SlideShare ist ein Scribd-Unternehmen logo

Owasp o2 platform (smaller presentation) august 2011

Als KEY, PDF herunterladen
Dinis Cruz
Dinis Cruz

Presentation on the OWASP O2 Platform (shorter version) see http://o2platform.com and http://o2platform.wordpress.com

TechnologieBusiness
1 von 76
O2 Platform Automating Security Knowledge through Unit Tests
WHAT IS ? and the OWASP O2 PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
is an: OPEN PLATFORM. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
for AUTOMATING. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
APPLICATION SECURITY . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
KNOWLEDGE . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
and WORKFLOWS. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
O2 developer senior consultant security consultant analyst manager GEEK-O-METER
is an: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and O2 developer WORKFLOWS senior consultant security consultant analyst manager GEEK-O-METER
... and when you start using it ... ... you will be able to do impossible things ... O2 developer senior consultant security consultant analyst manager GEEK-O-METER
and your clients will love you O2 developer senior consultant security consultant analyst manager GEEK-O-METER
O2 Quote, by David Campbell O2 developer senior consultant security consultant analyst manager GEEK-O-METER
O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and the O2 developer O2 is the swiss army knife you need to carry. " senior consultant security consultant analyst manager GEEK-O-METER
Key message of this presentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Key message of this presentation NO MORE O2 developer WITH senior consultant security consultant SECURITY FINDINGS analyst manager GEEK-O-METER
Other types of PDF’s O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. • Any client’s deliverable that is not easily consumed by the end user (from developers to managers) is what I’m calling a ‘PDF’ O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SPEAKING DEVS LANGUAGE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 • We need to speak the developer’s language, developer senior consultant leverage their knowledge and create two-way security consultant analyst communication channels manager GEEK-O-METER
We need UnitTests O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 developer senior consultant security consultant analyst manager GEEK-O-METER
We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 • There are lots of other advantages: better developer senior consultant security management reports, WAF rules, etc... consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst TO DEVELOPERS manager GEEK-O-METER
What is O2?
SO WHAT IS O2? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer • Powerful search engine, Graphical Engines, senior consultant security multiple APIs for popular tools/websites and consultant analyst tons of utilities manager GEEK-O-METER
Recapping: OWASP O2 PLATFORM PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Recapping: OWASP O2 PLATFORM PLATFORM The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows O2 and to developer senior consultant security Allow non-security experts to access and consultant analyst consume Security Knowledge and Unit Tests manager GEEK-O-METER
Automating myself O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS DO KEEP O2 developer senior consultant DOING IT BY HAND security consultant analyst manager GEEK-O-METER
THE CHALLENGE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
THE PROBLEM WITH FRAMEWORKS • For this discussion a ‘Framework’ is an environment which augments the capabilities of the core language implementations (.NET Framework or J2EE). Examples of what I call a Frameworks are: Spring, Struts, Microsoft Enterprise Library, SharePoint, WebSphere Portal, SalesForce API, • Each Framework creates its own ‘reality’ almost like a VM (Virtual Machine), where they (for example Spring MVC) create an abstraction layer between the core language (i.e. Java) and the target application. • So, if the scanning engines (Black Box, White Box, Human Brain) don’t explicitly support frameworks, they will NOT understand how they work they and will NOT be able to find security issues in the applications built on top of those frameworks. • It is like trying to use a C++/Binary analyzer to scan JITTED .NET code (i.e. the assembly representation of .NET code) APP XYZ O2 developer senior consultant security SPRING FRAMEWORK consultant analyst J2EE manager GEEK-O-METER
SOME TECHNOLOGICAL SOLUTIONS THAT STILL NEED TO BE SOLVED • All current (Commercial and Open Source) Static Source Code Analysis tools have most (if not all) of the problems below (some have minor/basic coverage of it) • ANALYSIS ENGINEs - Part 1 • Attributes, Collections & other type of objects that receive taint in A and output it in B • Global Variables • Proper Taint Propagation across strings and between data types • Reflection (which creates ‘Hyper Jumps’ between code paths) • Events • Rules based on assemblies/jars versions and not on signatures • Taint Typing (also applied to business logic) • ANALYSIS ENGINEs - Part II • Rules Management (user-friendly process to mass create, edit, modify, import and export) • Join Traces (between application layers or interfaces or ‘Hyper Jumps’) • Read (and understand) configuration files (who have major impact on the attack surface and exploitability) • Auto Attack Surface Markup • Expose Control Flow • Understand Framework behavior • GlassBox • Integration with WB & BB (driving one tool from the other) O2 • Common Reporting developer senior consultant • Note: this (list above) security consultant IS A VERY SMALL & LIMITED LIST of the technologies / techniques that need to be analyst supported when running (manual or automatic, Black or White) scans. manager These capabilities (either when used by non-expert users or by expert security consultants) GEEK-O-METER allows the security engagement to be accurate, effective, consumable and actionable
