Tatar Balazs Janos
@tatarbj
Works with Drupal since 2007
CTO @ Petend
Drupal Security Correspondent @ European Commission
Provisional member @ Drupal Security Team
SecOSdreamer @ Secure Open Source days (SecOSdays)
Active mentor @ Mentoring community group
TATAR BALAZS JANOS
@tatarbj
WHO AM I?
A bug’s life
Security awareness at work
Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
SECURITY AWARENESS
Security measures at our work place
• Programs to educate employees
• DevSecOps
• Individual responsibilities for company security policies
• Measures to audit these efforts
Source: http://www.bugs.org/dream/teachers/index.html
ORGANISATIONAL STRUCTURES
Enterprise level
• Top-down approach
• Creating security policies
• Assessing your company’s vulnerabilities
• Investing in security technologies
Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
EASY-TO-IMPLEMENT STEPS
Hints for small businesses
• Use different forms of media to reinforce the message
• Highlight recent attacks in the news
• Seek the services of a professional
Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
Security issues are bugs with different severity and business impact.
THE BUG
Programming malfunction
• Authentication / Authorization / Data confidentiality / Data integrity
• No blaming game!
Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
The Eggs
Planning and Security by Design
Source: https://pixabay.com/vectors/search/ant/
PLANNING PHASE
At the start of every IT project
• Budgeting issues
• Continuous education
• Iterative approach
Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
THINKING EVIL™
Method by Andrew van der Stock
Is the process surrounding this feature as safe as possible?
In other words, is this a flawed process?
If I were evil, how would I abuse this feature?
Is the feature required to be on by default?
If so, are there limits or options that could help reduce the risk from this feature?
SECURITY PRINCIPLES I.
First and second parties
• Minimize attack surface area
• Establish secure defaults
• Least privilege
• Defense in depth
• Fail securely
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
SECURITY PRINCIPLES II.
Third parties
• Don’t trust services
• Separation of duties
• Avoid security by obscurity
• Keep security simple
• Fix security issues correctly
Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
The Caterpillar
Development iterations until the first release
Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
Stakeholders’ knowledge of basic principles and how they may be implemented in a software product is vital to software security.
THE BASIC SKILLS
The secure mind-set
• Protection from disclosure/alteration/destruction
• Rights and privileges belonging to the requester
• Ability to build historical evidence
• Management of configuration, sessions and errors/exceptions
Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
APPLICATION LEVEL SECURITY
Protection of your application
• Sanitize inputs on both the client side and the server side
• Verify file upload functionality
• Use only current encryption and hashing algorithms
• Check the randomness of session identifiers
• Make sure third-party libraries are secure
• Set a strong password policy
Source: https://www.pinterest.com/pin/67554063138904545
INFRASTRUCTURE LEVEL SECURITY
Protection of your host
• Use HTTPS for domain entries
• Do not allow directory listing
• Use TLS, not SSL
• Hide web server information
Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
WEB SECURITY PRACTICES
Protection of your users
• Encode requests and responses
• Do not store sensitive data inside cookies
• Set the Secure and HttpOnly flags on cookies
• Do not store sensitive information in a form’s hidden fields
• Set secure response headers
Source: https://www.pexels.com/photo/bee-hiding-1244184/
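The cookie and header points on this slide, together with the host-level ones on the previous slide (HTTPS and hidden server information), can be checked mechanically against a captured response. The checker below is an added example, not code from the slides; the two responses are constructed, and the set of response headers it requires is a common baseline chosen here, not a list from the slides.

```python
"""Check a captured HTTP response against the cookie and header hygiene points above."""
import re

# Security headers every response should carry, with the value shape expected.
REQUIRED_HEADERS = {
    "strict-transport-security": re.compile(r"max-age=\d+", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "content-security-policy": re.compile(r"\S"),
}
# Headers that advertise server software; a version number in them is a finding.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-generator")
# Heuristic: cookie names that suggest sensitive data is being kept client-side.
SENSITIVE_COOKIE_NAME = re.compile(r"pass|secret|card|ssn|email", re.I)


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_response(raw):
    """Return a list of findings; an empty list means every check passed."""
    _, headers = parse_response_head(raw)
    present = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)
    findings = []

    # Cookie flags (Secure, HttpOnly) and cookie contents.
    for cookie in present.get("set-cookie", []):
        name_value, *attrs = [p.strip() for p in cookie.split(";")]
        name = name_value.split("=", 1)[0]
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        if "secure" not in flags:
            findings.append(f"cookie {name}: missing Secure flag")
        if "httponly" not in flags:
            findings.append(f"cookie {name}: missing HttpOnly flag")
        if SENSITIVE_COOKIE_NAME.search(name):
            findings.append(f"cookie {name}: name suggests sensitive data stored client-side")

    # Web server information leakage.
    for name in DISCLOSURE_HEADERS:
        for value in present.get(name, []):
            if re.search(r"\d", value):
                findings.append(f"{name} header discloses a software version: {value}")

    # Secure response headers.
    for name, pattern in REQUIRED_HEADERS.items():
        values = present.get(name)
        if not values:
            findings.append(f"missing {name} header")
        elif not any(pattern.search(v) for v in values):
            findings.append(f"{name} header has a weak value: {values[0]}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Set-Cookie: SESSabc123=9f8e7d; Path=/\r\n"
    "Set-Cookie: user_email=alice%40example.com; Path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SSESSabc123=9f8e7d; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(raw)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```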
The Chrysalis
First releases of the application
Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
VULNERABILITY ASSESSMENT
A forest of false-positive issues
• Environmental conditions
• Scanning of the application / infrastructure
• Iterative approach to improve findings
• Asset management
Source: https://99px.ru/avatari_vkontakte/10916/
SECURITY ASSESSMENT
VA + manual verification
• Looking to gain broad coverage of the systems under test
• No exploitation of vulnerabilities
• Verification by authorized access
• Examining logs, system responses, error messages, code, etc.
Source: https://masterok.livejournal.com/4202997.html
Penetration tests simulate attacks by malicious parties.
SECURITY AUDIT
VA + SA + Pentest
• Driven by a risk function to look at specific compliance issues
• Combination of different approaches
• Characterized by a narrow scope
Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
SECURITY REVIEW
Something other than the above
• Verification that industry or internal security standards have been applied
• Gap analysis, review of design documents and architecture diagrams
• Activity that does not use any of the VA, SA, pentest or security audit approaches
Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
The Butterfly
Maintenance releases and activities
Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
The three pillars
Information security
Confidentiality: only allow access to data for which the user is permitted
Integrity: ensure data is not tampered with or altered by unauthorized users
Availability: ensure systems and data are available to authorized users when they need them
VULNERABILITY MANAGEMENT
Iterative identification
• Evolutive and corrective maintenance
• Detection
• Reporting
• Remediation
• Necessary mitigation vs. what-if cases
Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
TRUSTED SOURCES
Monitor regularly
• Vendors, third-party providers
• National Vulnerability Database (NVD)
• Common Vulnerabilities and Exposures (CVE)
• ... and the Drupal Security Team!
Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
Drupal Vulnerability Management
The tale behind the codes
WHO AND HOW?
Difficulties and authentication
• Access complexity
  • None (AC:N)
  • Basic (AC:B)
  • Complex (AC:C)
• Authentication
  • None (A:N)
  • User (A:U)
  • Admin (A:A)
Source: https://mymodernmet.com/adam-gor-butterfly-photography/
THE PILLARS OF INFORMATION SECURITY
The measurable elements
• Confidentiality impact
  • All (CI:A)
  • Some (CI:S)
  • None (CI:N)
• Integrity impact
  • All (II:A)
  • Some (II:S)
  • None (II:N)
Availability impact is out of the scope of Drupal VM.
Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
CONDITIONS OF THE SURFACE
How does the application have to behave?
• Exploit (zero-day impact)
  • Exploit (E:E)
  • Proof (E:P)
  • Theoretical (E:T)
• Target distribution
  • All (TD:A)
  • Default (TD:D)
  • Uncommon (TD:U)
Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
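The six metrics on the last three slides (AC, A, CI, II, E, TD) are the ones the Drupal Security Team adds up into the risk score printed on every advisory. The scorer below is an added example, not code from the slides or from the Security Team; the per-value weights and the five risk bands are the ones published on the team's "Security risk levels defined" page, the function names are mine, and the sample vectors are constructed rather than taken from real advisories.

```python
"""Score Drupal Security Team risk vectors such as AC:N/A:N/CI:A/II:A/E:T/TD:A."""

# Points per metric value, as published by the Drupal Security Team. The slides
# name the values; the weights come from the team's "Security risk levels defined" page.
WEIGHTS = {
    "AC": {"N": 4, "B": 2, "C": 1},  # access complexity: none / basic / complex
    "A":  {"N": 4, "U": 2, "A": 1},  # authentication: none / user / admin
    "CI": {"A": 5, "S": 3, "N": 0},  # confidentiality impact: all / some / none
    "II": {"A": 5, "S": 3, "N": 0},  # integrity impact: all / some / none
    "E":  {"E": 3, "P": 2, "T": 1},  # zero-day impact: exploit / proof / theoretical
    "TD": {"A": 4, "D": 3, "U": 1},  # target distribution: all / default / uncommon
}
MAX_SCORE = sum(max(values.values()) for values in WEIGHTS.values())  # 25

# Inclusive upper bound of each band and its label.
RISK_BANDS = [
    (4, "Not critical"),
    (9, "Less critical"),
    (14, "Moderately critical"),
    (19, "Critical"),
    (MAX_SCORE, "Highly critical"),
]


def parse_vector(vector):
    """Parse 'AC:N/A:N/...' or the long form 'AC:None/A:None/...' into {metric: code}.

    Every long-form value (None, Basic, Complex, User, Admin, All, Some, Exploit,
    Proof, Theoretical, Default, Uncommon) starts with its short code letter, so
    the first character of the value is enough. Raises ValueError on unknown
    metrics or values, duplicated metrics, or a missing metric.
    """
    parsed = {}
    for part in vector.strip().split("/"):
        metric, sep, value = part.partition(":")
        metric, value = metric.strip().upper(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed component: {part!r}")
        if metric not in WEIGHTS:
            raise ValueError(f"unknown metric: {metric}")
        if metric in parsed:
            raise ValueError(f"duplicate metric: {metric}")
        code = value[0].upper()
        if code not in WEIGHTS[metric]:
            raise ValueError(f"unknown value {value!r} for {metric}")
        parsed[metric] = code
    missing = set(WEIGHTS) - set(parsed)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return parsed


def is_valid_vector(vector):
    """True when the vector parses; handy for validating advisory metadata in bulk."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def score_vector(vector):
    """Return the total points (the lowest possible vector scores 4, the highest 25)."""
    return sum(WEIGHTS[metric][code] for metric, code in parse_vector(vector).items())


def risk_level(points):
    """Map a point total onto the Security Team's five risk bands."""
    if not 0 <= points <= MAX_SCORE:
        raise ValueError(f"score out of range: {points}")
    for upper, label in RISK_BANDS:
        if points <= upper:
            return label


def assess(vector):
    """Return (points, label), e.g. (23, 'Highly critical')."""
    points = score_vector(vector)
    return points, risk_level(points)


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    for sample in (
        "AC:N/A:N/CI:A/II:A/E:T/TD:A",  # unauthenticated, full confidentiality and integrity impact
        "AC:B/A:U/CI:S/II:N/E:T/TD:D",  # user-level access bypass in a default configuration
        "AC:C/A:A/CI:N/II:S/E:T/TD:U",  # admin-only issue in an uncommon configuration
    ):
        points, label = assess(sample)
        print(f"{sample:32} {points:2}/{MAX_SCORE}  {label}")
```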
SecOSdays
25-26 October 2019 – Sofia, Bulgaria
https://secosday.eu
Call for Sessions and Sponsors are open!
In 100 days!!!
Questions?
Thank you!

 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Último (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

A bug's life - Decoupled Drupal Security and Vulnerability Management

  • 1.
  • 2. WHO AM I?
    Tatar Balazs Janos @tatarbj
    Works with Drupal since 2007
    CTO @ Petend
    Drupal Security Correspondent @ European Commission
    Provisional member @ Drupal Security Team
    SecOSdreamer @ Secure Open Source days (SecOSdays)
    Active mentor @ Mentoring community group
    TATAR BALAZS JANOS @tatarbj
  • 3. A bug’s life
    Security awareness at work
    Source: https://www.kisspng.com/png-flik-ant-insect-atta-the-walt-disney-company-bug-s-2727501/
  • 4. SECURITY AWARENESS
    Security measures at our workplace
    • Programs to educate employees
    • DevSecOps
    • Individual responsibilities for company security policies
    • Measures to audit these efforts
    Source: http://www.bugs.org/dream/teachers/index.html
  • 5. ORGANISATIONAL STRUCTURES
    Enterprise level
    • Top-down approach
    • Creating security policies
    • Assessing your company’s vulnerabilities
    • Investing in security technologies
    Source: https://blog.ferrovial.com/en/2016/11/what-have-ants-taught-architecture/
  • 6. EASY-TO-IMPLEMENT STEPS
    Hints for small businesses
    • Use different forms of media to reinforce the message
    • Highlight recent attacks in the news
    • Seek the services of a professional
    Source: https://cheezburger.com/7113430784/cnn-has-some-strange-reporters
  • 7. Security issues are bugs with different severity and business impact.
  • 8. THE BUG
    Programming malfunction
    • Authentication / Authorization / Data confidentiality / Data integrity
    • No blaming game!
    Source: https://www.welcomewildlife.com/true-bugs-the-good-the-bad-the-ugly/
  • 9. The Eggs
    Planning and Security by Design
    Source: https://pixabay.com/vectors/search/ant/
  • 10. PLANNING PHASE
    At the start of every IT project
    • Budgeting issues
    • Continuous education
    • Iterative approach
    Source: https://www.wired.com/2014/11/harvester-ants-randomly-move-their-nests/
  • 11. THINKING EVIL™
    Method by Andrew van der Stock
  • 12. Is the process surrounding this feature as safe as possible? In other words, is this a flawed process?
  • 13. If I were evil, how would I abuse this feature?
  • 14. Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature?
  • 15. SECURITY PRINCIPLES I.
    First and second parties
    • Minimize attack surface area
    • Establish secure defaults
    • Least privilege
    • Defense in depth
    • Fail securely
    Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  • 16. SECURITY PRINCIPLES II.
    Third parties
    • Don’t trust services
    • Separation of duties
    • Avoid security by obscurity
    • Keep security simple
    • Fix security issues correctly
    Source: https://www.twincities.com/2015/06/21/catch-bugs-for-scientists-to-study-at-interstate-state-park/
  • 17. The Caterpillar
    Development iterations until the first release
    Source: https://www.stickpng.com/img/animals/insects/caterpillars/caterpillar-clipart
  • 18. Stakeholders’ knowledge of basic principles, and of how they may be implemented in a software product, is vital to software security.
  • 19. THE BASIC SKILLS
    The secure mind-set
    • Protection from disclosure / alteration / destruction
    • Rights and privileges belonging to the requester
    • Ability to build historical evidence
    • Management of configuration, sessions and errors/exceptions
    Source: https://species.wikimedia.org/wiki/Coccinella_septempunctata
  • 20. APPLICATION LEVEL SECURITY
    Protection of your application
    • Sanitize inputs on both the client side and the server side
    • Verify file upload functionality
    • Use only current encryption and hashing algorithms
    • Check the randomness of the session
    • Make sure third-party libraries are secured
    • Set a strong password policy
    Source: https://www.pinterest.com/pin/67554063138904545
  • 21. INFRASTRUCTURE LEVEL SECURITY
    Protection of your host
    • Use HTTPS for domain entries
    • Do not allow directory listing
    • Use TLS, not SSL
    • Hide web server information
    Source: https://www.vice.com/en_us/article/d7ezaq/what-would-happen-if-all-the-bees-died-tomorrow
  • 22. WEB SECURITY PRACTICES
    Protection of your users
    • Encode request/response
    • Do not store sensitive data inside cookies
    • Set the Secure and HttpOnly flags on cookies
    • Do not store sensitive information in a form’s hidden fields
    • Set secure response headers
    Source: https://www.pexels.com/photo/bee-hiding-1244184/
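As an added example (not part of the original deck), the following Python script checks a captured HTTP response against the host and user-protection bullets of slides 21 and 22: a version-leaking Server header, cookies without the Secure/HttpOnly flags, and a set of response headers that this example assumes as the "secure response headers" the slide asks for. The sample response is constructed.

```python
"""Checklist scanner for the host and user-protection bullets on slides 21
and 22. Added example, not from the deck. Which 'secure response headers'
to expect (HSTS, X-Content-Type-Options, X-Frame-Options, CSP) is this
example's own assumption; the deck only says to set them."""
from typing import List, Tuple

# Minimum set of "secure response headers" this example expects (assumed).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "content-security-policy",
)

# Constructed sample response: a version-leaking Server header, a session
# cookie without Secure, and a second cookie without Secure or HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSabc123=deadbeef; Path=/; HttpOnly\r\n"
    "Set-Cookie: has_js=1; Path=/\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs,
    keeping duplicates because Set-Cookie legitimately repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # ignore malformed header lines
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def cookie_findings(value: str) -> List[str]:
    """Report which of the Secure / HttpOnly flags a Set-Cookie value lacks."""
    name = value.split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in value.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name!r} is missing the Secure flag")
    if "httponly" not in attrs:
        findings.append(f"cookie {name!r} is missing the HttpOnly flag")
    return findings

def check_response(raw: str) -> List[str]:
    """Return the checklist violations found in one raw HTTP response."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings: List[str] = []
    for name, value in headers:
        # Slide 21: hide web server information (a version string leaks it).
        if name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"Server header leaks version: {value!r}")
        # Slide 22: Secure and HttpOnly flags on every cookie.
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    # Slide 22: secure response headers (list assumed above).
    for expected in EXPECTED_HEADERS:
        if expected not in present:
            findings.append(f"missing response header {expected}")
    return findings
```

Running `check_response(SAMPLE_RESPONSE)` yields seven findings for the constructed sample; a response that sets every expected header, flags both cookies and strips the version from Server yields none.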
  • 23. The Chrysalis
    First releases of the application
    Source: https://www.nicepng.com/ourpic/u2e6a9o0y3u2y3e6_becoming-a-chrysalis-butterfly-caterpillar-monarch-i-ytimg/
  • 24. VULNERABILITY ASSESSMENT
    Forest of the false positive issues
    • Environmental conditions
    • Scanning of the application / infrastructure
    • Iterative approach to improve findings
    • Asset management
    Source: https://99px.ru/avatari_vkontakte/10916/
  • 25. SECURITY ASSESSMENT
    VA + manual verification
    • Looking to gain a broad coverage of the systems under test
    • No exploitation of vulnerabilities
    • Verification by authorized access
    • Examining logs, system responses, error messages, code, etc.
    Source: https://masterok.livejournal.com/4202997.html
  • 26. Penetration tests simulate attacks by malicious parties.
  • 27. SECURITY AUDIT
    VA + SA + Pentest
    • Driven by a risk function to look at specific compliance issues
    • Combination of different approaches
    • Characterized by a narrow scope
    Source: https://ccsenvironmental.uk/weird-and-funny-facts-about-insects-and-bugs/
  • 28. SECURITY REVIEW
    And something other than the above
    • Verification that industry or internal security standards have been applied
    • Gap analysis, review of design documents and architecture diagrams
    • Activity that does not utilize any of the VA, SA, Pentest or Security audit approaches
    Source: https://www.britishbugs.org.uk/heteroptera/Pentatomidae/pentotoma_rufipes.html
  • 29. The Butterfly
    Maintenance releases and activities
    Source: https://www.pngkey.com/detail/u2q8w7a9o0q8e6u2_monarch-butterfly-transparent-background/
  • 30. The three pillars
    Information security
  • 31. Confidentiality: only allow access to data for which the user is permitted
  • 32. Integrity: ensure data is not tampered with or altered by unauthorized users
  • 33. Availability: ensure systems and data are available to authorized users when they need them
  • 34. VULNERABILITY MANAGEMENT
    Iterative identification
    • Evolutive and corrective maintenance
    • Detection
    • Reporting
    • Remediation
    • Necessary mitigation vs. what-if cases
    Source: https://www.thoughtco.com/fascinating-facts-about-ladybugs-1968120
  • 35. TRUSTED SOURCES
    Monitor regularly
    • Vendors, third-party providers
    • National Vulnerability Database (NVD)
    • Common Vulnerabilities and Exposures (CVE)
    • ... and the Drupal Security Team!
    Source: https://blogs.iadb.org/sostenibilidad/en/the-fight-of-the-butterfly-restoring-haitis-native-species/
  • 36. Drupal Vulnerability Management
    The tale behind the codes
  • 37. WHO AND HOW?
    Difficulties and authentication
    • Access complexity
      • None (AC:N)
      • Basic (AC:B)
      • Complex (AC:C)
    • Authentication
      • None (A:N)
      • User (A:U)
      • Admin (A:A)
    Source: https://mymodernmet.com/adam-gor-butterfly-photography/
  • 38. THE PILLARS OF INFORMATION SECURITY
    The measurable elements
    • Confidentiality impact
      • All (CI:A)
      • Some (CI:S)
      • None (CI:N)
    • Integrity impact
      • All (II:A)
      • Some (II:S)
      • None (II:N)
    Source: http://www.fanpop.com/clubs/butterflies/images/9481952/title/beautiful-butterflies-wallpaper
  • 39. Availability impact is out of the scope of Drupal VM.
  • 40. CONDITIONS OF THE SURFACE
    How does the application have to behave?
    • Exploit (zero-day impact)
      • Exploit (E:E)
      • Proof (E:P)
      • Theoretical (E:T)
    • Target distribution
      • All (TD:A)
      • Default (TD:D)
      • Uncommon (TD:U)
    Source: https://commons.wikimedia.org/wiki/File:Bill_in_Ash_Vegas_-_2_Butterflies_(by).jpg
  • 41. SecOSdays
    25-26 October 2019 – Sofia, Bulgaria
    https://secosday.eu
    Call for Sessions and Sponsors are open! In 100 days!!!
  • 43. Thank you!
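As an added example (not from the deck or the Drupal Security Team), this Python parser validates a risk vector built from the six metrics slides 37, 38 and 40 enumerate and rejects any metric outside them, which is how slide 39's exclusion of availability impact shows up in code. The slash-separated METRIC:VALUE notation, and accepting the full labels next to the one-letter codes, are this example's assumptions.

```python
"""Parser for the risk vector whose six metrics slides 37, 38 and 40 list
(AC, A, CI, II, E, TD). Added example, not from the deck or the Drupal
Security Team. Assumed format: slash-separated METRIC:VALUE pairs using
the one-letter codes from the slides; the full labels (e.g. 'Basic') are
accepted as well."""
from typing import Dict, Optional

# Allowed values per metric, exactly as the slides list them.
METRICS: Dict[str, Dict[str, str]] = {
    "AC": {"N": "None", "B": "Basic", "C": "Complex"},        # access complexity
    "A": {"N": "None", "U": "User", "A": "Admin"},            # authentication
    "CI": {"A": "All", "S": "Some", "N": "None"},             # confidentiality impact
    "II": {"A": "All", "S": "Some", "N": "None"},             # integrity impact
    "E": {"E": "Exploit", "P": "Proof", "T": "Theoretical"},  # exploit (zero-day impact)
    "TD": {"A": "All", "D": "Default", "U": "Uncommon"},      # target distribution
}

class RiskVectorError(ValueError):
    """Raised when a vector does not match the six slide-defined metrics."""

def _code_for(metric: str, value: str) -> Optional[str]:
    """Map a code ('B') or label ('Basic') to the code, or None if unknown."""
    table = METRICS[metric]
    wanted = value.strip().upper()
    if wanted in table:
        return wanted
    for code, label in table.items():
        if label.upper() == wanted:
            return code
    return None

def parse_risk_vector(vector: str) -> Dict[str, str]:
    """Parse 'AC:N/A:U/CI:S/II:S/E:T/TD:D' into {'AC': 'N', 'A': 'U', ...},
    requiring every metric exactly once with an allowed value."""
    parsed: Dict[str, str] = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise RiskVectorError(f"malformed component {part!r}")
        metric, value = part.split(":", 1)
        metric = metric.strip().upper()
        if metric not in METRICS:
            # Slide 39: availability impact is not a Drupal VM metric, so an
            # unknown metric (availability or otherwise) is rejected outright.
            raise RiskVectorError(f"unknown metric {metric!r}")
        code = _code_for(metric, value)
        if code is None:
            raise RiskVectorError(f"value {value!r} not allowed for {metric}")
        if metric in parsed:
            raise RiskVectorError(f"metric {metric} given twice")
        parsed[metric] = code
    missing = [m for m in METRICS if m not in parsed]
    if missing:
        raise RiskVectorError("missing metrics: " + ", ".join(missing))
    return parsed

def describe(vector: str) -> Dict[str, str]:
    """Expand each code into the label the slides use for it."""
    return {m: METRICS[m][c] for m, c in parse_risk_vector(vector).items()}

def unauthenticated_with_impact(vector: str) -> bool:
    """Triage helper: true when no authentication is needed (A:N) and the
    issue affects confidentiality or integrity (CI or II other than None)."""
    p = parse_risk_vector(vector)
    return p["A"] == "N" and (p["CI"] != "N" or p["II"] != "N")
```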

Editor's notes

  1. Each test is approached using a consistent and complete methodology, in a way that allows the tester to use their problem-solving abilities, the output from a range of tools and their own knowledge of networking and systems to find vulnerabilities that would or could not be identified by automated tools.