Tools & techniques, building a dev secops culture at mozilla sba live academy - may 2020

•

0 gostou•220 visualizações

"Tools & Techniques from building a DevSecOps culture at Mozilla" For the past decade, security teams at Mozilla have sharpened their tools and improved their techniques to mature the security culture of the organization, and dramatically reduce vulnerabilities and risks. In this talk, Julien shows how Mozilla approaches DevSecOps and shares lessons learned from that journey. Speaker: Julien Vehent, Firefox Operations Security Talk language: English About the Speaker: ********************* Julien Vehent is a French computer security engineer who leads the Firefox Operations Security team at Mozilla. He specializes in web applications security, cloud infrastructure, cryptography and risk management. He is the author of “Security DevOps”, published at Manning in 2018.

Tecnologia

Building a DevOps
Security Culture
at Mozilla
1
Julien Vehent - Mozilla

$ whoami
2
twitter: jvehent
web: https://j.vehent.org
email: julien@vehent.org

7
comfort zone
Oh Hey Let’s do the devsecops thing!

git commit -a . && git push origin master
9

or what happens when security guys write ops tools
Sops
10

Don’t just build security tools.
Build operational tools
that do things securely.
11

Centralized
Distributed
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A
Sec A
Ops B
Dev B
Sec B
CISO
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
Centralized security orgs are often too
far from devs & ops to be impactful
Distributed security orgs have better
impact but worse strategy & coordination

Embedding
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
The hybrid embedded model distributes engineers from a central security org into
dev & ops teams. Managers of those teams have direct influence into the work of
the embedded engineers, but security strategy & coordination is centralized.

Embedding works both ways: Security Champions
C-Suite
Eng. grp A Eng. grp B
Ops A
Dev A Sec A
Ops B
Dev B
Sec B
CISO
Champions are engineers from dev & ops teams who are treated like security team
members and have direct access to all the resources of the security org.

Trust
the
tests
18
github.com
/mozilla
/frost

21
test:
override:
# build and run an application container
- docker build -t myrepo/myapp
- docker run myrepo/myapp &
# retrieve the ZAP container
- docker pull owasp/zap2docker-weekly
# run the baseline scan against the application
- docker run -t owasp/zap2docker-weekly zap-baseline.py -t http://172.17.0.2:8080/ -m 3 -i
WARN: Web Browser XSS Protection Not Enabled [10016] x 3
https://www.example.com
https://www.example.com/robots.txt
https://www.example.com/sitemap.xml
WARN: X-Content-Type-Options Header Missing [10021] x 1
https://www.example.com
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 4 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 22

22
github.com
/mozilla-services
/websec-check
Security
Checklists

23
Observatory
.Mozilla
.Org
Self
Service
Assessments

24
Clear Expectations
↓
Checklist
↓
Self Assessment
↓
Profit

26
Ships are safe in harbor.
But that’s not what
ships are for.

27
Rapid
Risk
Assessments
mzl.la/2mkWN37

To go beyond the security team
Get the security team closer to your organization
28

Mais conteúdo relacionado

Mais procurados

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...

DevSecCon

Speaker: Cheryl Biswas Cloud. It's the land of opportunity. Enterprises are doing mass migrations from older and legacy systems to harness greater power and efficiency from innovative new tech. Following that money trail are opportunistic attackers, seeking the computing strength and near-invisibility afforded by enterprise cloud environments to mine bitcoin. Cryptominers are everywhere. And yes, Virginia, they are in the Cloud. These nebulous power-rich realms let attackers set up mining rigs to feast on enterprise resources, while flying below the detection of cloud or conventional security resources. The concern here is that once attackers gain access to our networks, they can pivot and move laterally, to find even greater reward in the vast amounts of data available.

Mining Malevolence: Cryptominers in the Cloud

CloudVillage

Traditionally, security teams have been accustomed to investigating incidents and falling back to previous code releases if they detect serious issues. With the rise of modern cloud-native applications and immutable infrastructure, however, security engineers have new solutions at their fingertips. Immutable infrastructure refers to infrastructure with components that are designed to be destroyed and replaced with new versions whenever a change is necessary. This makes immutable infrastructure different from conventional deployment technologies, in which components were typically updated while they were still running rather than being redeployed whenever a change takes place. In this session, Dima Stopel will discuss the changing security landscape and how immutable infrastructure and cloud-native technologies such as containers, can make tedious, risk-prone security workflows a thing of the past.