WHERE WE ARE TODAY and WHERE WE NEED TO BE ASAP • Here is the evolution of technologies and were the current level of support is: ‘Out of the box‘ • 1996-2000: MainFrames, Web Servers, Java, ASP Classic capabilities • 2000-2004: C/C++, .NET Framework, J2EE, PHP is here • 2004-2006: Struts, Spring Framework, Ajax, Flash, Hibernate, Microsoft Enterprise Library • 2006-2009: lots of web innovation going on, here is a small list: O2 is here Languages & Technologies: Aspect, Web Services, REST, Widgets/Gadgets, AIR, Silverlight, Groovy & Grails, Python, Ruby & Ruby on Rails, JSP EL,Velocity, JSF (Faces), Application Platforms / Frameworks: ASP.NET MVC , SharePoint, IBM WebSphere Portal WebSphere Application Portal, SAP (web stuff)), iPhone & Apple iStore Online Applications: SalesForce, Amazon Web Services, MySpace/FaceBook/Twitter OWASP ‘standards/APIs/frameworks’: ESAPI, SAMM, ASVF, etc... And let’s not forget that most enterprise applications have their OWN frameworks and APIs (and sometimes even VMs) O2 developer • 2010-.... : Chrome, cloud computing (vSphere (VMWare’s cloud), senior consultant Azure (Microsoft’s cloud)), Web 3.0 and next generation of all of the above :) security We need consultant analyst to be here manager ASAP GEEK-O-METER
TO SCALE WE NEED TARGETED SOLUTIONS O2 developer senior consultant security consultant analyst manager GEEK-O-METER
HOW TO SCALE: AUTOMATE SECURITY KNOWLEDGE • The only way we will be able to scale (and have these solutions used by a wide audience (from developer’s upwards), is if we are able to ‘capture + automate’ the knowledge, workflow and wisdom of security consultants. And we need to do this in such a way that repeated analysis by non-technical staff will have the same result has the analysis created by an security expert • In a nutshell ... what we need is to do, is to automate the security expert’s brain ... so that we are able to independently use it in a repeatable and consistently way, and once we have done that (automating their brain) ... we can work on making it very simple to use by non-security experts And due to the complexity of each targeted application / framework ... ... this ‘one button’ solution is only possible if .... WE CREATE TARGETED SOLUTIONS & PRODUCT O2 developer senior (see next 4 slides for an example of what this could look like) consultant security consultant analyst Note that today an ‘Application Security Analysis’ engagement is a very: complex, non-repeatable, non- manager scalable, non-measurable, and very opaque (from the client point of view) process. It is also very hard GEEK-O-METER to calculate its ROI
SPRING FRAMEWORK : SECURITY ANALYSIS PLATFORM • Due to the complexity and ‘realities’ created by the Spring Framework, the only way to deal to analyze/expose its behavior is to create fine-tune ‘packages’ of the available technology O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SHAREPOINT (MOSS) : SECURITY ANALYSIS PLATFORM • Same think for frameworks & development environments like Microsoft Office Sharepoint Server (MOSS). Unless we have a customized engine & technology that understands Sharepoint, it is very hard (if not impossible) to (for example) write secure web parts. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
SHAREWORKZ SECURITY ANALYSIS PLATFORM • .... and the same thing applies for for applications built on top MOSS (which also create their own reality and unique class of vulnerabilities (before & after customization) • quote from www.shareworkz.com: “... ShareWorkz helps you get the most from Microsoft SharePoint – quickly! Built in SharePoint Server 2007 Standard Edition, ShareWorkz reduces the time to build and deploy a best practice, enterprise class SharePoint 2007 Solution to 1 month or less...” O2 developer senior consultant security consultant analyst manager GEEK-O-METER
OPEN SOURCE SECURITY ANALYSIS PLATFORM • The Open Source community also needs a generic platform made up of only Open Source or free tools. • This is a very CRITICAL piece of the puzzle, since this is what will enable the wide use of these techniques across the Open Source and Commercial Software development world (it will also allow the Framework developers to be responsible for creating their markups (after all, who better than the Spring developers to help with the development of the “Spring Framework : Security Analysis Platform”) PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Where to go next? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Where Next?
Try O2 and Join the community O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list • Ask questions O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list • Ask questions • Use O2 on your engagements and create Unit Tests for your clients O2 developer senior consultant security consultant analyst manager GEEK-O-METER
Any Questions O2 developer senior consultant security consultant analyst manager GEEK-O-METER

