SlideShare uma empresa Scribd logo

Software Supply Chain Security та компоненти з відомими вразливостями

OWASP Kyiv
OWASP Kyiv

This document discusses using components with known vulnerabilities and provides recommendations and tools to address this issue. It begins with an overview of the OWASP top 10 issue of using vulnerable components and provides examples using the NodeJS decompress package and Ruby on Rails rubyzip gem. It then recommends regularly scanning for vulnerabilities, subscribing to security bulletins, and keeping components up-to-date. Finally, it introduces several open source tools for detecting vulnerable components, such as OWASP Dependency-Check and Dependency-Track, as well as standards for application security verification.

Tecnologia
1 de 21
Software Supply Chain Security A9: Using Components with Known Vulnerabilities
Agenda • OWASP Top 10. 2017. A9. Using Components with Known Vulnerabilities • Example 1. NodeJS + decompress npm package • Example 2. Ruby on Rails + rubyzip gem • Recommendations and tools • Q&A
Is the Application Vulnerable? • You do not know the versions of all components you use • Software is vulnerable, unsupported, or out of date • You do not scan for vulnerabilities regularly • You do not subscribe to security bulletins • You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion • Developers do not test the compatibility of updated, upgraded, or patched libraries • you do not secure the components’ configurations (OWASP Top-10 A6:2017-Security Misconfiguration)
Example 1. NodeJS + decompress npm package
Example 1. NodeJS + decompress npm package
Example 1. NodeJS + decompress npm package
Example 1. NodeJS + decompress npm package
Example 2. Ruby on Rails + rubyzip gem
Example 2. Ruby on Rails + rubyzip gem
Example 2. Ruby on Rails + rubyzip gem
SAMM 2.0
OWASP Application Security Verification Standard
Tools • npm audit • Retire.js • Vulners agent/nmap/nessus/etc. • OWASP Dependency-Check • OWASP Dependency-Track
OWASP Dependency-Check • https://owasp.org/www-project-dependency-check/ • Version 5.3.2 • Command Line • Ant Task • Maven Plugin • Gradle Plugin • Jenkins/SBT/Leiningen Plugin
OWASP Dependency-Track • 3.8.0 • Intelligent Supply Chain Component Analysis platform • Open Source • Dashboard • API and Integration
OWASP Dependency-Track
Links https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/ https://owasp.org/www-project-dependency-check/ https://owasp.org/www-project-dependency-track/ https://owasp.org/www-project-application-security-verification- standard/ https://owasp.org/www-project-samm/
Q&A

Recomendados

WAF In DevOps DevOpsFusion2019
WAF In DevOps DevOpsFusion2019WAF In DevOps DevOpsFusion2019
WAF In DevOps DevOpsFusion2019Franziska Buehler
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAarno Aukia
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)Guy Podjarny
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Melbourne meetup march 2018
Melbourne meetup march 2018Melbourne meetup march 2018
Melbourne meetup march 2018Michael Hyatt
 

Recomendados

WAF In DevOps DevOpsFusion2019
WAF In DevOps DevOpsFusion2019WAF In DevOps DevOpsFusion2019
WAF In DevOps DevOpsFusion2019Franziska Buehler
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAarno Aukia
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsAmazon Web Services
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)Third Party Performance (Velocity, 2014)
Third Party Performance (Velocity, 2014)Guy Podjarny
 
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”wannabe Cyberpunk; “I don’t know what I’m supposed to do.”
wannabe Cyberpunk; “I don’t know what I’m supposed to do.”Moshiul Islam, CISSP, CISA, CFE
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Melbourne meetup march 2018
Melbourne meetup march 2018Melbourne meetup march 2018
Melbourne meetup march 2018Michael Hyatt
 
DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsTushar Gupta
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineGene Gotimer
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsCheah Eng Soon
 
DevSecOps OWASP
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASPPriyanka Raghavan
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full StackRon Nixon
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConStephen de Vries
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectGene Gotimer
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019NotSoSecure Global Services
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsWhiteSource
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test Automation[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test AutomationFuture Processing
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldKarun Chennuri
 
Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDNebulaworks
 
The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing ProcessSynerzip
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 

Mais conteúdo relacionado

Mais procurados

DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & NowCheckmarx
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsTushar Gupta
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineGene Gotimer
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachVMware Tanzu
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full StackRon Nixon
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConStephen de Vries
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missingGene Gotimer
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectGene Gotimer
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsWhiteSource
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for DevelopersMichael Boelen
 
[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test Automation[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test AutomationFuture Processing
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldKarun Chennuri
 
Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDNebulaworks
 

Mais procurados (20)

DevOps & Security: Here & Now
DevOps & Security: Here & NowDevOps & Security: Here & Now
DevOps & Security: Here & Now
 
Automating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOpsAutomating Security Compliance on AWS with DevSecOps
Automating Security Compliance on AWS with DevSecOps
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 
Open Source Security Tools for the Pipeline
Open Source Security Tools for the PipelineOpen Source Security Tools for the Pipeline
Open Source Security Tools for the Pipeline
 
Security as Code: A DevSecOps Approach
Security as Code: A DevSecOps ApproachSecurity as Code: A DevSecOps Approach
Security as Code: A DevSecOps Approach
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
DevSecOps OWASP
DevSecOps OWASPDevSecOps OWASP
DevSecOps OWASP
 
DevSecOps for you Full Stack
DevSecOps for you Full StackDevSecOps for you Full Stack
DevSecOps for you Full Stack
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
 
DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...DevSecCon London 2017: Hands-on secure software development from design to de...
DevSecCon London 2017: Hands-on secure software development from design to de...
 