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...

Cloud Native Day Tel Aviv

Third party components are a part of any modern site: JS libs, analytics, trackers, share buttons, ads. Many components, each adding its performance cost, cause render delays or can effectively take your site down. This isn’t your code nor your servers, so what can you do about it? This presentation will answer this question with strategies and tactics for keeping 3rd parties from taking you down. This talk was given at Velocity Santa Clara, 2014: The presentation from Velocity Santa Clara, 2014 (http://velocityconf.com/velocity2014/public/schedule/detail/35448).

Third Party Performance (Velocity, 2014)

Guy Podjarny

Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around DevSecOps pipeline. Is DevSecOps the only thing you need to do for security in your IT division or is there more? What impact does bringing in secure culture in an engineering context mean? What handshake is needed between the IT function and the security / risk function for large enterprises? How does this impact roles and responsibilities of a developer? This talk is an attempt to answer questions such as these using a real world examples of transformations seen in Fortune 100 companies.

Dev week cloud world conf2021

Archana Joshi

Demystifying DevSecOps

Archana Joshi

Elizabeth Lawler - Devops, security, and compliance working in unison

DevSecCon

Rethinking Application Security for cloud-native era

Priyanka Aash

Equifax cyber attack contained by containers

Aqua Security

DevSecOps, The Good, Bad, and Ugly

4ndersonLin

Automating Security Compliance on AWS with DevSecOps

Tushar Gupta

Why should developers care about container security?

Eric Smalling

Talk DevSecOps to me

Michelle Ribeiro

DevSecOps Days SF at RSA Conference 2018

DevSecOps Days

Leveraging Osquery for DFIR @ Scale _BSidesSF_2020

Sohini Mukherjee

'Moon' Security Management System for OPNFV

OPNFV

Do you know that 90% of all vulnerabilities can be prevented by introducing security in every step of your software development lifecycle (SDLC)? Get ready to join Wouter on his journey on how he introduced security into the SDLC at a company. During his talk, Wouter will introduce you to how development, operations and security can be fitted together into “SecDevOps”. The talk uses practical examples so that you will be able to experiment with “SecDevOps” yourself and know what you should pay attention to when implementing this into your own SDLC.

JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...

Wouter Bloeyaert

The New Security Playbook: DevSecOps

James Wickett

Dev secops. Real experience.

Vitaly Balashov

The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined. Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream. This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.

DevSecOps without DevOps is Just Security

Kevin Fealey

Mais procurados (20)

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...

Mining Malevolence: Cryptominers in the Cloud

Why cloud native envs deserve better security - Dima Stopel, Twistlock - Clou...

Third Party Performance (Velocity, 2014)

Dev week cloud world conf2021

Demystifying DevSecOps

Elizabeth Lawler - Devops, security, and compliance working in unison

Rethinking Application Security for cloud-native era

Equifax cyber attack contained by containers

DevSecOps, The Good, Bad, and Ugly

Automating Security Compliance on AWS with DevSecOps

Why should developers care about container security?

Talk DevSecOps to me

DevSecOps Days SF at RSA Conference 2018

Leveraging Osquery for DFIR @ Scale _BSidesSF_2020

'Moon' Security Management System for OPNFV

JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor...

The New Security Playbook: DevSecOps

Dev secops. Real experience.

DevSecOps without DevOps is Just Security

Semelhante a Tools & techniques, building a dev secops culture at mozilla sba live academy - may 2020

All organizations want to go faster and decrease friction in delivering software. The problem is that InfoSec has historically slowed this down or worse. But, with the rise of CD pipelines and new devsecops tooling, there is an opportunity to reverse this trend and move Security from being a blocker to being an enabler. This talk will discuss hallmarks of doing security in a software delivery pipeline with an emphasis on being pragmatic. At each phase of the delivery pipeline, you will be armed with philosophy, questions, and tools that will get security up-to-speed with your software delivery cadence. From DeliveryConf 2020

Pragmatic Pipeline Security

James Wickett

All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Presented at LASCON 2018, in Austin, TX.

The DevSecOps Builder’s Guide to the CI/CD Pipeline

James Wickett

DevSecOps and the CI/CD Pipeline

James Wickett

Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing. It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.