Empfohlen

SDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with AgileSDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with AgileAbdel Moneim Emad
 
Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Jorge Hidalgo
 
Performance Testing in Context; From Simple to Rocket Science
Performance Testing in Context; From Simple to Rocket SciencePerformance Testing in Context; From Simple to Rocket Science
Performance Testing in Context; From Simple to Rocket ScienceScott Barber
 
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...Jorge Hidalgo
 
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)Jorge Hidalgo
 
Innoslate 101: A Webinar for New Users
Innoslate 101: A Webinar for New Users Innoslate 101: A Webinar for New Users
Innoslate 101: A Webinar for New Users SarahCraig7
 
Rational Unified Process for User Interface Design
Rational Unified Process for User Interface DesignRational Unified Process for User Interface Design
Rational Unified Process for User Interface DesignR A Akerkar
 
What's New in Innoslate 4.4?
What's New in Innoslate 4.4?What's New in Innoslate 4.4?
What's New in Innoslate 4.4?SarahCraig7
 

Empfohlen

SDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with AgileSDLC & DevOps Transformation with Agile
SDLC & DevOps Transformation with AgileAbdel Moneim Emad
 
Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Jorge Hidalgo
 
Performance Testing in Context; From Simple to Rocket Science
Performance Testing in Context; From Simple to Rocket SciencePerformance Testing in Context; From Simple to Rocket Science
Performance Testing in Context; From Simple to Rocket ScienceScott Barber
 
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Oracle Code One ...Jorge Hidalgo
 
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)
Multilanguage Pipelines with Jenkins, Docker and Kubernetes (Commit Conf 2018)Jorge Hidalgo
 
Innoslate 101: A Webinar for New Users
Innoslate 101: A Webinar for New Users Innoslate 101: A Webinar for New Users
Innoslate 101: A Webinar for New Users SarahCraig7
 
Rational Unified Process for User Interface Design
Rational Unified Process for User Interface DesignRational Unified Process for User Interface Design
Rational Unified Process for User Interface DesignR A Akerkar
 
What's New in Innoslate 4.4?
What's New in Innoslate 4.4?What's New in Innoslate 4.4?
What's New in Innoslate 4.4?SarahCraig7
 
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryPerforce
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...Jorge Hidalgo
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseJames Wickett
 
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile AppsMachine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile AppsKevin Moran
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
Cast vs sonar
Cast vs sonarCast vs sonar
Cast vs sonarRajesh Kumar
 
What are Model-Based Reviews
What are Model-Based ReviewsWhat are Model-Based Reviews
What are Model-Based ReviewsSarahCraig7
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Kevin Moran
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Continuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps SuccessContinuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps SuccessTechWell
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 
10 Thesen zur professionellen Softwareentwicklung
10 Thesen zur professionellen Softwareentwicklung10 Thesen zur professionellen Softwareentwicklung
10 Thesen zur professionellen SoftwareentwicklungOPITZ CONSULTING Deutschland
 
Gbf08 muggleton commissioning
Gbf08 muggleton commissioningGbf08 muggleton commissioning
Gbf08 muggleton commissioningToronto 2030 District
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsDevOps.com
 
Agile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsAgile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsKurt Solarte
 
Dev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and ComplianceDev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and ComplianceYi-Feng Tzeng
 
From Dev to Ops
From Dev to OpsFrom Dev to Ops
From Dev to OpsOliver Lemm
 
BEE Company Presentation 中英文
BEE Company Presentation 中英文BEE Company Presentation 中英文
BEE Company Presentation 中英文Lucas Wang
 
Test driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CSTest driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CSSven Bernhardt
 
Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360Acumen
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxTurja Narayan Chaudhuri
 

Weitere ähnliche Inhalte

Was ist angesagt?

Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryPerforce
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsDevSecOps Days
 
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...Jorge Hidalgo
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseJames Wickett
 
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile AppsMachine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile AppsKevin Moran
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPriyanka Aash
 
What are Model-Based Reviews
What are Model-Based ReviewsWhat are Model-Based Reviews
What are Model-Based ReviewsSarahCraig7
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Kevin Moran
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps TransformationMichele Chubirka
 
Continuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps SuccessContinuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps SuccessTechWell
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Klocwork
 

Was ist angesagt? (12)

Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service DeliveryAchieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
Achieving Secure DevOps: Overcoming the Risks of Modern Service Delivery
 
Zero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOpsZero to Ninety in Securing DevOps
Zero to Ninety in Securing DevOps
 
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
Multilanguage pipelines with Jenkins, Docker and Kubernetes (DevOpsDays Riga ...
 
DevOps for Defenders in the Enterprise
DevOps for Defenders in the EnterpriseDevOps for Defenders in the Enterprise
DevOps for Defenders in the Enterprise
 
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile AppsMachine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
Machine Learning-Based Prototyping of Graphical User Interfaces for Mobile Apps
 
Practical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOpsPractical appsec lessons learned in the age of agile and DevOps
Practical appsec lessons learned in the age of agile and DevOps
 
Cast vs sonar
Cast vs sonarCast vs sonar
Cast vs sonar
 
What are Model-Based Reviews
What are Model-Based ReviewsWhat are Model-Based Reviews
What are Model-Based Reviews
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Continuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps SuccessContinuous Testing: A Key to DevOps Success
Continuous Testing: A Key to DevOps Success
 
Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009Introducing: Klocwork Insight Pro | November 2009
Introducing: Klocwork Insight Pro | November 2009
 

Ähnlich wie Owasp o2 platform (smaller presentation) august 2011

You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsDevOps.com
 
Agile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsAgile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsKurt Solarte
 
Dev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and ComplianceDev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and ComplianceYi-Feng Tzeng
 
BEE Company Presentation 中英文
BEE Company Presentation 中英文BEE Company Presentation 中英文
BEE Company Presentation 中英文Lucas Wang
 
Test driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CSTest driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CSSven Bernhardt
 
Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360Acumen
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxTurja Narayan Chaudhuri
 
Behavior Driven Development (BDD)
Behavior Driven Development (BDD)Behavior Driven Development (BDD)
Behavior Driven Development (BDD)Ajay Danait
 
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...Project Controls Expo
 
Latest Resume latest uploaded wala
Latest Resume latest uploaded walaLatest Resume latest uploaded wala
Latest Resume latest uploaded walaAmit Mishra
 
COCOMO methods for software size estimation
COCOMO methods for software size estimationCOCOMO methods for software size estimation
COCOMO methods for software size estimationPramod Parajuli
 
PGK Services Presentation
PGK Services PresentationPGK Services Presentation
PGK Services Presentationkmalec
 
Conjugate consulting & outsoucing ltd
Conjugate consulting & outsoucing ltdConjugate consulting & outsoucing ltd
Conjugate consulting & outsoucing ltdConjugate
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowAmien Harisen Rosyandino
 
Be a winner…use requirements engineering p
Be a winner…use requirements engineering pBe a winner…use requirements engineering p
Be a winner…use requirements engineering pSven Krause
 

Ähnlich wie Owasp o2 platform (smaller presentation) august 2011 (20)

10 Thesen zur professionellen Softwareentwicklung
10 Thesen zur professionellen Softwareentwicklung10 Thesen zur professionellen Softwareentwicklung
10 Thesen zur professionellen Softwareentwicklung
 
Gbf08 muggleton commissioning
Gbf08 muggleton commissioningGbf08 muggleton commissioning
Gbf08 muggleton commissioning
 
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOpsYou Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
You Build It, You Secure It: Higher Velocity and Better Security with DevSecOps
 
Agile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsAgile Requirements by Agile Analysts
Agile Requirements by Agile Analysts
 
Dev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and ComplianceDev(Sec)Ops - Architecture for Security and Compliance
Dev(Sec)Ops - Architecture for Security and Compliance
 
From Dev to Ops
From Dev to OpsFrom Dev to Ops
From Dev to Ops
 
BEE Company Presentation 中英文
BEE Company Presentation 中英文BEE Company Presentation 中英文
BEE Company Presentation 中英文
 
