functionality
Reasons:
• Require understanding business logic of the
application
• Application specific vulnerabilities
29
30. Vulnerability Detection Accuracy – TPs 1/4
30
WackoPicko Overall Scan Detection Results
Arachni Burp Skipfish Vega Wapiti ZAP
PaS 37.5 37.5 31.25 18.75 25 37.5
Trained 37.5 50 31.25 25 25 43.75
0
10
20
30
40
50
60
70
80
90
100
%ofDetectedVulnerabilities
Key Observations:
• All scanners missed at least 50% of the
vulnerabilities
• In PaS mode Burp, ZAP and Arachni
achieved the same score
• Running the scanners in trained mode
increased the overall detection
• Vega – increase in attack vector
• ZAP & Burp – Manually visiting the pages in
proxy mode for Flash and dynamic JS
technologies
31. 31
WackoPicko Detection Results. The simplest configuration that detected a vulnerability is listed.
Name RXSS XSS
Stored
SQLi
Reflected
Command
line injection
File
Inclusion
File
Exposure
RXSS
behind JS
RXSS
behind
Flash
Arachni INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL
Burp Pro INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
Skipfish INITIAL INITIAL INITIAL INITIAL INITIAL
Vega INITIAL INITIAL INITIAL INITIAL
Wapiti INITIAL INITIAL INITIAL INITIAL
ZAP INITIAL INITIAL INITIAL INITIAL INITIAL INITIAL CONFIG
PaS
Trained
• Reminder: INITIAL means w/o authentication credentials and CONFIG means w/ authentication
• Running the scanners in trained mode increased the overall detection
Vulnerability Detection Accuracy – TPs 2/4
32. Vulnerability Detection Accuracy – TPs 3/4
32
WAVSEP Overall TP Detection
Key Observations:
• WAVSEP results were better than
WackoPicko.
• Vulnerability categories in the application
• Integrating WAVSEP in the SDLC of the
scanner
• ZAP achieved highest score, followed by
Vega and Skipfish
Arachni Burp Skipfish Wapiti Vega ZAP
PaS 60.2 27.9 4.0 25.4 71.3 60.7
Trained 60.2 42.5 62.6 24.4 71.3 79.3
0
10
20
30
40
50
60
70
80
90
100
%ofWAVSEPTestsDetected
34. Crawling Challenges 1/6
Features that scanners found difficult to crawl in
WackoPicko:
1. Uploading a file
• All scanners were not able to upload a
picture in PaS mode
• Burp and ZAP were able to in Trained mode
34
35. Crawling Challenges 2/6
Features that scanners found difficult to crawl in
WackoPicko:
2. Authentication
• All scanners except for Wapiti successfully
created accounts
• None of the scanners used the created
accounts to authenticate
35
Scanner # of Accounts
Arachni 202
Burp 113
Skipfish 364
Vega 117
Wapiti 0
ZAP 111
36. Crawling Challenges 3/6
36
Features that scanners found difficult to
crawl in WackoPicko:
3. Multi-step processes
• All scanners were not able to complete
the process in PaS mode
• Burp and ZAP were able to in Trained
mode
37. Crawling Challenges 4/6
Features that scanners found difficult to crawl in WackoPicko:
4. Infinite websites
• All scanners recognized the infinite loop except Arachni
37
…..
/calendar.php?date=1541454543 /calendar.php?date=1541540943 /calendar.php?date=1541627343
38. Crawling Challenges 5/6
Features that scanners found difficult
to crawl in WackoPicko:
5. Client-side code
• Flash applications
• Dynamic JavaScript
• Ajax Requests
38
Arachni Burp Skipfish Wapiti Vega ZAP
PaS 94 50 50 50 16 42
Trained 94 50 50 50 16 78
0
10
20
30
40
50
60
70
80
90
100
%ofWIVETTestsPassed
WIVET Results
39. Crawling Challenges 6/6
Features that scanners found difficult to crawl in
WackoPicko:
6. State - awareness
• All the scanners exploited SQL injection
vulnerability in login form, however didn’t
discover any of the vulnerabilities that require
authentication
• Vulnerabilities that require authentication
were only discovered in Trained mode
• Credentials given
• Logout link excluded
39
Scanner Web Application
40. Crawling Challenges 6/6
Features that scanners found difficult to crawl in
WackoPicko:
6. State - awareness
• All the scanners exploited SQL injection
vulnerability in login form, however didn’t
discover any of the vulnerabilities that require
authentication
• Vulnerabilities that require authentication
were only discovered in Trained mode
• Credentials given
• Logout link excluded
40
Scanner Web Application
42. Conclusion
• Scanners are far from being used as PaS tools only
• Several classes of vulnerabilities were not detected
• Scanners had difficulty crawling through common web architectures
and web technologies
• Different scanners have different strengths/weaknesses
• Open-source scanner performance is comparable to commercial scanner
performance and in several cases better
42
43. Last Words…
To secure a web application you need to find and stop ALL
attack vectors, whereas to break a web application you just
need to exploit ONE attack vector.
43
Web application vulnerability scanners are trying to solve a VERY hard problem!