Making Security Agile

Oleg Gryb

The Emergent Cloud Security Toolchain for CI/CD

James Wickett

AppSec California 2016 - Making Security Agile

Oleg Gryb

The Emergent Cloud Security Toolchain for CI/CD given at RSA Conference 2018 in San Francisco. All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table. Learning Objectives: 1: Learn the emerging patterns for security in CI/CD pipelines. 2: Receive a pragmatic security toolchain for CI/CD to use in your organization. 3: Understand the real meaning of DevSecOps is without all the hype.

The Emergent Cloud Security Toolchain for CI/CD

James Wickett

.NET Conf 2019 Tel-Aviv Israel There are cases where bugs are discovered only after the product is shipped and used by the end-users. The main reason for these bugs that appear only in the production environment is the use of real user scenarios with real user data. Production debugging is about solving customer-facing issues that aren't easily reproducible in the development or testing environments. When it comes to a cloud-hosted application, production debugging becomes even harder. The code is running on multiple hosts, a business flow can span many services. A remote debugging session with the cloud is dangerous and may introduce side effects to the currently running software, such as performance degradation, interruption of service, and data correctness issues. In this lecture, we will see how we can remote debug our cloud staging environment, and how we can use Visual Studio Snapshot debugger to set Snapshots and Log points in our production environment. To get even more insights, the audience will see a revolutionary tool and approach for a collaborative production debugging – OzCode Debugging as a Service (DaaS), where the DevOps and the Dev team can solve production problems together! You will learn: 1. The difficulties of debugging a modern cloud-hosted application 2. Methods and tools for capturing the state and debugging cloud-hosted services

C# Production Debugging Made Easy

Alon Fliess

Running security tests as a part of your CI pipeline allows you to provide better and more relevant feedback to developers as quickly as possible (also known as the “Shift Left paradigm”/”DevSecOps” methodology). Those slides are from a session at DevOpsDays TLV 2017 - how to use OWASP Zap to create valuable dynamic security tests. In those slide, I'm showing how we added those test to one of our open source project - Tweek (https://github.com/soluto/tweek)

Security Testing with Zap

Soluto

Alexey Kupriyanenko "Release Early, Often, Stable"

Fwdays

Dev{sec}ops

Steven Carlson

All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv...

DevOpsDays Tel Aviv

Erik Costlow, Product Evangelist at Contrast Security, was Oracle's principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.

Securing a Cloud Migration

Carlos Andrés García

Securing a Cloud Migration

VMware Tanzu

Talk given at ISC2 Secure SDLC event in Austin, TX The release velocity for our applications is increasing, often leaving security testing behind. In some cases, the security team ends up being the bottleneck. That's bad. In an idyllic world, security testing would happen earlier in the development lifecycle, but lets do one better. Lets do security testing on every code change. Using automation tooling and DevOps practices, this talk will help you tune security testing to your release cadence and more importantly help you deliver more rugged software.

Attacking Pipelines--Security meets Continuous Delivery

James Wickett

Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services. Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India

Continuous Delivery, Continuous Integration

Amazon Web Services

The DevOps paradigm - the evolution of IT professionals and opensource toolkit

Marco Ferrigno

The DevOps Paradigm

NaLUG

DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...

DevSecCon

ABN AMRO DevSecOps Journey

Derek E. Weeks

Semelhante a Tools & techniques, building a dev secops culture at mozilla sba live academy - may 2020 (20)

Pragmatic Pipeline Security

The DevSecOps Builder’s Guide to the CI/CD Pipeline

DevSecOps and the CI/CD Pipeline

Making Security Agile

The Emergent Cloud Security Toolchain for CI/CD

AppSec California 2016 - Making Security Agile

The Emergent Cloud Security Toolchain for CI/CD

C# Production Debugging Made Easy

Security Testing with Zap

Alexey Kupriyanenko "Release Early, Often, Stable"

Dev{sec}ops

All you need is Zap - Omer Levi Hevroni & Yshay Yaacobi - DevOpsDays Tel Aviv...

Securing a Cloud Migration

Attacking Pipelines--Security meets Continuous Delivery

Continuous Delivery, Continuous Integration

The DevOps paradigm - the evolution of IT professionals and opensource toolkit

The DevOps Paradigm

DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...