Test driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CSTest driven cloud development using Oracle SOA CS and Oracle Developer CS
Test driven cloud development using Oracle SOA CS and Oracle Developer CS
 
Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360Dr. McNatty Webinar: An Introduction to Acumen 360
Dr. McNatty Webinar: An Introduction to Acumen 360
 
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptxDevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
DevSecOps in the Cloud from the Lens of a Well-Architected Framework.pptx
 
Behavior Driven Development (BDD)
Behavior Driven Development (BDD)Behavior Driven Development (BDD)
Behavior Driven Development (BDD)
 
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...
Project Controls Expo 09/10 Nov London 2011 - "Fuse® ‐ The ‘One‐Stop Shop’ F...
 
SPEC Process Engineering&Construction
SPEC Process Engineering&ConstructionSPEC Process Engineering&Construction
SPEC Process Engineering&Construction
 
Latest Resume latest uploaded wala
Latest Resume latest uploaded walaLatest Resume latest uploaded wala
Latest Resume latest uploaded wala
 
bg Meetup München - DevOps Demystified
bg Meetup München - DevOps Demystifiedbg Meetup München - DevOps Demystified
bg Meetup München - DevOps Demystified
 
COCOMO methods for software size estimation
COCOMO methods for software size estimationCOCOMO methods for software size estimation
COCOMO methods for software size estimation
 
PGK Services Presentation
PGK Services PresentationPGK Services Presentation
PGK Services Presentation
 
Conjugate consulting & outsoucing ltd
Conjugate consulting & outsoucing ltdConjugate consulting & outsoucing ltd
Conjugate consulting & outsoucing ltd
 
Pentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrowPentest is yesterday, DevSecOps is tomorrow
Pentest is yesterday, DevSecOps is tomorrow
 
Be a winner…use requirements engineering p
Be a winner…use requirements engineering pBe a winner…use requirements engineering p
Be a winner…use requirements engineering p
 

Mehr von Dinis Cruz

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Dinis Cruz
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesDinis Cruz
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsDinis Cruz
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceDinis Cruz
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Dinis Cruz
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data scienceDinis Cruz
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyDinis Cruz
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Dinis Cruz
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityDinis Cruz
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsDinis Cruz
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)Dinis Cruz
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 Dinis Cruz
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)Dinis Cruz
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Dinis Cruz
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Dinis Cruz
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)Dinis Cruz
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Dinis Cruz
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febDinis Cruz
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febDinis Cruz
 

Mehr von Dinis Cruz (20)

Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
Map camp - Why context is your crown jewels (Wardley Maps and Threat Modeling)
 
Glasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted FilesGlasswall - Safety and Integrity Through Trusted Files
Glasswall - Safety and Integrity Through Trusted Files
 
Glasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidentsGlasswall - How to Prevent, Detect and React to Ransomware incidents
Glasswall - How to Prevent, Detect and React to Ransomware incidents
 
The benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC ConferenceThe benefits of police and industry investigation - NPCC Conference
The benefits of police and industry investigation - NPCC Conference
 
Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019Serverless Security Workflows - cyber talks - 19th nov 2019
Serverless Security Workflows - cyber talks - 19th nov 2019
 
Modern security using graphs, automation and data science
Modern security using graphs, automation and data scienceModern security using graphs, automation and data science
Modern security using graphs, automation and data science
 
Using Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and StrategyUsing Wardley Maps to Understand Security's Landscape and Strategy
Using Wardley Maps to Understand Security's Landscape and Strategy
 
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2Dinis Cruz (CV) - CISO and Transformation Agent v1.2
Dinis Cruz (CV) - CISO and Transformation Agent v1.2
 
Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)Making fact based decisions and 4 board decisions (Oct 2019)
Making fact based decisions and 4 board decisions (Oct 2019)
 
CISO Application presentation - Babylon health security
CISO Application presentation - Babylon health securityCISO Application presentation - Babylon health security
CISO Application presentation - Babylon health security
 
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security DecisionsUsing OWASP Security Bot (OSBot) to make Fact Based Security Decisions
Using OWASP Security Bot (OSBot) to make Fact Based Security Decisions
 
GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)GSBot Commands (Slack Bot used to access Jira data)
GSBot Commands (Slack Bot used to access Jira data)
 