Continuous Security Testing - DevSecCon
Continuous Security Testing - DevSecConContinuous Security Testing - DevSecCon
Continuous Security Testing - DevSecCon
 
Tests your pipeline might be missing
Tests your pipeline might be missingTests your pipeline might be missing
Tests your pipeline might be missing
 
Experiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD ProjectExperiences Bringing CD to a DoD Project
Experiences Bringing CD to a DoD Project
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019DevSecOps: What Why and How : Blackhat 2019
DevSecOps: What Why and How : Blackhat 2019
 
The Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOpsThe Challenges of Scaling DevSecOps
The Challenges of Scaling DevSecOps
 
Linux Security for Developers
Linux Security for DevelopersLinux Security for Developers
Linux Security for Developers
 
[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test Automation[QE 2018] Marek Puchalski – Web Application Security Test Automation
[QE 2018] Marek Puchalski – Web Application Security Test Automation
 
What it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps WorldWhat it feels like to live in a Security Enabled DevOps World
What it feels like to live in a Security Enabled DevOps World
 
Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CD
 

Semelhante a Software Supply Chain Security та компоненти з відомими вразливостями

The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing ProcessSynerzip
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauroMatt Tesauro
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Amazon Web Services
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owaspHelen Bravo
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Amazon Web Services
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Achim D. Brucker
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionSergey Sotnikov
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)NGINX, Inc.
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevOps Indonesia
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)NGINX, Inc.
 
Maven 3 Overview
Maven 3 OverviewMaven 3 Overview
Maven 3 OverviewMike Ensor
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxJosh Grossman
 

Semelhante a Software Supply Chain Security та компоненти з відомими вразливостями (20)

The QA/Testing Process
The QA/Testing ProcessThe QA/Testing Process
The QA/Testing Process
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Making security-agile matt-tesauro
Making security-agile matt-tesauroMaking security-agile matt-tesauro
Making security-agile matt-tesauro
 
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
Using Amazon Inspector to Discover Potential Security Issues - AWS Online Tec...
 
Dev opsandsecurity owasp
Dev opsandsecurity owaspDev opsandsecurity owasp
Dev opsandsecurity owasp
 
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
Security and DevOps: Agility and Teamwork - SID315 - re:Invent 2017
 
Agile AppSec DevOps
Agile AppSec DevOpsAgile AppSec DevOps
Agile AppSec DevOps
 
Devops as a service
Devops as a serviceDevops as a service
Devops as a service
 
Keeping up with PHP
Keeping up with PHPKeeping up with PHP
Keeping up with PHP
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set - EMEA (Updated)
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSourceDevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
 
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
ModSecurity and NGINX: Tuning the OWASP Core Rule Set (Updated)
 
Maven 3 Overview
Maven 3 OverviewMaven 3 Overview
Maven 3 Overview
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
AppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptxAppSec DC 2019 ASVS 4.0 Final.pptx
AppSec DC 2019 ASVS 4.0 Final.pptx
 

Mais de OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...OWASP Kyiv
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonOWASP Kyiv
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...OWASP Kyiv
 
Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101OWASP Kyiv
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityOWASP Kyiv
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushOWASP Kyiv
 
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL PinningOWASP Kyiv
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingOWASP Kyiv
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?OWASP Kyiv
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansOWASP Kyiv
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceOWASP Kyiv
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSocketsOWASP Kyiv
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017OWASP Kyiv
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorOWASP Kyiv
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsOWASP Kyiv
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveOWASP Kyiv
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationOWASP Kyiv
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSOWASP Kyiv
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersOWASP Kyiv
 

Mais de OWASP Kyiv (20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
 
Threat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat DragonThreat Modeling with OWASP Threat Dragon
Threat Modeling with OWASP Threat Dragon
 
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...
 
Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101Vlad Styran - Cyber Security Economics 101
Vlad Styran - Cyber Security Economics 101
 
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in SecurityPavlo Radchuk - OWASP SAMM: Understanding Agile in Security
Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security
 
Ivan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git PushIvan Vyshnevskyi - Not So Quiet Git Push
Ivan Vyshnevskyi - Not So Quiet Git Push
 
Dima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL PinningDima Kovalenko - Modern SSL Pinning
Dima Kovalenko - Modern SSL Pinning
 
Yevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth PhishingYevhen Teleshyk - OAuth Phishing
Yevhen Teleshyk - OAuth Phishing
 
Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?Vlada Kulish - Why So Serial?
Vlada Kulish - Why So Serial?
 
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 PlansVlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans
 
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand ExperienceRoman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience
 
Ihor Bliumental - WebSockets
Ihor Bliumental - WebSocketsIhor Bliumental - WebSockets
Ihor Bliumental - WebSockets
 
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017
 
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factorViktor Zhora - Cyber and Geopolitics: Ukrainian factor
Viktor Zhora - Cyber and Geopolitics: Ukrainian factor
 
Andriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tipsAndriy Shalaenko - GO security tips
Andriy Shalaenko - GO security tips
 
Vlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All LoveVlad Styran - "Hidden" Features of the Tools We All Love
Vlad Styran - "Hidden" Features of the Tools We All Love
 
Volodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya InvestigationVolodymyr Ilibman - Close Look at Nyetya Investigation
Volodymyr Ilibman - Close Look at Nyetya Investigation
 
Ihor Bliumental - Collision CORS
Ihor Bliumental - Collision CORSIhor Bliumental - Collision CORS
Ihor Bliumental - Collision CORS
 
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web DevelopersLidiia 'Alice' Skalytska - Security Checklist for Web Developers
Lidiia 'Alice' Skalytska - Security Checklist for Web Developers
 

Último

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Último (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Software Supply Chain Security та компоненти з відомими вразливостями