ABN AMRO DevSecOps Journey

Mais de SBA Research

SESSION 3C-2 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong Uniqueness Generating randomness collectively has been a long standing problem in distributed computing. It plays a critical role not only in the design of state-of-the-art Byzantine fault-tolerant (BFT) and blockchain protocols, but also for a range of applications far beyond this field. We present RandRunner, a random beacon protocol with a unique set of guarantees that targets a realistic system model. Our design avoids the necessity of a (BFT) consensus protocol and its accompanying high complexity and communication overhead. We achieve this by introducing a novel extension to verifiable delay functions (VDFs) in the RSA setting that does not require a trusted dealer or distributed key generation (DKG) and only relies on well studied cryptographic assumptions. This design allows RandRunner to tolerate adversarial or failed leaders while guaranteeing safety and liveness of the protocol despite possible periods of asynchrony.

NDSS 2021 RandRunner: Distributed Randomness from Trapdoor VDFs with Strong U...

SBA Research

The number of threats that need to be considered in information security is constantly increasing and with it the pressure on those responsible to protect the assets of their own company. Knowing your own security requirements plays a crucial role in averting risks and ensuring adequate protection. So what are your security requirements and how can you define them? How do you implement security requirements effectively and which tools and resources do you have at your disposal? These are precisely the questions that will be addressed in the SBA Meetup. Talk language: English

SBA Security Meetup – Security Requirements Management 101 by Daniel Schwarz ...

SBA Research

Abstract: ********* A resilient architecture acts as a strong foundation for secure applications. Designing such an architecture can be challenging, if you’re not relying on security design principles to guide you. Nevertheless, many developers neglect those fundamentals. Thomas will start by discussing the importance of security design principles and how to apply them in your own projects. He will follow up with a deep-dive into a selection of important principles. Understanding the nuances of those principles allows you to adapt them to your specific needs and decide, whether and where to apply them. Speaker: ********** Thomas Kerbl (Team Lead / Principal Security Consultant - SEC Consult) Talk language: English

SBA Security Meetup: Building a Secure Architecture – A Deep-Dive into Securi...

SBA Research

SBA Security Meetup: I want to break free - The attacker inside a Container

SBA Research

"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig “Audit ante portas – Das Audit steht vor den Toren.” Einer der Schreckenssätze für viele Sicherheitsverantwortlichen. Dies bedeutet für die meisten schlaflose und schweißvolle Nächte und bangen. Doch gibt es hierfür reale Gründe? Wir werden das Gesamtbild “Audit” in den Fokus stellen und beleuchten. Speaker: Thomas Kopeinig (condignum GmbH) Talk language: German About the Speaker: ********************* Thomas Kopeinig ist Security Analyst bei der condignum GmbH in Wien. Nach seinen berufsbegleitenden Studien in Wien und Hagenberg startete er als Security Consultant und entwickelte sich immer weiter in die Richtung GRC & Audit & ISMS. In seiner Rolle bei der condignum GmbH beschäftigt er sich aktuell mit der Frage, wie genau diese Themen für Organisationen jeder Größe effizient und angemessen realisierbar gemacht werden können.

"Rund um die ISO27001 Zertifizierung – Nähkästchentalk" by Thomas Kopeinig

SBA Research

"Secure development on Kubernetes" With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. By the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, there are many traps and points of attack lurking. In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate these will be shown. All steps are described using live demos with an exemplary Spring Boot Java application, that is deployed as a docker container in a Kubernetes cluster, taking into account recommended security patterns. Speaker: Andreas Falk, Novatec Consulting Talk language: English About the Speaker: ********************* Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany. In various projects, he has since been around as consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.

Secure development on Kubernetes by Andreas Falk

SBA Research

"BIG BANG!" Highlights & key takeaways of 24 security talks by Stefan Jakoubi & Thomas Konrad In this talk we will point out highlights and key takeaways of two months SBA Live Academy! Missed some talks? Watch them on YouTube (https://www.youtube.com/channel/UCGkdNRPzjB2c6RxoMJ5POCg/videos)! Speaker: Stefan Jakoubi, SBA Research Thomas Konrad, SBA Research Talk language: German About the Speaker: ********************* Stefan Jakoubi ist Geschäftsleiter für den Bereich „Professional Services“ bei SBA Research. Er ist seit über 13 Jahren im Großraum der Informationssicherheit tätig und "Sicherheits-Architekt" für Kunden und Forschungspartner. Hierbei liegt sein spezieller Fokus auf dem balancierten Zusammenspiel geschäftlicher Anforderungen und erforderlicher Sicherheitsmaßnahmen, um Entscheidungsträger in der Erfüllung ihrer Sorgfaltspflichten entsprechend zu unterstützen. Am liebsten hält er allerdings Security Awareness Vorträge, um komplexe Themengebiete zielgruppengerecht "zu übersetzen". Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy - "BIG BANG!" Highlights & key takeaways of 24 security talks