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6 (OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
(OLD VERSION) Dinis Cruz (CV) - CISO and Transformation Agent v0.6
 
OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)OSBot - Data transformation workflow (from GSheet to Jupyter)
OSBot - Data transformation workflow (from GSheet to Jupyter)
 
Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)Jira schemas - Open Security Summit (Working Session 21th May 2019)
Jira schemas - Open Security Summit (Working Session 21th May 2019)
 
Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"Template for "Sharing anonymised risk theme dashboards v0.8"
Template for "Sharing anonymised risk theme dashboards v0.8"
 
Owasp and summits (may 2019)
Owasp and summits (may 2019)Owasp and summits (may 2019)
Owasp and summits (may 2019)
 
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
Creating a graph based security organisation - Apr 2019 (OWASP London chapter...
 
Open security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th febOpen security summit 2019 owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th febOwasp summit 2019 - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Kürzlich hochgeladen

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 

Kürzlich hochgeladen (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 

Owasp o2 platform (smaller presentation) august 2011

  • 1. O2 Platform Automating Security Knowledge through Unit Tests
  • 2. WHAT IS ? and the OWASP O2 PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 3. is an: OPEN PLATFORM. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 4. for AUTOMATING. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 5. APPLICATION SECURITY . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 6. KNOWLEDGE . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 7. and WORKFLOWS. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 8. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 9. is an: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 10. is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and O2 developer WORKFLOWS senior consultant security consultant analyst manager GEEK-O-METER
  • 11. ... and when you start using it ... ... you will be able to do impossible things ... O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 12. and your clients will love you O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 13. O2 Quote, by David Campbell O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 14. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 15. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 16. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and the O2 developer O2 is the swiss army knife you need to carry. " senior consultant security consultant analyst manager GEEK-O-METER
  • 17. Key message of this presentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 18. Key message of this presentation NO MORE O2 developer WITH senior consultant security consultant SECURITY FINDINGS analyst manager GEEK-O-METER
  • 19. Other types of PDF’s O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 20. Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 21. Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. • Any client’s deliverable that is not easily consumed by the end user (from developers to managers) is what I’m calling a ‘PDF’ O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 22. SPEAKING DEVS LANGUAGE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 23. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 24. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 25. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 26. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 • We need to speak the developer’s language, developer senior consultant leverage their knowledge and create two-way security consultant analyst communication channels manager GEEK-O-METER
  • 27. We need UnitTests O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 28. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 29. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 30. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 31. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 32. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 33. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 34. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 35. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 • There are lots of other advantages: better developer senior consultant security management reports, WAF rules, etc... consultant analyst manager GEEK-O-METER
  • 36. SECURITY BY DESIGN & DEFAULT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 37. SECURITY BY DESIGN & DEFAULT DELIVERING O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 38. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 39. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 40. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 41. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 42. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst TO DEVELOPERS manager GEEK-O-METER
  • 44. SO WHAT IS O2? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 45. SO WHAT IS O2? • Scripting Engine and development environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 46. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 47. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 48. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 49. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 50. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 51. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 52. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 53. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer • Powerful search engine, Graphical Engines, senior consultant security multiple APIs for popular tools/websites and consultant analyst tons of utilities manager GEEK-O-METER
