This session introduces the OWASP Top Ten Web Application Security Risks, provides the basics of threat modeling, and helps understand how a Web Application Firewall (WAF) can help address security defects.
Threat Modeling for Web Applications (and other duties as assigned) - Mike Tetreault
This presentation provides an overview of the OWASP Top Ten Web Application Security Risks, approaches to mitigate them, and a framework for addressing the inherent risk.
OWASP Top 10 - 2017: Top 10 web application security risks - Kun-Da Wu
The OWASP team recently released the 2017 revision of the ten most critical web application security risks. This presentation briefs the OWASP Top 10 - 2017 so you can learn more about these important security issues.
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks - Andre Van Klaveren
A presentation of the OWASP Top 10 2017 release candidate, expected to be finalized in summer 2017. Presented at the St. Louis CYBER meetup on Wednesday, June 7, 2017.
Updated MVC Web Security presentation - John Staveley
OWASP Top 10 threats to web applications and how to counter them using MVC.NET mitigations; first shown at #DDDNorth, and contains bonus slides on DDoS and social engineering.
The Notorious 9: Is Your Data Secure in the Cloud? - BCS ProSoft
The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.
OWASP Top 10 Vulnerabilities 2017 - AppTrana - Ishan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following four vulnerabilities:
• Injection
• Sensitive Data Exposure
• Cross Site Scripting
• Insufficient Logging and Monitoring
Big Data Analytics to Enhance Security
Predictive Analytics and Data Science Conference, May 27-28
Anapat Pipatkitibodee, Technical Manager
anapat.p@Stelligence.com
c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association, along with the Matriux Security Community, is organizing a two-day International Security and Hacking Conference titled c0c0n 2010 as part of Information Security Day 2010. The event is supported by the Kochi City Police. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2010 is scheduled for 05-06 Aug 2010. The number of digital security incidents and cyber crimes is increasing daily, and the industry is demanding more security professionals and controls to curb this never-ending threat to information systems. c0c0n aims to provide a platform to discuss, showcase, educate, understand and spread awareness of the latest trends in information, cyber and hi-tech crimes. It also aims to provide a hand-shaking platform for corporate and government organizations, including investigation agencies, academia, research organizations and other industry leaders and players, for better coordination in making the cyber world a better and safer place.
This was the presentation I made to the @LeedsSharp group in Leeds on 26/02/2015. It focuses on web application security and the steps you need to take to counter most of the threats out there today, as determined by the OWASP Top 10. Solutions focus on the MVC.NET framework; there is a source code project to go with this presentation, with all of the solutions implemented, at https://github.com/johnstaveley/SecurityEssentials
OWASP Top 10 2017 - New Vulnerabilities - Dilum Bandara
New vulnerabilities introduced in OWASP Top 10 2017: Broken Access Control, XML External Entities (XXE), Insecure Deserialization, and Insufficient Logging & Monitoring, together with solutions.
OWASP Top 10 Most Critical Web Application Security Risks
The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code. More info at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
The "How to Test for the OWASP Top Ten" webcast focuses on the telltale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Defeating Cross-Site Scripting with Content Security Policy (updated) - Francois Marier
How a new HTTP response header can help increase the depth of your web application defenses.
Also includes a few slides on HTTP Strict Transport Security, a header which helps protect HTTPS sites from sslstrip attacks.
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
Application Security - Your Success Depends on It - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security - ITCamp
Security? It's simple. We have a Security Team... The security of our environment, application and development is their responsibility. We follow best practices; we implement their suggestions (or not...).
But maybe today, in June 2018, now that GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing.
Let's discuss SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms, and use freely available knowledge and a specially prepared environment to check and test our security before we touch Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
Meeting Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Exploiting the Tiredful API
Matt Scheurer
https://twitter.com/c3rkah
Abstract:
The "Tiredful API" is an intentionally designed broken app. The aim of this web app is to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. This presentation features live demos exploiting some of the known vulnerabilities including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS).
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. Matt has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. He maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
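The flaw classes those two Tiredful API talks demonstrate, shown here as an added example in Python that is not code from the Tiredful API project or from the speaker: a SQLite lookup in its injectable and parameterized forms, an insecure direct object reference beside a lookup that ties the record to the caller, and a per-client throttle. The orders table, its rows, and the client identifiers are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory orders table with three owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (owner, item) VALUES (?, ?)",
        [("alice", "laptop"), ("bob", "phone"), ("carol", "tablet")],
    )
    return conn


def find_orders_vulnerable(conn, owner):
    """SQL injection: the caller's string becomes part of the query text,
    so an input such as  x' OR '1'='1  rewrites the WHERE clause."""
    sql = f"SELECT id, owner, item FROM orders WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_orders_safe(conn, owner):
    """Hardened form: a bound parameter is always treated as a value,
    never as SQL syntax, whatever characters it contains."""
    return conn.execute(
        "SELECT id, owner, item FROM orders WHERE owner = ?", (owner,)
    ).fetchall()


def get_order_idor(conn, order_id):
    """Insecure direct object reference: the id alone selects the row,
    so any authenticated caller can enumerate everyone's orders."""
    return conn.execute(
        "SELECT id, owner, item FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order_checked(conn, order_id, caller):
    """Hardened form: the record must belong to the caller. 'Not yours' and
    'does not exist' both return None, so the response does not reveal
    whether a guessed id is valid."""
    return conn.execute(
        "SELECT id, owner, item FROM orders WHERE id = ? AND owner = ?",
        (order_id, caller),
    ).fetchone()


class FixedWindowLimiter:
    """Per-client request throttle. The current time is passed in rather
    than read from the clock so the behaviour is deterministic."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.buckets = {}  # client_id -> (window_start, count)

    def allow(self, client_id, now):
        start, count = self.buckets.get(client_id, (now, 0))
        if now - start >= self.window:
            start, count = now, 0  # window expired, start a fresh one
        if count >= self.limit:
            self.buckets[client_id] = (start, count)
            return False
        self.buckets[client_id] = (start, count + 1)
        return True


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_orders_vulnerable(db, payload))  # all three rows
    print("safe:      ", find_orders_safe(db, payload))        # []
    print("idor:      ", get_order_idor(db, 2))                 # bob's order
    print("checked:   ", get_order_checked(db, 2, "alice"))     # None
```

The same payload returns every row through the string-built query and nothing through the parameterized one, which is the difference a tester looks for when probing an endpoint. The ownership check deliberately collapses "missing" and "forbidden" into one response so that an id-enumeration scan learns nothing from the status it gets back.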
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 12 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyber Risks
• Data Breach and Cloud Misconfigurations
• Insecure Application Programming Interfaces (APIs)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
Oh, WASP! Security Essentials for Web Apps - TechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
Here are the slides from my recent workshop on "QAing the Security Way!"
This workshop focused on setting up the OWASP Mutillidae II application on local machines and performing hands-on exercises against the OWASP Top 10 Most Critical Web Application Security Risks.
OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts.
Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, a site tells the browser to load scripts and other content only from the sources whitelisted in the policy, so injected markup that points elsewhere is refused. This session shares lessons learned from deploying CSP at Yahoo.
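For the CSP and HSTS headers described in the Content Security Policy talks above (Francois Marier's and the Yahoo deployment), here is an added example, not code from either presentation or from Yahoo, of the check a practitioner would run on a site's response headers before trusting them: parse the Content-Security-Policy, flag the source expressions that hand script execution back to injected content, and verify that Strict-Transport-Security carries the max-age and includeSubDomains that make it effective against sslstrip-style downgrades. The sample header values are constructed.

```python
import re

# Source expressions that reopen script injection when present in script-src.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}.
    Directive names are case-insensitive; source values keep their case
    because nonces and hashes are case-sensitive."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_findings(header):
    """Return the weaknesses in a CSP that matter for XSS defence."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback")
    # script-src falls back to default-src when it is absent.
    script = policy.get("script-src", policy.get("default-src", []))
    lowered = [s.lower() for s in script]
    # With a nonce or hash present, browsers that understand them ignore
    # 'unsafe-inline', which then only serves as a fallback for old browsers.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    for src in lowered:
        if src == "'unsafe-inline'" and has_nonce_or_hash:
            continue
        if src in WEAK_SOURCES:
            findings.append(f"script-src allows {src}")
    default_none = "'none'" in [s.lower() for s in policy.get("default-src", [])]
    if "object-src" not in policy and not default_none:
        findings.append("object-src not restricted (plugins can run)")
    return findings


def hsts_findings(header, min_age=31536000):
    """Check a Strict-Transport-Security value. HSTS only protects visits
    after the first HTTPS response has been seen, so a short max-age or a
    missing includeSubDomains leaves windows for a downgrade."""
    if not header:
        return ["Strict-Transport-Security header absent"]
    findings = []
    max_age = None
    flags = set()
    for token in (t.strip() for t in header.split(";")):
        m = re.fullmatch(r"max-age=(\d+)", token, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token:
            flags.add(token.lower())
    if max_age is None:
        findings.append("max-age missing")
    elif max_age < min_age:
        findings.append(f"max-age {max_age} is below {min_age}")
    if "includesubdomains" not in flags:
        findings.append("includeSubDomains missing")
    return findings


# Constructed sample header values for the example.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *"
STRONG_CSP = "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'"
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for name, value in [("weak CSP", WEAK_CSP), ("strong CSP", STRONG_CSP)]:
        print(name, csp_findings(value))
    for name, value in [("weak HSTS", WEAK_HSTS), ("strong HSTS", STRONG_HSTS)]:
        print(name, hsts_findings(value))
```

Run it against the headers a real site returns (for example, the values from `curl -sI https://example.test`) rather than the constructed ones. Note the caveat in the HSTS check: the header does nothing for a user's very first connection, which is why the preload list exists; the check here treats a one-year max-age and includeSubDomains as the minimum, since both are required for preload submission.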
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Key Trends Shaping the Future of Infrastructure - Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Securing your Kubernetes cluster: a step-by-step guide to success! - KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
Threat Modeling and OWASP Top 10 (2017 rc1)
1. An Overview of the OWASP Top Ten Web Application Risks and Threat Modeling Web Applications
THREAT MODELING FOR WEB APPLICATIONS
AND OTHER DUTIES AS ASSIGNED…
2. Introduction
10/19/2017 Mike Tetreault, CISSP, CSSLP, HCISPP
⦿ Who is Mike Tetreault?
● Twenty-five years of IT experience
● Technically more, but seventh graders aren’t reliable network consultants...
● Primarily web application development and team leadership, but also network, server, and database administration.
⦿ Security background
● Lifelong interest in physical and data security.
● Security is the one constant across all of my roles.
● Certification activities:
○ 2003 – Certified Information Systems Security Professional (CISSP)
○ 2009 – Certified Secure Software Lifecycle Professional (CSSLP)
○ 2013 – Healthcare Information Security and Privacy Practitioner (HCISPP)
○ Regularly participate in Examination and Credential Development Workshops
3. Introduction (cont.)
⦿ What do I do today?
● Functional IT Manager, Application Security
● Two primary practices:
○ Access Enablement: Web Application Firewall and Authenticated Reverse Proxy
○ Web Application and Code Security: Static and Dynamic Analysis Tools
● Covers Preventative, Detective, Corrective, and Compensatory controls
4. Presentation Overview
⦿ Why focus on web applications?
● We all have them and we all use them.
● That ubiquity is why they have the largest threat profile.
⦿ Why are web applications everywhere?
● Quickly installed and updated.
● Work across devices and operating systems.
⦿ Why is this bad?
● Data is accessible from anywhere.
● Clients perform processing that the server cannot see or trust.
⦿ This combination is what leads to vulnerabilities.
5. Terms
⦿ Asset
● What we’re trying to protect.
⦿ Threat
● What we’re trying to protect against: anything that can act on an asset to cause harm.
⦿ Vulnerability
● A weakness or gap in our protection efforts that a threat can use.
⦿ Risk
● The intersection of assets, threats, and vulnerabilities: the likelihood that a threat exploits a vulnerability, and the impact on the asset if it does.
6. Why It Matters
⦿ According to the 2015 Global Information Security Workforce Study by (ISC)2, 72% of the over 14,000 IT professionals surveyed named application vulnerabilities as their number one security concern.
⦿ Heartland Payment Systems suffered a SQL injection attack in 2008 which, by their own admission, cost them $170 million.
⦿ The Equifax breach of 2017 has been attributed to an unpatched Apache Struts 2 vulnerability.
● Corrective (patching) and Compensatory (Web Application Firewall) controls could have prevented the attack.
⦿ The 2016 “Cost of Data Breach” study by IBM and Ponemon puts the average cost of a data breach at $154 to $158 per compromised record.
7. OWASP – The Open Web Application Security Project
⦿ Started in 2001
⦿ Has tremendous resources available for security professionals and developers alike
⦿ In the midst of updating their flagship OWASP Top Ten Most Critical Web Application Security Risks
● RC2 expected any day now
● This presentation is based on RC1, which was rejected
8. OWASP Top Ten Web Application Security Risks (2017 RC1)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Broken Access Control (new)
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Insufficient Attack Protection (new)
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components With Known Vulnerabilities
A10 – Underprotected APIs (new)
9. A1: Injection
⦿ What it is:
● Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
⦿ What it looks like:
● String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
● A request with id=' or '1'='1 turns the WHERE clause into a tautology and returns every account.
⦿ How to mitigate:
● Keep untrusted data separate from commands and queries.
● Use a safe API with parameterized inputs (prepared statements), so the value is bound as data and never parsed as part of the statement.
● If no such API exists, escape special characters using the interpreter’s own escape syntax (for SQL, the single quote that delimits string literals). Treat this as a fallback, not a substitute for parameterization.
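The concatenation on this slide and its parameterized fix, side by side, as an added example in Python (this is not code from the slides; the table contents and the payload are constructed here, and an in-memory SQLite table stands in for whatever database the Java snippet would hit):

```python
import sqlite3

# Constructed sample data; not from the slides.
ACCOUNTS = [
    (1, "alice", "acct-001", 120.00),
    (2, "bob", "acct-002", 980.50),
    (3, "carol", "acct-003", 15.25),
]


def make_db():
    """In-memory SQLite table standing in for the slide's 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, custID TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """The slide's pattern: the request parameter is pasted into the SQL text.
    The interpreter cannot tell data from code, so a quote in cust_id
    terminates the literal and the rest of the input becomes SQL."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Safe API: the value is bound as a parameter. Whatever it contains,
    it is compared against custID as a string and never parsed as SQL."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()


def demo():
    """Run both lookups with an honest id and with a tautology payload."""
    conn = make_db()
    honest = "acct-002"
    hostile = "x' OR '1'='1"  # becomes: WHERE custID='x' OR '1'='1'
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

The hostile input returns all three rows through the concatenated query and zero rows through the parameterized one, which is the whole point: the bound value is compared literally against custID, so there is no row whose custID is the string `x' OR '1'='1`.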
11. A2: Broken Authentication and Session Management
⦿ What it is:
● Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
⦿ What it looks like:
● http://example.com/saleitems;jsessionid=2P0OCLPSKHCJUN2JV?dest=Hawaii
● The session ID travels in the URL, so it leaks through browser history, proxy and server logs, and the Referer header whenever the user shares or follows the link.
⦿ How to mitigate:
● Use a single set of strong authentication and session management controls that has a simple interface for developers.
● Keep session IDs out of URLs; carry them in cookies flagged HttpOnly and Secure.
● Strong efforts should also be made to avoid Cross-Site Scripting (XSS) flaws, which can be used to steal session IDs.
12. A3: Cross-Site Scripting (XSS)
⦿ What it is:
● XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
⦿ What it looks like:
● page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
⦿ How to mitigate:
● Properly escape all untrusted (i.e., user-supplied) data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into.
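Context-aware escaping for the slide's attribute example, plus the body, JavaScript-string and URL contexts the mitigation lists, as an added Python example (not code from the slides; the attacker payload is constructed here, and the helper functions are this example's own, built on the standard library's html, json and urllib modules):

```python
import html
import json
from urllib.parse import quote

# Constructed attacker input; not from the slides. It closes the value='...'
# attribute and the <input> tag, then starts a script element.
PAYLOAD = "'><script>alert(1)</script>"


def attribute_vulnerable(cc):
    """The slide's pattern: untrusted input dropped into a single-quoted attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def attribute_escaped(cc):
    """HTML attribute context: & < > \" and ' all become entities, so the input
    can neither close the quote nor start a tag."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


def body_escaped(text):
    """HTML body context: < > & must be entities; escaping the quotes too is harmless."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def js_string_escaped(value):
    """JavaScript string context: JSON-encode so quotes and backslashes are escaped,
    then rewrite '<' so the data can never contain '</script>' and end the block early."""
    return "var cc = " + json.dumps(value).replace("<", "\\u003c") + ";"


def url_param_escaped(value):
    """URL query context: percent-encode everything outside the unreserved set."""
    return "/lookup?cc=" + quote(value, safe="")


def introduces_script(markup):
    """Crude oracle for the demo: did untrusted data add a script element?"""
    return "<script>" in markup or "</script>" in markup
```

The rule the example enforces is the slide's: pick the escaper by where the data lands, not by what the data looks like. An attribute escaper is useless inside a `<script>` block, and a JavaScript escaper is useless in an attribute.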
13. A4: Broken Access Control
⦿ What it is:
● Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data: access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
⦿ What it looks like:
● Valid: http://example.com/app/accountInfo?acct=myacct
● Not valid: http://example.com/app/accountInfo?acct=notmyacct
● If the application does not verify that the requester owns notmyacct, changing the parameter is all it takes.
⦿ How to mitigate:
● Check authorization on the server for every request, at the point where the object is accessed; never rely on the client not knowing an identifier.
● Use per-user or per-session indirect references.
○ The reference is only valid for a single user or session and means nothing to a different user or session, so guessable identifiers are never exposed in the first place.
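Per-session indirect references as the slide describes them, with the server-side ownership check kept in place underneath, as an added Python example (not code from the slides; the account table, the Session class and the accountInfo handler are this example's own constructions):

```python
import secrets

# Constructed backing store: account id -> owner. Not from the slides.
ACCOUNTS = {"acct-001": "alice", "acct-002": "bob"}


class Session:
    """One authenticated user's session, holding its own map of
    random references -> real account ids."""

    def __init__(self, user):
        self.user = user
        self._refs = {}

    def reference_for(self, account_id):
        """Mint a per-session indirect reference. Only accounts the user
        owns ever get one, so the map doubles as an allow-list."""
        if ACCOUNTS.get(account_id) != self.user:
            raise PermissionError(f"{self.user} does not own {account_id}")
        ref = secrets.token_urlsafe(16)
        self._refs[ref] = account_id
        return ref

    def resolve(self, ref):
        """Map a reference back to an id. A reference minted in another
        session, or a raw id such as 'acct-002', is simply unknown here."""
        try:
            return self._refs[ref]
        except KeyError:
            raise PermissionError("unknown reference") from None


def account_info(session, ref):
    """GET /app/accountInfo?acct=<ref>. Resolve the reference, then re-check
    ownership at the point of use: the check is the control, the indirection
    only keeps guessable ids out of the URL."""
    account_id = session.resolve(ref)
    if ACCOUNTS[account_id] != session.user:
        raise PermissionError("ownership check failed")
    return {"account": account_id, "owner": ACCOUNTS[account_id]}


def account_info_vulnerable(session, account_id):
    """The slide's broken pattern: trust the id in the URL and skip the check."""
    return {"account": account_id, "owner": ACCOUNTS[account_id]}


def denied(fn, *args):
    """True if the call is refused with PermissionError (used by the demo)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

Usage: `alice = Session("alice"); ref = alice.reference_for("acct-001"); account_info(alice, ref)` succeeds, while the same `ref` presented by another session, or `acct-002` typed straight into the URL, is refused. The vulnerable handler hands out anyone's account to anyone.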
14. A5: Security Misconfiguration
⦿ What it is:
● Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
⦿ How to mitigate:
● Maintain a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down.
● Implement a process for keeping abreast of, and deploying, all new software updates and patches in a timely manner.
15. A6: Sensitive Data Exposure
⦿ What it is:
● Many web applications do not properly protect sensitive data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
⦿ How to mitigate:
● Encrypt all sensitive data at rest and in transit.
● Use standard algorithms with proper key management.
● Do not store sensitive data unnecessarily.
● Disable autocomplete and caching on pages that collect or display sensitive information.
16. A7: Insufficient Attack Protection
⦿ What it is:
● Web applications need to be resilient in the face of attacks. This means that the confidentiality, integrity, and availability of the data must be maintained while under attack, which requires detecting the attack and responding to it, not merely having no bugs.
⦿ What it looks like:
● An attacker with OWASP ZAP or sqlmap scans an application to detect its vulnerabilities and possibly exploit them.
⦿ How to mitigate:
● Detect attacks
○ Commodity scanners stick out. Use this uniqueness to identify them: look for a high volume of requests, repeated requests for the same resource, scanner User-Agent strings, and bursts of error responses.
● Respond to attacks
○ Blocking is the first line of defense, but delaying responses or requiring a CAPTCHA is valid as well.
● Patch quickly
○ If a critical patch can’t be pushed quickly, consider a “virtual patch” instead: a WAF or proxy rule that drops requests matching the exploit until the real fix is deployed.
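The detection and response steps above run over a handful of access-log lines, with a virtual patch for the deck's accountInfo endpoint, as an added Python example (not code from the slides or from any WAF product; the log lines are constructed, the thresholds are arbitrary, and the virtual-patch rule is hypothetical):

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Oct/2017:10:00:01 -0400] "GET /app/accountInfo?acct=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Oct/2017:10:00:09 -0400] "POST /app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Oct/2017:10:00:10 -0400] "GET /app/accountInfo?acct=1001' HTTP/1.1" 500 0 "-" "sqlmap/1.1.10#stable"
10.0.0.9 - - [19/Oct/2017:10:00:10 -0400] "GET /app/accountInfo?acct=1001'-- HTTP/1.1" 500 0 "-" "sqlmap/1.1.10#stable"
10.0.0.9 - - [19/Oct/2017:10:00:11 -0400] "GET /app/accountInfo?acct=1001%20AND%201=1 HTTP/1.1" 200 512 "-" "sqlmap/1.1.10#stable"
10.0.0.7 - - [19/Oct/2017:10:00:20 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
10.0.0.7 - - [19/Oct/2017:10:00:20 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
10.0.0.7 - - [19/Oct/2017:10:00:21 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
10.0.0.7 - - [19/Oct/2017:10:00:21 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
10.0.0.7 - - [19/Oct/2017:10:00:22 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
10.0.0.7 - - [19/Oct/2017:10:00:22 -0400] "POST /app/login HTTP/1.1" 401 0 "-" "python-requests/2.18.4"
"""

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = re.compile(r"sqlmap|zap|nikto|nmap|dirbuster", re.I)
# Hypothetical virtual patch for the slides' accountInfo endpoint: refuse an
# acct parameter carrying SQL metacharacters or keywords until the code is fixed.
VPATCH_PATH = "/app/accountInfo"
VPATCH_BAD = re.compile(r"['\"]|--|\b(?:and|or|union|select)\b", re.I)


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["path"] = urlsplit(e["target"]).path
            events.append(e)
    return events


def scanner_ips(events):
    """Commodity tools announce themselves in the User-Agent."""
    return {e["ip"] for e in events if SCANNER_UA.search(e["ua"])}


def high_volume_ips(events, threshold):
    """IPs with more than `threshold` requests in the window."""
    return {ip for ip, n in Counter(e["ip"] for e in events).items() if n > threshold}


def repeated_resource(events, threshold):
    """(ip, path) pairs hit at least `threshold` times."""
    counts = Counter((e["ip"], e["path"]) for e in events)
    return {k for k, n in counts.items() if n >= threshold}


def virtual_patch_blocks(event):
    """True when the request matches the virtual patch and must be dropped."""
    if event["path"] != VPATCH_PATH:
        return False
    query = unquote(urlsplit(event["target"]).query)
    return bool(VPATCH_BAD.search(query))


def decide(event, blocked_ips, throttled_ips):
    """Response policy in the order the slide gives: block, then delay, then allow."""
    if event["ip"] in blocked_ips or virtual_patch_blocks(event):
        return "block"
    if event["ip"] in throttled_ips:
        return "delay"
    return "allow"


def analyze(text, volume_threshold=5, repeat_threshold=5):
    events = parse_log(text)
    blocked = scanner_ips(events)
    throttled = {ip for ip, _ in repeated_resource(events, repeat_threshold)}
    throttled |= high_volume_ips(events, volume_threshold)
    throttled -= blocked
    decisions = Counter(decide(e, blocked, throttled) for e in events)
    return {"blocked_ips": blocked, "throttled_ips": throttled, "decisions": dict(decisions)}
```

On the sample, the sqlmap client is blocked by its User-Agent and would be blocked by the virtual patch even with a forged User-Agent, the scripted login hammering is delayed rather than blocked, and the ordinary browser is left alone. Signature matching on User-Agent is the weakest of the three signals; it is there because commodity tools rarely bother to hide, not because it holds up against anyone who does.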
17. A8: Cross-Site Request Forgery (CSRF)
⦿ What it is:
● A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
⦿ What it looks like:
● Legitimate request: http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243
● Embedded link in a malicious page: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
● The victim’s browser fetches the “image” with the victim’s cookies attached; the application has no way to tell this request from one the victim intended.
⦿ How to mitigate:
● Include a unique token, individual to each user or session, in every page as a hidden field.
○ Verify that this token is returned with every state-changing request. If it is not, destroy the session and force the user to reauthenticate.
○ The attacker’s page cannot read the token, because the same-origin policy keeps it from reading responses from your site.
● Require explicit user authentication for high-value transactions.
○ This ensures the user is aware of the activity.
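The token mitigation on this slide applied to the transferFunds endpoint, as an added Python example (not code from the slides; the server secret, the session ids and the request helpers are this example's own constructions, and the token is derived with an HMAC rather than stored, which is this example's design choice, not something the slide specifies):

```python
import hashlib
import hmac
import secrets

# Server-side secret; constructed here, loaded from protected config in practice.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Per-session token: HMAC-SHA256 of the session id under the server secret.
    Derived, so nothing extra needs storing; unforgeable without the secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The slide's mitigation: the token travels in every page as a hidden field."""
    return (
        '<form method="POST" action="/app/transferFunds">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        '<input name="amount"><input name="destinationAccount"><button>Send</button></form>'
    )


def handle_transfer(session_id, method, form):
    """Server side of /app/transferFunds. `session_id` comes from the cookie the
    browser attaches automatically (that is what CSRF abuses); the token must
    come from the form body, which only a page served by this site can fill in."""
    if method != "POST":
        return 405, "state-changing actions must be POST"  # kills the <img src=...> vector outright
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token: session destroyed, re-authenticate"
    return 200, f"transferred {form['amount']} to {form['destinationAccount']}"


def forged_image_request(victim_session):
    """What the malicious page's <img> produces: a GET carrying the victim's cookie, no token."""
    return handle_transfer(victim_session, "GET", {"amount": "1500", "destinationAccount": "attackersAcct"})


def forged_post_request(victim_session, attacker_session):
    """A forged POST (e.g. an auto-submitted form) can only carry a token the attacker
    can obtain, which is one for the attacker's own session, not the victim's."""
    form = {"amount": "1500", "destinationAccount": "attackersAcct",
            "csrf_token": csrf_token(attacker_session)}
    return handle_transfer(victim_session, "POST", form)


def legitimate_request(session_id):
    form = {"amount": "1500", "destinationAccount": "4673243243",
            "csrf_token": csrf_token(session_id)}
    return handle_transfer(session_id, "POST", form)
```

Two independent checks do the work: the method check stops the image-tag variant on its own, and the token check stops any forged POST, because the token is bound to the victim's session and the attacker can only ever obtain a token for a session of their own. The "destroy the session" step from the slide is only reported in the response here; a real handler would invalidate the cookie as well.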
18. A9: Using Components with Known Vulnerabilities
⦿ What it is:
● Components, such as libraries, frameworks, and other software modules, almost always run with the full privileges of the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
⦿ How to mitigate:
● Don’t use external, third-party components. It’s not realistic, but it will work.
● Identify all components and versions you are using, including transitive dependencies. Keep up to date with both releases by the component maintainers and vulnerabilities identified on security mailing lists and databases.
19. A10: Underprotected APIs
⦿ What it is:
● Many modern web applications use APIs to transmit commands and data between users and systems. This communication can be easily intercepted, analyzed, and manipulated.
⦿ How to mitigate:
● Ensure secured communication between the clients and APIs.
● Ensure the parser configuration is hardened against attacks.
● Protect against injection attacks in all forms, not just from browsers.
20. What now?
⦿ First, are there any questions about the OWASP Top Ten vulnerabilities?
⦿ Web applications present a big target
● Broad profile with rich data
⦿ Where do you begin with your security efforts?
⦿ Enter: Threat Modeling!
21. What is Threat Modeling?
⦿ A systematic approach for understanding, classifying, and assigning risk to threats and vulnerabilities.
⦿ Security becomes what it should be: a cost/benefit analysis.
⦿ Based on two different classification schemes:
● STRIDE
○ STRIDE classifies threats (what can go wrong).
● DREAD
○ DREAD classifies risks (how much each threat matters).
22. When Do You Threat Model?
⦿ The sooner the better.
⦿ Prevention is better than a cure.
(Supporting chart not reproduced. Source: IBM Systems Sciences Institute)
23. How do you start?
⦿ Identify your security objectives
● All security can be characterized as relating to Confidentiality, Integrity, or Availability.
● An objective can be tied to one or all of those characteristics.
⦿ High-level objective categories
● Identity
● Financial
● Reputation
● Privacy and Regulatory
● Availability Guarantees
24. What does the application look like?
⦿ Application Overview
● Understand the components, data flows, and trust boundaries.
● UML Use Case diagrams are handy for this.
⦿ Decompose the Application
● Identify the features and modules with security impacts.
● Understand:
○ How data enters the module.
○ How the module validates and processes the data.
○ Where the data flows.
○ How the data is stored.
○ What fundamental decisions and assumptions are made by the module.
⦿ Now that you know what the application looks like, you can classify its threats using the STRIDE model.
28. STRIDE – Characterizing Known Threats
⦿ Spoofing (pretending to be a user or system you are not)
● Users cannot become another user or assume their attributes.
⦿ Tampering (modifying data or code without authorization)
● Applications should never send internal data to users, and should always verify inputs before storing or processing them.
⦿ Repudiation (denying having performed an action)
● An application needs to be able to prove that authorized activities were initiated by authenticated users.
⦿ Information Disclosure (exposing data to someone not authorized to see it)
● Applications should only store sensitive data if proper controls are in place.
⦿ Denial of Service (exhausting the resources legitimate users need)
● Large, resource-intensive queries should only be accessible to properly authenticated and authorized users.
⦿ Elevation of Privilege (gaining capabilities without the authorization to have them)
● Users should only be able to access information and processing capabilities appropriate for their role in the system.
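Slides 24 and 28 together describe a procedure: draw the components, flows and trust boundaries, then walk the STRIDE categories against each. The mechanical form of that walk is STRIDE-per-element (from Adam Shostack's Threat Modeling: Designing for Security, listed in the resources), which says which letters apply to which kind of element. An added Python example of it, applied to a constructed model of the deck's running example (this is not code from the slides; the element and flow classes, the three-tier model and the trust-zone names are this example's own):

```python
from dataclasses import dataclass

# STRIDE-per-element: which threat classes apply to which kind of DFD element
# (Shostack, Threat Modeling: Designing for Security, chapter 3).
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity: user, browser, third party
    "process": "STRIDE",   # running code: web app, API, batch job
    "store": "TRID",       # database, file, queue
    "flow": "TID",         # data moving between elements
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" | "process" | "store"
    zone: str   # trust zone; two zones on one flow means a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    def crosses_boundary(self):
        return self.src.zone != self.dst.zone


def enumerate_threats(elements, flows):
    """Candidate (target, threat, crosses_boundary) triples for a model.
    Every element gets its letters; flows are marked when they cross a
    trust boundary, which is where the review should start."""
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append((e.name, STRIDE_NAMES[letter], False))
    for f in flows:
        for letter in STRIDE_PER_ELEMENT["flow"]:
            threats.append((f.name, STRIDE_NAMES[letter], f.crosses_boundary()))
    return threats


def boundary_first(threats):
    """Order candidates so boundary-crossing flows come first."""
    return sorted(threats, key=lambda t: (not t[2], t[0], t[1]))


# Constructed model of the deck's running example (not from the slides):
BROWSER = Element("Browser", "external", "internet")
WEBAPP = Element("Web application", "process", "dmz")
ACCOUNTS_DB = Element("Accounts DB", "store", "internal")
ELEMENTS = [BROWSER, WEBAPP, ACCOUNTS_DB]
FLOWS = [
    Flow("HTTP request/response", BROWSER, WEBAPP),
    Flow("SQL query", WEBAPP, ACCOUNTS_DB),
]


def example_model():
    return boundary_first(enumerate_threats(ELEMENTS, FLOWS))
```

The output is a checklist, not a finding: each triple is a question to ask ("can the SQL query flow be tampered with?" is A1 on slide 9; "can the browser be spoofed?" is A2 on slide 11). The value of the mechanical pass is that it makes omissions visible, which is exactly what the "think like an attacker" approach on slide 32 fails to do.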
29. DREAD – Classifying, Quantifying, Comparing, and Prioritizing Risk
⦿ Each threat is scored 1–10 on each of the five factors below; the five scores are added together and divided by 5, giving a risk score between 1 and 10.
⦿ Damage
● If a threat exploit occurs, how much damage will it cause?
⦿ Reproducibility
● How easy is it to reproduce a threat exploit?
⦿ Exploitability
● How much skill and effort are needed to exploit the threat? Score higher when less is needed.
⦿ Affected Users
● How many users are affected if a threat is exploited?
⦿ Discoverability
● How easy is it to discover the threat?
● Often set to 10 by default, with the assumption that it will be discovered.
30. Next Steps
⦿ Analyze the DREAD score for each threat.
⦿ Understand the remediation for each threat, and decide what you will do with the risk each presents:
● Acceptance – Not all security is “worth it”
○ You don’t spend $50,000 on security controls for a hot dog cart.
● Avoidance – Just don’t do it
○ Not typically feasible in application development.
● Limitation – Take steps to minimize risk
○ Most common risk management strategy.
○ Example: Disk drives may fail, so we maintain RAID and backups.
● Transference – Let someone else take the risk
○ Outsource common functions that are not a core competency.
○ Purchasing insurance can be an option.
31. An Alternative…
⦿ “Awww, man. This is too hard!”
⦿ The less structured approach (the four questions from Adam Shostack’s Threat Modeling: Designing for Security, listed in the resources):
● 1. What are you building or deploying?
● 2. What can go wrong?
● 3. What are you going to do about it?
● 4. Did you do well with steps 1–3?
32. Traps of Threat Modeling
⦿ “Think like an attacker.”
● Not quite. Better: “Let’s go through this in a structured way and find the real problems.”
⦿ “You’re never done threat modeling.”
● “Perfect is the enemy of good.”
● Model -> Identify -> Mitigate -> Validate
⦿ “The way to threat model is…”
● There is no perfect way to threat model!
● What works for you may not work for others.
33. Traps of Threat Modeling (cont.)
⦿ “Threat modeling is born, not taught.”
● Just like any skill, it is learned.
● Interest helps, though.
⦿ “Threat modeling is for specialists.”
● Threat modeling is like version control.
● Every developer understands it, but only a few are responsible for administering it.
⦿ Starting at the wrong time
● Earlier is almost always better.
34. Other Uses!
⦿ Let’s say you have a space station, and it has a highly exploitable exhaust port… What would its DREAD score look like?
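Slide 29's formula and slide 30's treatment options, applied to the slide 34 question and to two threats from the deck's own examples, as an added Python example (not code from the slides; the factor values, the treatment cut-offs and the Threat class are this example's assumptions, chosen to illustrate the arithmetic rather than to state the deck's opinion of any of these threats):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int        # higher = less skill and effort needed
    affected_users: int
    discoverability: int = 10  # the slide's default: assume it will be found

    def dread(self):
        """Slide 29's formula: five factors, each 1-10, summed and divided by 5."""
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for f in factors:
            if not 1 <= f <= 10:
                raise ValueError(f"DREAD factors are 1-10, got {f} for {self.name}")
        return sum(factors) / 5


def rank(threats):
    """Highest risk first."""
    return sorted(threats, key=lambda t: t.dread(), reverse=True)


def treatment(score):
    """Map a score to slide 30's options. These cut-offs are this example's
    assumption, not from the slides; tune them to your own risk appetite."""
    if score >= 8.0:
        return "limit now (or avoid the feature)"
    if score >= 5.0:
        return "limit, schedule remediation"
    return "accept (or transfer)"


# Constructed, illustrative scores for threats the deck mentions.
SAMPLE_THREATS = [
    Threat("SQL injection in accountInfo lookup (slide 9)",
           damage=9, reproducibility=10, exploitability=8, affected_users=10),
    Threat("Session ID exposed in URL (slide 11)",
           damage=7, reproducibility=9, exploitability=6, affected_users=5),
    Threat("Thermal exhaust port leading straight to the main reactor (slide 34)",
           damage=10, reproducibility=3, exploitability=2, affected_users=10),
]


def report(threats=SAMPLE_THREATS):
    """(name, score, treatment) for each threat, highest score first."""
    return [(t.name, t.dread(), treatment(t.dread())) for t in rank(threats)]


def valid_factors(threat):
    """True if the threat's factors are all in range (used by the demo)."""
    try:
        threat.dread()
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, score, action in report():
        print(f"{score:4.1f}  {action:32s}  {name}")
```

The exhaust port scores 7.0 with these numbers: maximum damage and everyone aboard affected, but low reproducibility and exploitability because the attack needs a precise shot from a single small craft. That is the point of averaging five factors rather than ranking by damage alone, and also the reason DREAD is easy to argue about: change exploitability from 2 to 8 and the port outranks the SQL injection.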
35. Other Uses!
⦿ Or you have a big invading space ship, and you allow unauthenticated access to your network (and don’t have host security)…
36. Other Uses!
⦿ If you run a highly virtualized environment with potentially hostile VMs, be sure you monitor for guests breaking out of the sandbox…
37. Other Uses!
⦿ You maintain a complex, life-critical system of hardware and software, and allow one person to develop, implement, and support the application…
38. An Alternative to the Alternative
⦿ Web Application Firewall (WAF)
⦿ What is it?
● A system that filters, monitors, and blocks HTTP traffic to and from a web application.
⦿ Why use it?
● Can provide a compensating control for every item in the OWASP Top Ten (see the next slide), though it cannot fix the underlying defect.
● Payment Card Industry (PCI) Data Security Standard (DSS) requirement 6.6 requires it…
○ …or application code reviews. But why choose?
39. OWASP Top Ten Web Application Security Risks
(The same ten risks listed on slide 8: A1 Injection, A2 Broken Authentication and Session Management, A3 Cross-Site Scripting (XSS), A4 Broken Access Control (new), A5 Security Misconfiguration, A6 Sensitive Data Exposure, A7 Insufficient Attack Protection (new), A8 Cross-Site Request Forgery, A9 Using Components With Known Vulnerabilities, A10 Underprotected APIs (new).)
40. Web Application Firewalls are great, but…
⦿ They’re touchy to set up.
⦿ They can be noisy for alerts.
⦿ The lower your tolerance for false positives, the less meaningful your controls: every rule you loosen so it stops blocking legitimate traffic is a rule an attacker can slip past.
⦿ The converse is true as well: the tighter the rules, the more legitimate traffic you block.
⦿ WAFs require a specialized skill set to be truly proficient.
41. Questions / Comments / Resources
⦿ Email: mike@macrocosmictech.com
⦿ I’m on LinkedIn, and these slides will be too!
⦿ Resources:
● OWASP – The Open Web Application Security Project: https://www.owasp.org/
● Threat Modeling, Frank Swiderski and Window Snyder
● Threat Modeling Web Applications, J.D. Meier, Alex Mackman, Blaine Wastell
● Threat Modeling: Designing for Security, Adam Shostack
● Mailing lists and other resources:
○ Common Vulnerabilities and Exposures Database – http://cve.mitre.org
○ Microsoft Security Response Center
○ SANS – http://www.sans.org