SBA Research

"Rechtliche Risiken mit externen Mitarbeitern" Externe MitarbeiterInnen, die IT-mäßig eingebunden werden (müssen) sind kein neues Phänomen. Das Thema ist jedoch gerade jetzt besonders aktuell: Unternehmen, die keine Erfahrungen mit externer IT-Anbindung haben, mussten von einem Tag auf den anderen MitarbeiterInnen ins Home Office schicken; selbst Organisationen, die bereits Erfahrungswerte haben, stehen vor der Herausforderung, aus einer breiten Palette von Anwendungen die passendste und sicherste zu wählen. Der Vortrag informiert über die rechtlichen Risiken in Bezug auf Geheimhaltung, Systemintegrität und Datenschutz in Zeiten von Home Office. Speaker: Dr. Stefan Eder, Benn-Ibler Rechtsanwälte GmbH Talk language: German About the Speaker: ********************* Dr. Stefan Eder ist Rechtsanwalt und Partner in der Wirtschaftskanzlei Benn-Ibler Rechtsanwälte GmbH. Er hat zusätzlich Betriebsinformatik studiert und ist in diverse IT-Projekte involviert. Er trägt regelmäßig zu Themen der IT-Sicherheit vor und engagiert sich als Gründer des Österreich-Chapters der Legal Hackers für die Erforschung und Entwicklung kreativer Lösungen an der Schnittstelle zwischen IT und Recht. Er organisiert darüber hinaus die REMEP, eine Plattform für Rechtsinformatik.

SBA Live Academy, Rechtliche Risiken mit externen Mitarbeitern

SBA Research

"What the heck is secure computing?" What is “secure computing”? Why should it be important to me? Now that it is important to me, how can I use secure computing for my work? This presentation will give an overview of the two main types of secure computing. We explain the fundamental ideas behind the technology and point out important details. We also present ideas on how this technology can be used for new applications, and last but not least, we answer your questions. Speaker: Matthias Gusenbauer, Talk language: English About the Speaker: ********************* I am a researcher at SBA Research in Vienna, Austria. My research focuses on bridging people and technology to solve issues in security and privacy. In order to accomplish this I focus on usable security and privacy with an interest in applied cryptography. I have been a research fellow at the National Institute of Informatics (NII) in Tokyo to work on visualizing network traces. During a second stay with the NII as part of Echizen Laboratory I worked on visualizing the Bitcoin blockchain. Now I continue to work in the domain of usable security, cryptography and privacy.

SBA Live Academy, What the heck is secure computing

SBA Research

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. For the first time, the 2020 Symposium took part as a full virtual conference. Our group of researchers are very greatful for the opportunity to present their work on HydRand, a distributed protocol for the secure provisioning of distributed randomness, at this prestigious event. In his talk, Philipp Schindler outlines the fundamental concepts of distributed randomness as well as the details of HydRand’s design.

HydRand: Efficient Continuous Distributed Randomness. IEEE S&P 2020 by Philip...

SBA Research

Target Group: SysAdmins, Developer, DevOps Focus: technical Talk language: English Abstract ********** What are Containers and what makes them secure to use? Which different types of Containers are out there and how can I best use them securely? What container types are there beyond Docker? About the Speaker: ********************* Mathias Tausig is Security Consultant at SBA Research. Mathias received a master’s degree (DI / MSc) in Technical Mathematics from the University of Technology Vienna (TU Wien). His professional experience includes a tenure as a Security Officer for a Certification Authority and lecturing IT-Security at the University of Applied Sciences Campus Vienna.

SBA Live Academy - Secure Containers for Developer by Mathias Tausig

SBA Research

Abstract ********* SecDevOps has complex challenges: remote code execution vulnerabilities could lead to a takeover of the backend. Web hosters and Cloud providers have to deal with the extreme: remote code execution as a service by running user code (PHP, NodeJS, Go, dotnet, …). What does the Linux Kernel provide to contain successful attacks other than a firewall, user separation and permissions? Do Docker containers really contain? About the Speaker: ********************* Reinhard Kugler is Principal Security Consultant at SBA Research. He focuses on secure software engineering, infrastructure security and malware analysis. Currently his main activities concentrate on penetration testing.

