O2 Platform
Automating Security Knowledge through Unit Tests

WHAT IS O2? and the OWASP O2 PLATFORM




O2 is an:

OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS
... and when you start using it ...




... you will be able to do impossible things ...




and your clients will love you




O2 Quote, by David Campbell

" Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve.

The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits.

In a nutshell, the pentesting game has changed, and the O2 is the Swiss army knife you need to carry. "
Key message of this presentation

NO MORE PDFs WITH SECURITY FINDINGS
Other types of PDFs

• As bad as delivering a PDF is delivering Automated Tools results (Static Code Analysis, Website Scanners), which deliver tons of results/findings but have little context and few actionable steps.

• Any client deliverable that is not easily consumed by the end user (from developers to managers) is what I'm calling a 'PDF'.
SPEAKING DEVS LANGUAGE

• Delivering security knowledge inside a PDF is a massively inefficient workflow.

• The Client is going to spend more money trying to figure out what the PDF says and how to deal with it than they spent creating it (the PDF).

• The developers will struggle to reproduce the findings and, in most cases, will 'fix' the vulnerabilities by making the reported exploit stop working rather than by removing the underlying flaw.

• We need to speak the developer's language, leverage their knowledge and create two-way communication channels.
We need UnitTests

• UnitTests are the only 'language' we can speak that the developers will understand.

• Security-Driven Unit Tests will allow the developers to:
   • Reproduce Security Findings
   • Debug Security Exploits
   • Write Fixes and Confirm their non-exploitability
   • Use them as part of normal app QA/Testing
   • Ensure vulnerabilities are not re-introduced at a later stage

• There are lots of other advantages: better management reports, WAF rules, etc.
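As an added example (not part of the original deck and not O2 Platform code; O2 itself is a C# environment, Python is used here only to keep it short), this is what a Security-Driven Unit Test for a single finding can look like. The scenario is constructed: a page helper interpolates the user's display name into HTML without encoding. The vulnerable helper, the fixed helper and the sample inputs are all assumptions made for the illustration; the three tests map onto the list above (reproduce the finding, confirm the fix is not exploitable and keep it as a regression guard, and keep the fix inside normal QA).

```python
"""Security-Driven Unit Test for one constructed finding (added example).

Instead of a PDF page saying "display name is rendered unencoded", the
developers receive the tests below: they run, they can be debugged, and
they stay in the QA suite so the bug cannot quietly come back.
"""
import html
import unittest

# --- Code under review (constructed for this example) -------------------------

def render_greeting_vulnerable(display_name: str) -> str:
    """The helper as it was found: untrusted input dropped straight into HTML."""
    return f"<p>Welcome back, {display_name}!</p>"


def render_greeting_fixed(display_name: str) -> str:
    """The fix: HTML-encode untrusted data at the output boundary."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


# --- The finding, as data -----------------------------------------------------

# Constructed sample inputs: the display names the reviewer used to show the
# problem. A fix must neutralise all of them, not just the first one.
FINDING_INPUTS = [
    "<script>alert(1)</script>",
    '"><b>not bold</b>',
    "Tom & Jerry <3",
]

HTML_META = set('<>"\'&')


def is_exploitable(rendered: str, untrusted: str) -> bool:
    """Oracle shared by every test: the finding reproduces if an input that
    carries HTML metacharacters reaches the page verbatim, i.e. unencoded.
    Checking 'verbatim' rather than 'contains <' keeps the oracle honest for
    the fixed code, whose output legitimately contains '&' from '&amp;'."""
    return any(c in HTML_META for c in untrusted) and untrusted in rendered


# --- The unit tests the consultant ships instead of a PDF ---------------------

class GreetingSecurityTests(unittest.TestCase):

    def test_finding_reproduces_on_reviewed_code(self):
        # "Reproduce Security Findings": the bug as an executable statement.
        for payload in FINDING_INPUTS:
            self.assertTrue(is_exploitable(render_greeting_vulnerable(payload), payload),
                            f"expected finding to reproduce for {payload!r}")

    def test_fix_is_not_exploitable(self):
        # "Write Fixes and Confirm non-exploitability"; left in the QA suite,
        # this is also the test that catches the vulnerability being re-introduced.
        for payload in FINDING_INPUTS:
            self.assertFalse(is_exploitable(render_greeting_fixed(payload), payload),
                             f"fix still renders {payload!r} unencoded")

    def test_fix_keeps_normal_behaviour(self):
        # "Use as part of normal app QA/Testing": the fix must not break
        # ordinary names, and must change nothing except the encoding.
        self.assertEqual(render_greeting_fixed("Alice"),
                         render_greeting_vulnerable("Alice"))
        for payload in FINDING_INPUTS:
            self.assertEqual(html.unescape(render_greeting_fixed(payload)),
                             render_greeting_vulnerable(payload))


if __name__ == "__main__":
    unittest.main()
```

The first test is expected to pass against the code as found and is the finding itself; once the developers switch the page over to the fixed helper, the second and third tests are the ones that stay green in the build, which is the "invisible to developers" security the deck argues for.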
SECURITY BY DESIGN & DEFAULT

DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS
Living in an O2 world
WHAT DOES IT LOOK LIKE?




WHAT DOES IT LOOK LIKE?

• By now (hopefully) you agree that the concept of creating Security-Driven UnitTests vs PDFs is a good one.

• But how does it work in practice?
• What type of Unit Tests can be created?
• Don't the current tools in the market (including O2) suck at automating security consultants' knowledge, workflows and exploits?

• To answer this, let's look at a number of case studies of what O2 can do in the hands of an O2 Power User (i.e. in my hands).
Recapping: OWASP O2 PLATFORM

The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews.

O2 is designed to Automate Security Consultants' Knowledge and Workflows, and to Allow non-security experts to access and consume Security Knowledge and Unit Tests.
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
   dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:




                                                                              O2
                                                                              developer
                                                                              senior
                                                                              consultant
                                                                              security
                                                                              consultant

                                                                             analyst

                                                                             manager

                                                                           GEEK-O-METER
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
   dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:
 • It’s own .NET Static Analysis engine (with taint-flow analysis)




                                                                              O2
                                                                              developer
                                                                              senior
                                                                              consultant
                                                                              security
                                                                              consultant

                                                                             analyst

                                                                             manager

                                                                           GEEK-O-METER
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
   dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:
 • It’s own .NET Static Analysis engine (with taint-flow analysis)
 • Supports Java ByteCode/classes call-flow analysis (and source code
   mappings)




                                                                              O2
                                                                              developer
                                                                              senior
                                                                              consultant
                                                                              security
                                                                              consultant

                                                                             analyst

                                                                             manager

                                                                           GEEK-O-METER
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
     dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:
 • It’s own .NET Static Analysis engine (with taint-flow analysis)
 • Supports Java ByteCode/classes call-flow analysis (and source code
     mappings)
 •   Multiple visualizers for Development Frameworks (Spring MVC,
     Struts, ASP.NET MVC)



                                                                              O2
                                                                              developer
                                                                              senior
                                                                              consultant
                                                                              security
                                                                              consultant

                                                                             analyst

                                                                             manager

                                                                           GEEK-O-METER
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
     dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:
 • It’s own .NET Static Analysis engine (with taint-flow analysis)
 • Supports Java ByteCode/classes call-flow analysis (and source code
     mappings)
 •   Multiple visualizers for Development Frameworks (Spring MVC,
     Struts, ASP.NET MVC)

• Data Consumption and API Generation
                                                                              O2
                                                                              developer
                                                                              senior
                                                                              consultant
                                                                              security
                                                                              consultant

                                                                             analyst

                                                                             manager

                                                                           GEEK-O-METER
SO WHAT IS O2?

• Scripting Engine and development environment
 • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids,
   dynamically-compiled-extension-methods” environment

• Black-Box/Browser-automation environment
• Source Code analysis environment:
 • Its own .NET Static Analysis engine (with taint-flow analysis)
 • Supports Java ByteCode/classes call-flow analysis (and source code
   mappings)
 • Multiple visualizers for Development Frameworks (Spring MVC,
   Struts, ASP.NET MVC)

• Data Consumption and API Generation

• Powerful search engine, Graphical Engines, multiple APIs for popular
  tools/websites and tons of utilities
Automating myself

• KEY CONCEPT:
 Today (Nov 2010) when I do a security assessment:

      IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs
      THAN IT IS TO KEEP DOING IT BY HAND
IN PRACTICE

• To really understand what this all means, let's look at a number of
  case studies of where I have successfully used O2 in the real world

• Hopefully this will dispel the myth, still common among security
  consultants today, that there is no way to automate their workflows
  and security findings
Real world O2 usage
PROBLEM:
Create a scripting environment that:
- allows maximum customisation and extensibility,
- has IntelliSense/code completion,
- gives full access to rich APIs,
- allows new APIs and new methods to be created quickly,
- allows one-click execution of the scripts created.

I’m basically looking for: Strongly Typed Python

SOLUTION:
O2 Scripting environment based on C# extension methods, code
refactoring and dynamic compilation of the script (and supporting
C# files)
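The solution above in miniature, as an added example rather than O2's own code: host-defined extension methods are the "rich API" a script sees with IntelliSense, and the script itself is a C# source string compiled at run time and invoked through reflection. The UrlExtensions names, the script text and the use of System.CodeDom's CSharpCodeProvider are this example's assumptions (O2 has its own engine and API names). It targets .NET Framework; on .NET Core/5+ CodeDom's in-process compiler throws PlatformNotSupportedException and Roslyn would take its place.

```csharp
using System;
using System.CodeDom.Compiler;
using System.Linq;
using System.Reflection;
using Microsoft.CSharp;

namespace ScriptingDemo
{
    // The "API" layer: extension methods give scripts a fluent, IntelliSense-friendly
    // surface over plain .NET types. These names are illustrative, not O2's.
    public static class UrlExtensions
    {
        // Query-string parameter names of a URL, in order ("q", "page", ...).
        public static string[] QueryParams(this string url)
        {
            int q = url.IndexOf('?');
            if (q < 0) return new string[0];
            return url.Substring(q + 1)
                      .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
                      .Select(pair => pair.Split('=')[0])
                      .ToArray();
        }

        // The same URL with every parameter value replaced by the (URL-encoded)
        // payload: the shape of a one-line "fuzz every parameter" helper.
        public static string WithPayload(this string url, string payload)
        {
            int q = url.IndexOf('?');
            if (q < 0) return url;
            string encoded = Uri.EscapeDataString(payload);
            var pairs = url.QueryParams().Select(name => name + "=" + encoded);
            return url.Substring(0, q + 1) + string.Join("&", pairs);
        }
    }

    public static class ScriptEngine
    {
        // Compiles a C# source string in memory and invokes a public static method on it.
        // Caveat: the script runs with the full rights of this process; compile only
        // sources you trust, exactly as you would with any plugin mechanism.
        public static object Run(string source, string typeName, string methodName)
        {
            var provider = new CSharpCodeProvider();
            var options = new CompilerParameters { GenerateInMemory = true };
            options.ReferencedAssemblies.Add("System.dll");
            options.ReferencedAssemblies.Add("System.Core.dll");
            // Reference this assembly so the script can use UrlExtensions.
            options.ReferencedAssemblies.Add(typeof(UrlExtensions).Assembly.Location);

            CompilerResults results = provider.CompileAssemblyFromSource(options, source);
            if (results.Errors.HasErrors)
            {
                var messages = results.Errors.Cast<CompilerError>()
                                      .Select(e => "line " + e.Line + ": " + e.ErrorText);
                throw new InvalidOperationException("script failed to compile:\n" +
                                                    string.Join("\n", messages));
            }

            Type type = results.CompiledAssembly.GetType(typeName);
            MethodInfo entry = type.GetMethod(methodName, BindingFlags.Public | BindingFlags.Static);
            return entry.Invoke(null, null);
        }
    }

    public static class Program
    {
        // The "script": ordinary C# that calls the host's extension methods.
        const string ScriptSource = @"
            using ScriptingDemo;
            public static class Script
            {
                public static string Run()
                {
                    string target = ""http://example.test/search?q=books&page=2"";
                    string names = string.Join("","", target.QueryParams());
                    return names + "" | "" + target.WithPayload(""<script>alert(1)</script>"");
                }
            }";

        public static void Main()
        {
            Console.WriteLine(ScriptEngine.Run(ScriptSource, "Script", "Run"));
        }
    }
}
```

Two properties of this design matter in practice. Compile errors are surfaced with line numbers before anything runs, which is what makes a scripting loop over strongly typed code bearable. And an assembly compiled this way stays loaded in the AppDomain for the life of the process; if scripts are re-edited and re-run many times, compile into a separate AppDomain that can be unloaded, or accept the growth.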
PROBLEM:
Analyse Source Code Findings (created by the OunceLabs tool) and:
 • list unique sources and sinks
 • filter findings based on complex criteria
 • join and visualise similar findings and identify patterns
 • join traces (getters and setters, interfaces, reflection calls, etc.)
 • mass-create rules based on analysis targets
 • dump Ounce’s Intermediate Representation (i.e. the analysed code as
   an Object Model)
 • handle 1+ million findings and 300 MB+ findings files

SOLUTION:
Created a bunch of O2 modules that solved these and many more problems
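An added example, not the O2 modules the slide refers to, of three of the operations in that list: unique sources and sinks, a filter with a compound criterion, and joining the two half-traces an engine reports when taint goes into a field through a setter and comes out again through the getter. The findings XML is a constructed, simplified export and not the real OunceLabs schema; the Finding shape and the setter/getter naming convention the join relies on are this example's assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public class Finding
{
    public string Id;
    public string Vuln;
    public string File;
    public List<string> Trace = new List<string>();   // call trace, source first, sink last

    public string Source { get { return Trace[0]; } }
    public string Sink { get { return Trace[Trace.Count - 1]; } }
}

public static class FindingsAnalysis
{
    // Constructed sample export. Findings 2 and 3 are one real XSS flow that the
    // engine split at User.setName / User.getName.
    public const string SampleXml = @"
<findings>
  <finding id='1' vuln='SQL Injection' file='UserDao.java'>
    <trace><node>HttpServletRequest.getParameter</node><node>UserDao.find</node><node>Statement.executeQuery</node></trace>
  </finding>
  <finding id='2' vuln='Tainted Data Stored' file='Profile.java'>
    <trace><node>HttpServletRequest.getParameter</node><node>User.setName</node></trace>
  </finding>
  <finding id='3' vuln='XSS' file='ProfileView.jsp'>
    <trace><node>User.getName</node><node>JspWriter.print</node></trace>
  </finding>
  <finding id='4' vuln='Path Traversal' file='FileServlet.java'>
    <trace><node>HttpServletRequest.getHeader</node><node>FileInputStream.FileInputStream</node></trace>
  </finding>
</findings>";

    public static List<Finding> Parse(string xml)
    {
        return XDocument.Parse(xml).Root.Elements("finding")
            .Select(f => new Finding
            {
                Id = (string)f.Attribute("id"),
                Vuln = (string)f.Attribute("vuln"),
                File = (string)f.Attribute("file"),
                Trace = f.Element("trace").Elements("node").Select(n => n.Value).ToList()
            })
            .ToList();
    }

    public static List<string> UniqueSources(IEnumerable<Finding> findings)
    {
        return findings.Select(f => f.Source).Distinct().OrderBy(s => s).ToList();
    }

    public static List<string> UniqueSinks(IEnumerable<Finding> findings)
    {
        return findings.Select(f => f.Sink).Distinct().OrderBy(s => s).ToList();
    }

    // A trace ending in Type.setX is joined with every trace starting at Type.getX:
    // the taint the engine lost when the value was stored in a field.
    static readonly Regex Setter = new Regex(@"^(?<type>\w+)\.set(?<prop>\w+)$");
    static readonly Regex Getter = new Regex(@"^(?<type>\w+)\.get(?<prop>\w+)$");

    public static List<Finding> JoinSetterGetterTraces(List<Finding> findings)
    {
        var joined = new List<Finding>();
        foreach (var head in findings)
        {
            var set = Setter.Match(head.Sink);
            if (!set.Success) continue;
            foreach (var tail in findings)
            {
                var get = Getter.Match(tail.Source);
                if (!get.Success) continue;
                if (get.Groups["type"].Value != set.Groups["type"].Value ||
                    get.Groups["prop"].Value != set.Groups["prop"].Value) continue;
                joined.Add(new Finding
                {
                    Id = head.Id + "+" + tail.Id,
                    Vuln = tail.Vuln,                  // the real sink decides the category
                    File = head.File + " -> " + tail.File,
                    Trace = head.Trace.Concat(tail.Trace).ToList()
                });
            }
        }
        return joined;
    }

    public static void Main()
    {
        var findings = Parse(SampleXml);
        Console.WriteLine("Sources: " + string.Join(", ", UniqueSources(findings)));
        Console.WriteLine("Sinks:   " + string.Join(", ", UniqueSinks(findings)));

        // Compound filter: request data reaching a SQL or file-system sink directly.
        var highRisk = findings.Where(f => f.Source.StartsWith("HttpServletRequest.")
                                        && (f.Sink.StartsWith("Statement.") || f.Sink.StartsWith("FileInputStream.")));
        foreach (var f in highRisk)
            Console.WriteLine("High risk: #" + f.Id + " " + f.Vuln + " " + string.Join(" -> ", f.Trace));

        foreach (var f in JoinSetterGetterTraces(findings))
            Console.WriteLine("Joined:    #" + f.Id + " " + f.Vuln + " " + string.Join(" -> ", f.Trace));
    }
}
```

The join is deliberately naive: it matches on names alone, so two unrelated objects of the same type would be joined too, and a reviewer still has to confirm the flow. For the file sizes the slide mentions (a million findings, hundreds of megabytes), XDocument holds the whole tree in memory; a streaming XmlReader that materialises one Finding at a time is the version that actually scales.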
PROBLEM:
Source Code: Handle the lack of visibility that static analysis
engines have (in this case the AppScan/OunceLabs engine) when
identifying web services (i.e.

SOLUTION:
Parse the source code to find the ‘formula’ that defines the Web
Services in the frameworks used, and mass-create rules that allow
them to be scanned effectively
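An added example of that approach, not the O2 module from the slide: scan Java source for the framework "formula" that makes a method a web entry point (a Spring MVC @RequestMapping method under its class-level path; any public method of a JAX-WS @WebService class, where @WebMethod is optional) and emit one taint-source rule per parameter that can carry client data. The Java is a constructed sample, the `<rules>` XML is an assumed illustrative format and not the AppScan Source/Ounce rule syntax, and the scanner is line-oriented, so multi-line signatures and generic types containing commas are outside what it handles.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

public class Endpoint
{
    public string Framework;
    public string Class;
    public string Method;
    public string Route;
    public List<string> Params = new List<string>();   // parameters carrying client data
}

public static class EntryPointFinder
{
    // Constructed sample: one Spring MVC controller and one JAX-WS service.
    public const string SampleJava = @"
@Controller
@RequestMapping(""/accounts"")
public class AccountController {
    @RequestMapping(value = ""/{id}"", method = RequestMethod.GET)
    public String show(@PathVariable(""id"") String id, Model model) {
        return ""account"";
    }

    @RequestMapping(value = ""/transfer"", method = RequestMethod.POST)
    public String transfer(@RequestParam(""to"") String to, @RequestParam(""amount"") int amount) {
        return ""redirect:/accounts"";
    }

    private String helper(String s) { return s; }
}

@WebService
public class PaymentService {
    @WebMethod
    public String pay(String account, double amount) {
        return ""ok"";
    }
}";

    static readonly Regex ClassDecl = new Regex(@"\bclass\s+(?<name>\w+)");
    static readonly Regex RequestMapping = new Regex(@"@RequestMapping\s*\(\s*(?:value\s*=\s*)?""(?<path>[^""]*)""");
    static readonly Regex MethodDecl = new Regex(@"\bpublic\s+(?:static\s+)?[\w<>\[\]]+\s+(?<name>\w+)\s*\((?<params>.*)\)");
    static readonly Regex Param = new Regex(@"(?:@\w+(?:\([^)]*\))?\s*)*(?<type>[\w<>\[\]]+)\s+(?<name>\w+)\s*(?:,|$)");
    // Framework-injected parameter types that never carry attacker-controlled data.
    static readonly HashSet<string> SkipTypes = new HashSet<string> { "Model", "ModelMap", "BindingResult", "HttpServletResponse" };

    public static List<Endpoint> Find(string javaSource)
    {
        var endpoints = new List<Endpoint>();
        string currentClass = null, classRoute = "", pendingRoute = null;
        bool pendingWebService = false, inWebService = false;

        foreach (var raw in javaSource.Split('\n'))
        {
            var line = raw.Trim();
            if (line.StartsWith("@WebService")) { pendingWebService = true; continue; }

            var rm = RequestMapping.Match(line);
            if (rm.Success) { pendingRoute = rm.Groups["path"].Value; continue; }

            var cd = ClassDecl.Match(line);
            if (cd.Success)
            {
                currentClass = cd.Groups["name"].Value;
                classRoute = pendingRoute ?? "";      // class-level @RequestMapping, if any
                inWebService = pendingWebService;
                pendingRoute = null;
                pendingWebService = false;
                continue;
            }

            var md = MethodDecl.Match(line);
            if (!md.Success) continue;
            string method = md.Groups["name"].Value;

            Endpoint ep = null;
            if (pendingRoute != null)
                ep = new Endpoint { Framework = "Spring MVC", Route = classRoute + pendingRoute };
            else if (inWebService)
                ep = new Endpoint { Framework = "JAX-WS", Route = currentClass + "." + method };
            pendingRoute = null;
            if (ep == null) continue;

            ep.Class = currentClass;
            ep.Method = method;
            foreach (Match p in Param.Matches(md.Groups["params"].Value))
                if (!SkipTypes.Contains(p.Groups["type"].Value))
                    ep.Params.Add(p.Groups["name"].Value);
            endpoints.Add(ep);
        }
        return endpoints;
    }

    // One taint-source rule per parameter, in an assumed XML rule format.
    public static string ToRules(IEnumerable<Endpoint> endpoints)
    {
        var rules = new XElement("rules",
            endpoints.SelectMany(e => e.Params.Select(p =>
                new XElement("source",
                    new XAttribute("framework", e.Framework),
                    new XAttribute("class", e.Class),
                    new XAttribute("method", e.Method),
                    new XAttribute("param", p),
                    new XAttribute("route", e.Route)))));
        return rules.ToString();
    }

    public static void Main()
    {
        var endpoints = Find(SampleJava);
        foreach (var e in endpoints)
            Console.WriteLine(e.Framework + " " + e.Route + " -> " + e.Class + "." + e.Method +
                              "(" + string.Join(", ", e.Params) + ")");
        Console.WriteLine(ToRules(endpoints));
    }
}
```

The check worth keeping from this is the SkipTypes list: marking every parameter as a source would flood the engine with flows that start in framework-injected objects, while missing the unannotated ones (Spring binds simple-typed parameters by name even without @RequestParam) would recreate the blind spot the rules are meant to close. Whatever the real engine's rule syntax is, the generated file should be diffed against the previous scan's rules so new endpoints show up as new rules.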
PROBLEM:
Analyse a Spring MVC application (from both a BlackBox and WhiteBox
point of view)

SOLUTION:
O2 :)
PROBLEM:
Analyse a Struts with JavaServer Faces application (from both a
BlackBox and WhiteBox point of view)

SOLUTION:
O2 :)
PROBLEM:
Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox
point of view)

SOLUTION:
O2 :)
PROBLEM:
Automating browser actions: list fields, enter data, click on buttons,
manipulate HTML/JavaScript, etc.

SOLUTION:
Found a great C# browser automation API (WatiN) and wrote a large API
that simplifies WatiN’s behaviour (using extension methods)
PROBLEM:
BlackBox: Deploy payloads in post-login pages

SOLUTION:
O2 :)
PROBLEM:
BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the alert() pop-up box, whose implications nobody outside the web application security space understands

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Create an exploit that leverages data inside ASP.NET ViewState

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Try to open (in a web browser) all files available in the web app's root (i.e. file system), and create an authorisation mapping table for multiple users

SOLUTION:
O2 :)

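As an added example (not O2 code: O2 scripts are C#, this is a stand-alone Python illustration of the same workflow), the following builds that authorisation mapping table. It walks a throw-away web root created on disk, requests every file as each of three principals against a hypothetical server, and prints the path x user status matrix. The server, the sessions, the file names and the access rules are all constructed for the example; the only assumption about the real target is that you can list its web root and request each file as each user.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed stand-in for the target: three principals and a server whose
# access rules are keyed on URL prefix (hypothetical, not O2 code).
@dataclass(frozen=True)
class Session:
    user: str
    role: str            # "anon", "user" or "admin"

ROLE_RANK = {"anon": 0, "user": 1, "admin": 2}
SESSIONS = [Session("anon", "anon"), Session("alice", "user"), Session("admin", "admin")]

def build_sample_webroot() -> str:
    """Create a throw-away web root on disk so the enumeration below walks a
    real file system, as the slide describes. File names are constructed."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ["index.html", "account/profile.aspx", "admin/users.aspx",
                "web.config", "backup/db.bak"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder")
    return root

def simulated_fetch(session: Session, url_path: str, webroot: str) -> int:
    """Hypothetical server: 404 for missing files, 403 for server-side
    sources, a login redirect (302) or 403 when the role is insufficient."""
    if not os.path.isfile(os.path.join(webroot, url_path.lstrip("/"))):
        return 404
    if url_path.endswith((".config", ".cs")):
        return 403
    required = ("admin" if url_path.startswith("/admin/")
                else "user" if url_path.startswith("/account/") else "anon")
    if ROLE_RANK[session.role] < ROLE_RANK[required]:
        return 302 if session.role == "anon" else 403
    return 200           # note: /backup/db.bak falls through here for everyone

def enumerate_webroot(webroot: str) -> List[str]:
    """Every file under the web root, as the URL path a browser would request."""
    paths = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            paths.append("/" + rel.replace(os.sep, "/"))
    return sorted(paths)

def authorisation_matrix(webroot: str, sessions=SESSIONS,
                         fetch: Callable[[Session, str, str], int] = simulated_fetch
                         ) -> Dict[str, Dict[str, int]]:
    """path -> {user: HTTP status}: one request per (file, principal) pair."""
    return {p: {s.user: fetch(s, p, webroot) for s in sessions}
            for p in enumerate_webroot(webroot)}

def reachable(matrix, user: str) -> List[str]:
    """Files a given principal can actually read (status 200)."""
    return [p for p, row in matrix.items() if row[user] == 200]

def differs(matrix, user_a: str, user_b: str) -> List[str]:
    """Paths where two principals get different answers: the rows to read
    first when comparing privilege levels."""
    return [p for p, row in matrix.items() if row[user_a] != row[user_b]]

def format_table(matrix) -> str:
    if not matrix:
        return "(no files)"
    users = list(next(iter(matrix.values())))
    width = max(len(p) for p in matrix)
    lines = ["path".ljust(width) + "".join(u.rjust(8) for u in users)]
    for path, row in matrix.items():
        lines.append(path.ljust(width) + "".join(str(row[u]).rjust(8) for u in users))
    return "\n".join(lines)

if __name__ == "__main__":
    m = authorisation_matrix(build_sample_webroot())
    print(format_table(m))
    print("anonymous can read:", reachable(m, "anon"))
```

The table is the deliverable; reachable() and differs() are the two views a reviewer wants first: what the anonymous user can read (here the constructed /backup/db.bak, which the prefix rules never cover) and where two roles disagree.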
PROBLEM:
BlackBox: Automatically test/fuzz web services where each request needs to be a valid XML/SOAP request (or the payloads will never reach the application)

SOLUTION:
O2 :)

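Added example, not part of the deck or of O2, of why the request must stay valid XML. It uses a hypothetical SOAP GetOrder operation (the namespace http://example.invalid/orders is made up), a simulated endpoint that parses before it dispatches, and a constructed payload sample in the spirit of a FuzzDB list. The naive string-templated builder loses most payloads before application code runs; the ElementTree builder escapes them as text content so they arrive intact. The fuzzer also checks each request locally before sending and reports payloads that XML 1.0 text cannot carry at all (a NUL byte here) instead of silently sending broken requests.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/orders"        # hypothetical service namespace
ET.register_namespace("s", SOAP_NS)
ET.register_namespace("o", SVC_NS)

# Constructed payload sample in the spirit of a FuzzDB list (not copied from it).
PAYLOADS = ["' OR '1'='1", "<script>alert(1)</script>", "a & b", "]]>", "A" * 5000, "\x00"]

def naive_request(order_id: str) -> bytes:
    """String templating: the payload is pasted into the envelope verbatim,
    so anything containing '<', '&' or ']]>' is no longer XML."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><GetOrder xmlns="{SVC_NS}">'
            f'<orderId>{order_id}</orderId></GetOrder></s:Body></s:Envelope>').encode()

def well_formed_request(order_id: str) -> bytes:
    """Build the envelope with an XML library: the payload becomes escaped
    text content, so the request stays parseable whatever it contains."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetOrder")
    ET.SubElement(op, f"{{{SVC_NS}}}orderId").text = order_id
    return ET.tostring(env, encoding="utf-8")

def simulated_service(raw: bytes) -> Tuple[int, str]:
    """Hypothetical endpoint: the SOAP stack parses first, so a malformed
    request never reaches application code; otherwise it echoes the id."""
    try:
        env = ET.fromstring(raw)
    except ET.ParseError:
        return 500, "Fault: request is not well-formed XML"
    node = env.find(f".//{{{SVC_NS}}}orderId")
    if node is None:
        return 400, "Fault: orderId missing"
    return 200, f"order {node.text} not found"

def fuzz(builder: Callable[[str], bytes], payloads: List[str] = PAYLOADS,
         send: Callable[[bytes], Tuple[int, str]] = simulated_service):
    """For each payload: build, check locally that it is still XML (no point
    sending it otherwise), send, and classify whether it reached the app."""
    results = []
    for p in payloads:
        raw = builder(p)
        try:
            ET.fromstring(raw)
        except ET.ParseError:
            results.append((p, "unsendable", None))  # cannot be carried as XML text
            continue
        status, body = send(raw)
        if status != 200:
            outcome = "rejected"
        elif p in body:
            outcome = "reached"
        else:
            outcome = "mangled"                       # parsed, but the app saw something else
        results.append((p, outcome, status))
    return results

def outcomes(builder: Callable[[str], bytes]) -> dict:
    """payload -> outcome, for a quick comparison of the two builders."""
    return {p: o for p, o, _ in fuzz(builder)}

if __name__ == "__main__":
    for name, builder in [("naive", naive_request), ("well-formed", well_formed_request)]:
        print(name, outcomes(builder))
```

The "mangled" case is the one that fools people: <script>alert(1)</script> pasted raw is still well-formed XML, so the naive request gets a 200, but the parser turned the payload into a child element and the application never saw the string.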
PROBLEM:
BlackBox: Perform brute-force authentication (username & password) attacks against multiple forms, each having unique signatures, behaviours and workflows

SOLUTION:
O2 :)

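Added example (not O2 code): one driver for several login forms, each described by how its fields are named, what its success response looks like, and what its lockout response looks like. The three forms, the credential list and the lockout rule are constructed for the example. The point is that the success signature belongs to the form descriptor, not to the loop, and that a lockout page has to be recognised before it is counted as just another failure.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]      # (status, headers, body)

# --- Constructed stand-ins for three login forms with different behaviours ---

def legacy_form(fields: dict) -> Response:
    """Success = 302 to /home plus a session cookie; failure = 200 with error text."""
    if fields.get("user") == "alice" and fields.get("pass") == "winter2010":
        return 302, {"Location": "/home", "Set-Cookie": "auth=ok; HttpOnly"}, ""
    return 200, {}, "<p>Invalid login</p>"

def json_api(fields: dict) -> Response:
    """Always 200; success is only visible inside the JSON body."""
    ok = fields.get("username") == "bob" and fields.get("password") == "letmein"
    return 200, {"Content-Type": "application/json"}, json.dumps({"ok": ok})

class LockoutForm:
    """Locks an account after three failures; the driver must recognise that
    state rather than keep going (and must not mistake it for a plain failure)."""
    def __init__(self):
        self.fails: Dict[str, int] = {}
    def __call__(self, fields: dict) -> Response:
        user, pwd = fields.get("u", ""), fields.get("p", "")
        if self.fails.get(user, 0) >= 3:
            return 200, {}, "<p>Account locked</p>"
        if user == "carol" and pwd == "Passw0rd!":
            return 200, {}, "<p>Welcome carol</p>"
        self.fails[user] = self.fails.get(user, 0) + 1
        return 200, {}, "<p>Login failed</p>"

@dataclass
class LoginForm:
    name: str
    submit: Callable[[dict], Response]
    build: Callable[[str, str], dict]            # (user, pwd) -> this form's field names
    success: Callable[[Response], bool]          # this form's success signature
    locked: Callable[[Response], bool] = lambda r: False

def make_forms() -> List[LoginForm]:
    """Fresh descriptors per run (LockoutForm carries state)."""
    return [
        LoginForm("legacy", legacy_form, lambda u, p: {"user": u, "pass": p},
                  success=lambda r: r[0] == 302 and "auth=" in r[1].get("Set-Cookie", "")),
        LoginForm("api", json_api, lambda u, p: {"username": u, "password": p},
                  success=lambda r: json.loads(r[2]).get("ok") is True),
        LoginForm("lockout", LockoutForm(), lambda u, p: {"u": u, "p": p},
                  success=lambda r: "Welcome" in r[2],
                  locked=lambda r: "locked" in r[2].lower()),
    ]

CREDENTIALS = [("alice", "password"), ("alice", "winter2010"), ("bob", "bob"),
               ("bob", "letmein"), ("carol", "carol"), ("carol", "123456"),
               ("carol", "qwerty"), ("carol", "Passw0rd!")]   # constructed list

def brute_force(form: LoginForm, credentials) -> dict:
    """Same driver for every form; only the descriptor changes."""
    for attempts, (user, pwd) in enumerate(credentials, start=1):
        resp = form.submit(form.build(user, pwd))
        if form.locked(resp):      # lockout first: a locked page is not "just a failure"
            return {"form": form.name, "result": "locked", "attempts": attempts, "credential": None}
        if form.success(resp):
            return {"form": form.name, "result": "hit", "attempts": attempts, "credential": (user, pwd)}
    return {"form": form.name, "result": "exhausted", "attempts": len(credentials), "credential": None}

def run_all(credentials=CREDENTIALS) -> Dict[str, dict]:
    return {f.name: brute_force(f, credentials) for f in make_forms()}

if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(name, outcome)
```

Against the constructed lockout form the driver stops with result "locked" on the eighth attempt: carol's real password is tried one attempt too late, and continuing would only burn the account. That is the data you want in the report, not a false "exhausted".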
PROBLEM:
BlackBox: Perform multiple requests, doing the following for each request:
 - take a screenshot of the page with the payload in its forms
 - submit the payload
 - take a screenshot of the resulting page
 - save the HTML
After completion, visualise and analyse the collected data

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Give developers the ability to reproduce the security findings

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Show developers the multiple ways and variations in which a particular vulnerability can be exploited

SOLUTION:
O2 :)

PROBLEM:
Show the end-client (and developers) the tests made during the security assessment and their coverage

SOLUTION:
O2 :)

PROBLEM:
BlackBox: Test for CSRF on complex web applications with multiple workflows and complex state

SOLUTION:
Create an API that exposes the application's behaviour as a set of methods, which can then be invoked in a foreach(var payload in payloads) loop that handles the payload submission and data collection (i.e. screenshots and HTML data returned)

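Added example of the solution on this slide, written in Python against a simulated target rather than with O2 (O2 scripts are C#; nothing here is O2 API). SimulatedApp, its login / add-item / checkout workflow, the two bug switches and the payloads are all constructed. OrderWorkflow is the "API that exposes the application's behaviour as a set of methods"; run_payloads is the foreach(var payload in payloads) loop, keeping every response (the HTML half of the data collection; screenshots need a browser and are left out); csrf_forgeable walks the workflow to the state-changing step and replays it with a missing or wrong token. The buggy variant only validates the token when one is sent, which is the kind of defect that only shows up once the full workflow is scripted.

```python
import html
import re
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample payloads.
PAYLOADS = ["<img src=x onerror=alert(1)>", '"><svg onload=alert(1)>', "plain text"]

class SimulatedApp:
    """Hypothetical stateful target: login -> add item -> checkout. Two
    switches select the buggy or the fixed behaviour so the same test can
    be run against both."""
    def __init__(self, strict_csrf: bool, escape_output: bool):
        self.strict_csrf, self.escape_output = strict_csrf, escape_output
        self.sessions, self.orders = {}, []

    def post_login(self, user: str, password: str):
        if password != "pw":
            return None, "<p>bad credentials</p>"
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "token": secrets.token_hex(16), "cart": []}
        return sid, f'<form><input name="csrf" value="{self.sessions[sid]["token"]}"></form>'

    def post_add_item(self, sid: str, item: str, note: str) -> str:
        s = self.sessions[sid]
        s["cart"].append((item, note))
        return f"<li>{item}: {html.escape(note) if self.escape_output else note}</li>"

    def post_checkout(self, sid: str, token: Optional[str]) -> str:
        s = self.sessions[sid]
        # Buggy variant: the token is only compared when the client sent one.
        if token != s["token"] and (self.strict_csrf or token is not None):
            return "<p>invalid token</p>"
        self.orders.append((s["user"], list(s["cart"])))
        s["cart"] = []
        return "<p>order placed</p>"

@dataclass
class Record:
    step: str
    payload: Optional[str]
    html: str

class OrderWorkflow:
    """The slide's solution: the application's behaviour exposed as methods.
    Every response is kept (the HTML half of 'screenshots and html data')."""
    def __init__(self, app: SimulatedApp):
        self.app, self.sid, self.token = app, None, None
        self.records: List[Record] = []

    def _save(self, step, payload, page):
        self.records.append(Record(step, payload, page))
        return page

    def login(self, user="alice", password="pw") -> bool:
        self.sid, page = self.app.post_login(user, password)
        m = re.search(r'name="csrf" value="([0-9a-f]+)"', page)
        self.token = m.group(1) if m else None
        self._save("login", None, page)
        return self.sid is not None

    def add_item(self, note: str, item="book") -> str:
        return self._save("add_item", note, self.app.post_add_item(self.sid, item, note))

    def checkout(self, token="session") -> str:
        """token="session" sends the real token; None or any other string
        replays the step with a missing or forged token."""
        tok = self.token if token == "session" else token
        return self._save("checkout", None, self.app.post_checkout(self.sid, tok))

def run_payloads(app: SimulatedApp, payloads=PAYLOADS):
    """foreach (var payload in payloads): full workflow per payload, all
    responses collected, reflection flagged when markup comes back unencoded."""
    results = []
    for payload in payloads:
        wf = OrderWorkflow(app)
        wf.login(); wf.add_item(payload); wf.checkout()
        unencoded = payload != html.escape(payload) and any(payload in r.html for r in wf.records)
        results.append((payload, unencoded, len(wf.records)))
    return results

def csrf_forgeable(app: SimulatedApp, forged_token: Optional[str] = None) -> bool:
    """Walk the workflow to the state-changing step, then replay that step
    with a missing/forged token and see whether state still changed."""
    wf = OrderWorkflow(app)
    wf.login(); wf.add_item("harmless")
    before = len(app.orders)
    wf.checkout(token=forged_token)
    return len(app.orders) > before
```

Note the two probes in csrf_forgeable: a wrong token and a missing token are different requests, and the constructed bug only accepts the second. A test that tries only a forged value reports the buggy build as safe.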
PROBLEM:
BlackBox: After finding, during code review, a 'this CSRF token looks like poor crypto to me' vulnerability, correctly identify and exploit it.

SOLUTION:
Isolate the original code into a testable component, which is then used to map its entropy behaviour, confirm the vulnerable scenario, write a "CSRF token generator" and write a JavaScript-based exploit/PoC to detect login timings

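Added example for the solution on this slide (constructed; not the code from the engagement, which the deck does not show). weak_token stands in for a generator seeded from the login time; the functions after it are the "testable component" steps: distinct_ratio maps how many different tokens a second's worth of logins produces, entropy_per_char shows why a character-level entropy figure alone would not have caught it, candidate_tokens is the attacker-side token generator over a login-time window (the timing the slide's JavaScript PoC was written to obtain), and recover_login_second is the same table read backwards.

```python
import collections
import math
import random
import secrets
from typing import Callable, Dict, Iterable, Optional

FIXED_NOW = 1_290_000_000      # a constructed 'login second' (a November 2010 timestamp)

def weak_token(login_second: int) -> str:
    """Constructed stand-in for the generator that 'looks like poor crypto':
    a general-purpose PRNG seeded with the login time in whole seconds."""
    return "%016x" % random.Random(login_second).getrandbits(64)

def strong_token() -> str:
    """What the fix looks like: 64 bits from the OS CSPRNG."""
    return secrets.token_hex(8)

def distinct_ratio(gen: Callable[[], str], n: int = 1000) -> float:
    """Distinct tokens / tokens issued for n logins in the same second.
    1.0 is what a sound generator gives; a tiny value means the output is a
    function of the clock, not of any secret."""
    return len({gen() for _ in range(n)}) / n

def entropy_per_char(tokens: Iterable[str]) -> float:
    """Shannon entropy of the character distribution, in bits. This comes out
    near 4.0 (ideal for hex) for BOTH generators: string statistics do not
    reveal predictability; controlling the seed input does."""
    counts = collections.Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def candidate_tokens(t_start: int, t_end: int) -> Dict[str, int]:
    """The attacker's 'CSRF token generator': every token a victim could have
    been issued if they logged in somewhere inside [t_start, t_end]."""
    return {weak_token(t): t for t in range(t_start, t_end + 1)}

def recover_login_second(victim_token: str, t_start: int, t_end: int) -> Optional[int]:
    """Inverse view: given a token seen in the wild, find the second that
    produced it (None for a token the weak generator never emits)."""
    return candidate_tokens(t_start, t_end).get(victim_token)

if __name__ == "__main__":
    print("weak, same second:", distinct_ratio(lambda: weak_token(FIXED_NOW)))
    print("strong:            ", distinct_ratio(strong_token))
    print("per-char entropy (weak):", entropy_per_char(weak_token(FIXED_NOW + i) for i in range(500)))
    victim = weak_token(FIXED_NOW + 37)
    print("candidates in a 2-minute window:", len(candidate_tokens(FIXED_NOW, FIXED_NOW + 120)))
    print("victim logged in at:", recover_login_second(victim, FIXED_NOW, FIXED_NOW + 120))
```

Two points carry over to real engagements: every user who logs in within the same second gets the same token, which is the "confirm vulnerable scenario" step, and a two-minute uncertainty about the login time leaves only 121 candidates, small enough to try them all from the attacker's page.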
PROBLEM:
Create a PoC for the "Google Wireless MAC Address Location exposure"

As made famous by Samy Kamkar's "How I Met Your Girlfriend" presentation

Owasp o2 platform   november 2010

Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Owasp o2 platform november 2010

  • 1. O2 Platform: Automating Security Knowledge through Unit Tests
  • 2-10. WHAT IS O2? (and the OWASP O2 PLATFORM). O2 is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS. (Each slide also shows a GEEK-O-METER scale: O2 developer, senior consultant, security consultant, analyst, manager.)
  • 11. ... and when you start using it ... you will be able to do impossible things ...
  • 12. and your clients will love you
  • 13-16. O2 Quote, by David Campbell: "Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and the O2 is the swiss army knife you need to carry."
  • 17-18. Key message of this presentation: NO MORE PDFs WITH SECURITY FINDINGS
  • 19-21. Other types of PDFs
    • As bad as delivering a PDF is delivering Automated Tools results (Static Code Analysis, Website Scanners), which deliver tons of results/findings but have little context or actionable actions.
    • Any client deliverable that is not easily consumed by the end user (from developers to managers) is what I'm calling a 'PDF'.
  • 22-26. SPEAKING DEVS' LANGUAGE
    • Delivering security knowledge inside a PDF is a massively inefficient workflow.
    • The client is going to spend more money trying to figure out what the PDF says and how to deal with it than they spent creating it (the PDF).
    • The developers will struggle to reproduce the findings and in most cases will fix the vulnerabilities by making the exploit not work.
    • We need to speak the developer's language, leverage their knowledge and create two-way communication channels.
  • 27-35. We need UnitTests
    • UnitTests are the only 'language' we can speak that the developers will understand.
    • Security-Driven Unit Tests will allow the developers to:
      • Reproduce Security Findings
      • Debug Security Exploits
      • Write Fixes and Confirm their non-exploitability
      • Use them as part of normal app QA/Testing
      • Ensure vulnerabilities are not re-introduced at a later stage
    • There are lots of other advantages: better security management reports, WAF rules, etc.
  • 36-42. SECURITY BY DESIGN & DEFAULT: DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS
  • 43. Living in an O2 world
  • 44-49. WHAT DOES IT LOOK LIKE?
    • By now (hopefully) you agree that the concept of creating Security-Driven UnitTests vs PDFs is a good one.
    • But how does it work in practice?
    • What type of Unit Tests can be created?
    • Don't the current tools in the market (including O2) suck at automating security consultants' knowledge, workflows and exploits?
    • To answer this, let's look at a number of case studies of what O2 can do in the hands of an O2 Power User (i.e. in my hands).
  • 50-51. Recapping: OWASP O2 PLATFORM. The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants' Knowledge and Workflows, and to Allow non-security experts to access and consume Security Knowledge and Unit Tests.
  • 52-61. SO WHAT IS O2?
    • Scripting Engine and development environment
    • I write "O2 in O2" using its "C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods" environment
    • Black-Box/Browser-automation environment
    • Source Code analysis environment:
      • Its own .NET Static Analysis engine (with taint-flow analysis)
      • Supports Java ByteCode/classes call-flow analysis (and source code mappings)
      • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC)
    • Data Consumption and API Generation
    • Powerful search engine, Graphical Engines, multiple APIs for popular tools/websites and tons of utilities
  • 62-64. Automating myself. KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS TO KEEP DOING IT BY HAND
  • 65-67. IN PRACTICE
    • To really understand what this all means, let's look at a number of case studies of where I have successfully used O2 in the real world.
    • Hopefully this will clear the myth that security consultants still have today that there is no way to automate their workflows and security findings.
  • 68. Real world O2 usage
  • 69-72. PROBLEM: Create a scripting environment that:
    - allows maximum customisation and extensibility,
    - has IntelliSense/CodeComplete,
    - has full access to rich APIs,
    - allows new APIs and new methods to be created quickly,
    - allows one-click execution of the scripts created.
    I'm basically looking for: Strongly Typed Python.
    SOLUTION: O2 Scripting environment based on C# ExtensionMethods, code refactoring and dynamic compilation of scripts (and supporting C# files).
  • 73-76. PROBLEM: Analyse Source Code Findings (created by the OunceLabs tool) and:
    • list unique sources and sinks
    • filter findings based on complex criteria
    • join and visualise similar findings and identify patterns
    • join traces (getters and setters, interfaces, reflection calls, etc.)
    • mass-create rules based on analysis targets
    • dump Ounce's Intermediate Representation (i.e. the analysed code as an Object Model)
    • handle 1+ million findings and 300MB+ findings files
    SOLUTION: Created a bunch of O2 modules that solved these and many more problems.
  • 77-80. PROBLEM: Source Code: handle the lack of visibility that static analysis engines have (in this case the AppScan/OunceLabs engine) when identifying web services (i.e.
    SOLUTION: Parse the source code to find the 'formula' that defines the Web Services in the Frameworks used, and mass-create rules that allow their effective scanning.
  • 81-83. PROBLEM: Analyse a Spring MVC application (from both a BlackBox and WhiteBox point of view)
    SOLUTION:
  • 84. PROBLEM: Analyse an Spring MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 85. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 86. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 87. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 88. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 89. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 90. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 91. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 92. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 93. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 94. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 95. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 96. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... SOLUTION: Found a great C# Browser Automation API (WatiN) and wrote a large API that simplifies WatiN’s behaviour (using extension methods) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 97. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 98. PROBLEM: BlackBox: Deploy payloads in post login pages O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 99. PROBLEM: BlackBox: Deploy payloads in post login pages SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 100. PROBLEM: BlackBox: Deploy payloads in post login pages SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 101. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 102. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 103. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 104. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 105. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 106. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 107. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 108. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 109. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 110. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 111. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 112. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 113. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 114. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 115. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 116. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 117. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 118. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 119. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 120. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 121. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 122. PROBLEM: BlackBox: Automatically Test/Fuzz WebServices where each request needs to be a valid XML/ SOAP request (or the payloads will never reach the application) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 123. PROBLEM: BlackBox: Automatically Test/Fuzz WebServices where each request needs to be a valid XML/ SOAP request (or the payloads will never reach the application) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 124. PROBLEM: BlackBox: Automatically Test/Fuzz WebServices where each request needs to be a valid XML/ SOAP request (or the payloads will never reach the application) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 125. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 126. PROBLEM: BlackBox: perform brute force authentication (username & password) attacks in multiple forms, each having unique signatures, behaviours and workflows O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 127. PROBLEM: BlackBox: perform brute force authentication (username & password) attacks in multiple forms, each having unique signatures, behaviours and workflows SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 128. PROBLEM: BlackBox: perform brute force authentication (username & password) attacks in multiple forms, each having unique signatures, behaviours and workflows SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 129. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 130. PROBLEM: BlackBox: Perform multiple requests, where for each request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTML After completion, visualise and analyse the created data O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 131. PROBLEM: BlackBox: Perform multiple requests, where for each request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTML After completion, visualise and analyse the created data SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 132. PROBLEM: BlackBox: Perform multiple requests, where for each request do the following actions: - take screenshot of page with payload in forms - submit payload - take screenshot of resulting page - save HTML After completion, visualise and analyse the created data SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 133. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 134. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 135. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 136. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 137. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 138. PROBLEM: BlackBox: Show developers the multiple ways and variations that a particular vulnerability can be exploited O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 139. PROBLEM: BlackBox: Show developers the multiple ways and variations that a particular vulnerability can be exploited SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 140. PROBLEM: BlackBox: Show developers the multiple ways and variations that a particular vulnerability can be exploited SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 141. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 142. PROBLEM: Show end-client (and developers) the tests made during the security and its coverage O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 143. PROBLEM: Show end-client (and developers) the tests made during the security and its coverage SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 144. PROBLEM: Show end-client (and developers) the tests made during the security and its coverage SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 145. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 146. PROBLEM: BlackBox: test for CRSF on complex web applications with multiple workflows and complex state O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 147. PROBLEM: BlackBox: test for CRSF on complex web applications with multiple workflows and complex state SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 148. PROBLEM: BlackBox: test for CRSF on complex web applications with multiple workflows and complex state SOLUTION: Create an API that exposes the application’s behaviour as a set of methods, which can the be invoked in a foreach(var payload in payloads) loop which handles the payload submission and data collection (i.e. screenshots and html data returned) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 149. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 150. PROBLEM: BlackBox: After during code review, finding some ‘this CRSF token looks like poor crypto to me’ vulnerability, correctly identify and exploit it. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 151. PROBLEM: BlackBox: After during code review, finding some ‘this CRSF token looks like poor crypto to me’ vulnerability, correctly identify and exploit it. SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 152. PROBLEM: BlackBox: After during code review, finding some ‘this CRSF token looks like poor crypto to me’ vulnerability, correctly identify and exploit it. SOLUTION: Isolate the original code into a testable component, which is then used to map its entropy behaviour, confirm vulnerable scenario, write “CRSF token generator” and write javascript based exploit/PoC to detect Login timings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 153. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 154. PROBLEM: Create a PoC for the “Google Wireless MAC Address Location exposure” As made famous by Sammy’s “How I meet your girlfriend” presentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
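Slides 116 and 148 describe the same shape of test: the application's behaviour wrapped as a set of methods, a foreach over a payload list, and the returned data collected so a finding can be reproduced by developers and retested after the fix. The C# below is an added example and is not O2's own code or any of its modules. It assumes an in-memory page renderer (`CommentPage`, with a constructed "before" and "after" version) as the stand-in for the application, so it runs offline; in an O2 script the same methods would drive a browser and the collected data would also include screenshots. The payload list is constructed here, where the deck uses FuzzDB.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;   // WebUtility.HtmlEncode

// Added example, not O2 code. The "application behaviour exposed as methods"
// is stood in for by an in-memory page renderer so the harness runs offline;
// in O2 the same methods would drive a browser (WatiN) and the result would
// also carry screenshots.
public static class CommentPage
{
    // 'Before' behaviour (the original finding): the comment is reflected unencoded.
    public static string RenderVulnerable(string comment)
    {
        return "<html><body><div class=\"comment\">" + comment + "</div></body></html>";
    }

    // 'After' behaviour (the fix the regression test guards): output encoding.
    public static string RenderFixed(string comment)
    {
        return "<html><body><div class=\"comment\">" + WebUtility.HtmlEncode(comment) + "</div></body></html>";
    }
}

public sealed class PayloadResult
{
    public string Payload { get; set; }
    public string Html { get; set; }
    public bool Reflected { get; set; }   // markup-bearing payload came back verbatim
}

public static class XssRegressionHarness
{
    // Constructed sample payloads; the deck uses the FuzzDB lists for this.
    public static readonly string[] SamplePayloads =
    {
        "<script>alert(1)</script>",
        "\"><img src=x onerror=alert(1)>",
        "plain text comment",
    };

    // The foreach(var payload in payloads) loop from the slide: push each
    // payload through the exposed behaviour and collect what came back.
    public static List<PayloadResult> Run(Func<string, string> submitComment, IEnumerable<string> payloads)
    {
        var results = new List<PayloadResult>();
        foreach (var payload in payloads)
        {
            var html = submitComment(payload);
            results.Add(new PayloadResult
            {
                Payload = payload,
                Html = html,
                Reflected = ContainsMarkup(payload) && html.Contains(payload),
            });
        }
        return results;
    }

    // Verbatim reflection only counts as a finding when the payload carries markup.
    private static bool ContainsMarkup(string s)
    {
        return s.IndexOfAny(new[] { '<', '>', '"' }) >= 0;
    }

    public static void Main()
    {
        var builds = new Dictionary<string, Func<string, string>>
        {
            ["vulnerable"] = CommentPage.RenderVulnerable,
            ["fixed"] = CommentPage.RenderFixed,
        };
        foreach (var build in builds)
        {
            var results = Run(build.Value, SamplePayloads);
            var reflected = results.Count(r => r.Reflected);
            Console.WriteLine(build.Key + ": " + reflected + " of " + results.Count + " payloads reflected unencoded");
            foreach (var r in results.Where(x => x.Reflected))
                Console.WriteLine("  " + r.Payload);
        }
    }
}
```

Running `Main` reports the two markup payloads as reflected for the "vulnerable" build and none for the "fixed" one; wiring `Run` into a unit-test framework with an assertion that no result is `Reflected` turns the original finding into a regression test that fails again if the encoding is ever removed.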
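Slide 152's first two steps, isolating the token code into a testable component and mapping its entropy behaviour, can be shown without the exploit half. The C# below is an added example, not O2 code and not the application reviewed in the deck. It assumes a constructed weak generator (`ClockSeededTokenGenerator`, a fresh `System.Random` seeded from the wall clock in seconds, with the clock injected so a test can freeze it) beside a CSPRNG-backed one, and a `TokenEntropyCheck.Measure` helper that draws a batch of tokens and counts how many are distinct.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not O2 or the reviewed application's code. A token generator
// isolated as a testable component, plus a check that maps how much variety
// it actually produces.
public interface ITokenGenerator
{
    string NextToken();
}

// Constructed 'poor crypto' stand-in: a new System.Random seeded from the clock
// in seconds. Every call inside the same second yields the same token.
public sealed class ClockSeededTokenGenerator : ITokenGenerator
{
    private readonly Func<long> _unixSeconds;

    public ClockSeededTokenGenerator(Func<long> unixSeconds) { _unixSeconds = unixSeconds; }

    public string NextToken()
    {
        var rng = new Random((int)(_unixSeconds() % int.MaxValue));
        var bytes = new byte[8];
        rng.NextBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}

// The hardened form: 16 bytes from the OS CSPRNG per token.
public sealed class CsprngTokenGenerator : ITokenGenerator
{
    public string NextToken()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "");
    }
}

public static class TokenEntropyCheck
{
    public sealed class Report
    {
        public int Requested { get; set; }
        public int Distinct { get; set; }
        public double DistinctBits { get; set; }   // log2(distinct); 0 means fully predictable
        public bool LooksPredictable { get { return Distinct < Requested; } }
    }

    // Draw `count` tokens the way one session would and count the unique ones.
    // Any collision in a sample this small is a red flag for the generator.
    public static Report Measure(ITokenGenerator generator, int count)
    {
        var tokens = new HashSet<string>();
        for (var i = 0; i < count; i++) tokens.Add(generator.NextToken());
        return new Report
        {
            Requested = count,
            Distinct = tokens.Count,
            DistinctBits = Math.Log(tokens.Count, 2),
        };
    }

    public static void Main()
    {
        long frozen = 1700000000;   // constructed: clock held inside a single second
        var generators = new Dictionary<string, ITokenGenerator>
        {
            ["clock-seeded"] = new ClockSeededTokenGenerator(() => frozen),
            ["csprng"] = new CsprngTokenGenerator(),
        };
        foreach (var kv in generators)
        {
            var r = Measure(kv.Value, 1000);
            Console.WriteLine(kv.Key + ": " + r.Distinct + "/" + r.Requested + " distinct tokens, ~"
                              + r.DistinctBits.ToString("F1") + " bits, predictable=" + r.LooksPredictable);
        }
    }
}
```

With the clock frozen, the clock-seeded generator returns a single distinct token for all 1000 draws (0 bits), while the CSPRNG version returns 1000 distinct tokens. The same `Measure` call, pointed at the component isolated from the real code base, is the "map its entropy behaviour" step of the slide, and an assertion that `LooksPredictable` is false is the unit test that documents the finding and guards its fix.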