SBA Live Academy - After the overflow: self-defense techniques (Linux Kernel)...

SBA Research

Managing passwords is a critical developer task. Developers tasked with building or augmenting legacy authentication systems have a daunting task when facing modern adversaries. This talk will review some of the changes suggested in NIST SP800-63b the “Digital Identity Guideline on Authentication and Lifecycle Management regarding password policy”. We’ll discuss topics such as credential stuffing and the importance of managing common passwords found in public breaches. We’ll also discuss various strategies around storing passwords using modern algorithms and methods. * Importance of Password Storage * Credential Stuffing * Password Policy Updates from NIST[masked]b * Password Topologies * Offline Password Attacks * Password Cracking * Password Hashing Strategies * Password Keyed Protections * Hard-Coded Passwords and Backdoors Speaker: Jim Manico, Manicode Security Talk language: English About the Speaker: ********************* Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the Java Champion community, and is the author of "Iron-Clad Java: Building Secure Web Applications" from Oracle Press. Jim also volunteers for the OWASP foundation as the project co-lead for the OWASP ASVS and the OWASP Proactive Controls.

SBA Live Academy - Passwords: Policy and Storage with NIST SP800-63b by Jim M...

SBA Research

Zielgruppe: Architekten, Entwickler, Tester, DevOps Schwerpunkt: technisch Abstract ********** Dieser Vortrag gibt eine kurze Einführung in die Welt des Threat Modeling. Es wird erklärt was Threat Modeling eigentlich ist, welche Methoden zur Verfügung stehen und wie man es ganz pragmatisch selbst anwenden kann. About the Speaker: ********************* Daniel Schwarz ist Senior Security Analyst bei der condignum GmbH in Wien. Nach seinem Abschluss an der FH St. Pölten im Bereich IT- und Information Security startete er beruflich als Penetration Tester und fokussierte sich als Security Consultant im Laufe der letzten sieben Jahren immer stärker auf die Themen sichere Softwareentwicklung, Secure Design, Threat Modeling und Security Requirements Engineering. In seiner Rolle bei der condignum GmbH beschäftigt er sich aktuell mit der Frage, wie genau diese Themen für Organisationen jeder Größe effizient und angemessen realisierbar gemacht werden können.

SBA Live Academy - Threat Modeling 101 – eine kurze aber praxisnahe Einführun...

SBA Research

Zielgruppe: Alle Interessierten, kein elektrotechnisches Vorwissen notwendig Schwerpunkt: strategisch Abstract ********** In diesem Vortrag gibt es einen Einblick wie man das Stromnetz durch Cyber-Angriffe lahmlegt, ganz ohne Smart-Grid-Funktionalität. Wir sprechen über das Management von Stromnetzen, optimale Strategien für den Angriff, warum Bitcoin und Ethereum nützlich sind oder auch schon einmal die Uhren um sieben Minuten nachgehen. About the Speaker: ********************* Johanna Ullrich is key researcher at SBA Research and leads the Networks and Critical Infrastructures Security Research Group. Johanna received an BSc in Electrical Engineering and Information Technology, an MSc in Automation Engineering, and an PhD sub auspiciis praesidentis in Computer Science being among the top students of Austria. In addition, she was awarded the Research Prize of the Dr. Maria Schaumayer Foundation and was nominated for the Hedy Lamarr Prize 2019 by the Austrian Research Promotion Agency (FFG). Johanna teaches graduate courses at University of Applied Sciences Wiener Neustadt, FH Technikum Wien as well as FH Campus Wien.

SBA Live Academy - Angriffe gegen das Stromnetz – Wenn der Strom nicht mehr a...

SBA Research

Zielgruppe: Personen die an Angriffsszenarien gegen IoT-Geräte und eingebettete Systeme interessiert sind Schwerpunkt: technisch Sprache: Deutsch Abstract: ********** Dieser Vortrag gibt einen Einblick in physische Angriffe gegen IoT-Geräte und eingebettete Systeme. Mögliche Angriffe sowie Gegenmaßnahmen werden im Überblick präsentiert. About the Speaker: ********************* Christian Kudera is researcher and security analyst at SBA Research. Christian received an MSc in Hardware & Software Security from TU Wien. Currently he is working towards his PhD degree with the focus on Internet of Things and embedded systems security. He has more than six years of experience as security analyst in the areas of hardware and software security. He teaches multiple courses at TU Wien (Internet Security, Advanced Internet Security) and at Universities of Applied Sciences (Rosenheim Technical University of Applied Sciences, FH Campus Wien, FH St. Pölten).

SBA Live Academy - Physical Attacks against (I)IoT-Devices, Embedded Devices,...

SBA Research

Target Group: Anyone interested in resilience and cyber security Focus: organizational Talk language: English Abstract ********* "Cyber Resilience – Failure is not an option" This lecture is dedicated to the topic of cyber-resilience and presents the basics and the differentiation from cyber-security as well as current standards and best practices. About the Speaker: ********************* Simon Tjoa is professor at St. Pölten University of Applied Sciences and has worked for 15 years in the information security domain. He is the academic director of the master programs Information Security and Applied Research and Innovation in Computer Science. Before joining St. Pölten University of Applied Sciences, he worked as security consultant and research at various organizations. He received his doctoral degree in informatics from University of Vienna. His research interests include critical infrastructure protection, digital forensics, cyber resilience and business process security. He is program committee and organizing committee member of several security related international workshops and conferences. Furthermore, he currently serves as secretary of IEEE SMC Austria Chapter and holds professional security certifications such as AMBCI, CISA or CISM.

SBA Live Academy: Cyber Resilience - Failure is not an option by Simon Tjoa

SBA Research

Zielgruppe: “Neigungsgruppe Datenschutz”, Datenschutzverantwortliche etc, “Alle” Schwerpunkt: Grundlagen/Hintergrund/Awareness Sprache: Deutsch Abstract: ********* Wer hätte gedacht, dass Oracle einer der weltgrößten Datenhändler ist und etwa 2 Millionen Personenprofile mit tausenden personenbezogenen Attributen verwaltet? Wem ist bewusst, wie sich die Anwendung eines Personenprofils auswirken könnte? Wir alle kennen die DSGVO. Nicht jeder findet sie gut. Das Wissen darüber, warum es dennoch wichtig war, eine verbindliche und in Europa weitgehend einheitliche Rechtsgrundlage für die kommerzielle Vewendung von Daten zu erlassen, ist – abgesehen von Buzzwords wie Facebook und Cambridge Analytica – wenig verbreitet. About the Speaker: ********************* Gerald Sendera is Data Protection Supervisor and Legal Counsel for SBA Research. His consulting activities are focused on data protection management and GDPR-compliance, in which he combines legal knowledge with hands-on experience in information technology. Gerald graduated in law at the University of Vienna (Mag.iur) in 2001 and has been working in IT since 2004 in different functions. During his career he completed technical certification trainings for vendor solutions such as Avaya, Cisco or Oracle. He is CIS-certified “Data Protection Officer” and was awarded the “Privacy Professional” certification at Sigmund Freud University Vienna’s Training Academy.

SBA Live Academy: Datenschutz Teil 1: Wozu Datenschutzgesetze? by Gerald Sendera

SBA Research

Target Audience: Everyone involved in software development (developers and team leaders in software-oriented companies) Focus: technical Talk language: English Abstract ********** Single Page Application frameworks have brought us a boost in clean application architecture and also security, mainly because of a better separation of concerns. But using an SPA framework alone does not automatically get you bullet-proof security. There is still a lot to look out for, and, for example, XSS is not a fully solved problem yet. In this talk, we’ll explore the most important security pitfalls SPA frameworks and how to solve them. We’ll also compare some of the security features of the most common SPA frameworks Angular, React and Vue.js. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: A Primer in Single Page Application Security by Thomas Konrad

SBA Research

Target Audience: Everyone involved in software development (developers, team leaders, CISOs in software-oriented companies) Focus: technical Talk language: English Abstract ********* Let’s face it: There is no such thing as a big-bang launch any more. We all want to be agile and react quickly to the wishes and demands of our customers in software development. The downside of this approach is that security has a hard time keeping pace, thereby often being completely neglected. That’s why we need to bridge the gap between security and agility. In this talk, we’ll have a look at how security can become an integral part of the development process, and more than just a penetration test at the end. We’ll see how we can overcome immediate pain and get strategic focus in software security. About the Speaker: ********************* Thomas Konrad is Principal Security Consultant at SBA Research and has been part of software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture, and process, and trains software development teams in those areas.

SBA Live Academy: Software Security – Towards a Mature Lifecycle and DevSecOp...

SBA Research

Mais de SBA Research (20)