  • 54. Recapping: OWASP O2 PLATFORM PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 55. Recapping: OWASP O2 PLATFORM PLATFORM The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows O2 and to developer senior consultant security Allow non-security experts to access and consultant analyst consume Security Knowledge and Unit Tests manager GEEK-O-METER
  • 56. Automating myself O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 57. Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 58. Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS DO KEEP O2 developer senior consultant DOING IT BY HAND security consultant analyst manager GEEK-O-METER
  • 59. THE CHALLENGE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 60. THE PROBLEM WITH FRAMEWORKS • For this discussion a ‘Framework’ is an environment which augments the capabilities of the core language implementations (.NET Framework or J2EE). Examples of what I call a Frameworks are: Spring, Struts, Microsoft Enterprise Library, SharePoint, WebSphere Portal, SalesForce API, • Each Framework creates its own ‘reality’ almost like a VM (Virtual Machine), where they (for example Spring MVC) create an abstraction layer between the core language (i.e. Java) and the target application. • So, if the scanning engines (Black Box, White Box, Human Brain) don’t explicitly support frameworks, they will NOT understand how they work they and will NOT be able to find security issues in the applications built on top of those frameworks. • It is like trying to use a C++/Binary analyzer to scan JITTED .NET code (i.e. the assembly representation of .NET code) APP XYZ O2 developer senior consultant security SPRING FRAMEWORK consultant analyst J2EE manager GEEK-O-METER
  • 61. SOME TECHNOLOGICAL SOLUTIONS THAT STILL NEED TO BE SOLVED • All current (Commercial and Open Source) Static Source Code Analysis tools have most (if not all) of the problems below (some have minor/basic coverage of it) • ANALYSIS ENGINEs - Part 1 • Attributes, Collections & other type of objects that receive taint in A and output it in B • Global Variables • Proper Taint Propagation across strings and between data types • Reflection (which creates ‘Hyper Jumps’ between code paths) • Events • Rules based on assemblies/jars versions and not on signatures • Taint Typing (also applied to business logic) • ANALYSIS ENGINEs - Part II • Rules Management (user-friendly process to mass create, edit, modify, import and export) • Join Traces (between application layers or interfaces or ‘Hyper Jumps’) • Read (and understand) configuration files (who have major impact on the attack surface and exploitability) • Auto Attack Surface Markup • Expose Control Flow • Understand Framework behavior • GlassBox • Integration with WB & BB (driving one tool from the other) O2 • Common Reporting developer senior consultant • Note: this (list above) security consultant IS A VERY SMALL & LIMITED LIST of the technologies / techniques that need to be analyst supported when running (manual or automatic, Black or White) scans. manager These capabilities (either when used by non-expert users or by expert security consultants) GEEK-O-METER allows the security engagement to be accurate, effective, consumable and actionable
  • 62. WHERE WE ARE TODAY and WHERE WE NEED TO BE ASAP • Here is the evolution of technologies and were the current level of support is: ‘Out of the box‘ • 1996-2000: MainFrames, Web Servers, Java, ASP Classic capabilities • 2000-2004: C/C++, .NET Framework, J2EE, PHP is here • 2004-2006: Struts, Spring Framework, Ajax, Flash, Hibernate, Microsoft Enterprise Library • 2006-2009: lots of web innovation going on, here is a small list: O2 is here Languages & Technologies: Aspect, Web Services, REST, Widgets/Gadgets, AIR, Silverlight, Groovy & Grails, Python, Ruby & Ruby on Rails, JSP EL,Velocity, JSF (Faces), Application Platforms / Frameworks: ASP.NET MVC , SharePoint, IBM WebSphere Portal WebSphere Application Portal, SAP (web stuff)), iPhone & Apple iStore Online Applications: SalesForce, Amazon Web Services, MySpace/FaceBook/Twitter OWASP ‘standards/APIs/frameworks’: ESAPI, SAMM, ASVF, etc... And let’s not forget that most enterprise applications have their OWN frameworks and APIs (and sometimes even VMs) O2 developer • 2010-.... : Chrome, cloud computing (vSphere (VMWare’s cloud), senior consultant Azure (Microsoft’s cloud)), Web 3.0 and next generation of all of the above :) security We need consultant analyst to be here manager ASAP GEEK-O-METER
  • 63. TO SCALE WE NEED TARGETED SOLUTIONS O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 64. HOW TO SCALE: AUTOMATE SECURITY KNOWLEDGE • The only way we will be able to scale (and have these solutions used by a wide audience (from developer’s upwards), is if we are able to ‘capture + automate’ the knowledge, workflow and wisdom of security consultants. And we need to do this in such a way that repeated analysis by non-technical staff will have the same result has the analysis created by an security expert • In a nutshell ... what we need is to do, is to automate the security expert’s brain ... so that we are able to independently use it in a repeatable and consistently way, and once we have done that (automating their brain) ... we can work on making it very simple to use by non-security experts And due to the complexity of each targeted application / framework ... ... this ‘one button’ solution is only possible if .... WE CREATE TARGETED SOLUTIONS & PRODUCT O2 developer senior (see next 4 slides for an example of what this could look like) consultant security consultant analyst Note that today an ‘Application Security Analysis’ engagement is a very: complex, non-repeatable, non- manager scalable, non-measurable, and very opaque (from the client point of view) process. It is also very hard GEEK-O-METER to calculate its ROI
  • 65. SPRING FRAMEWORK : SECURITY ANALYSIS PLATFORM • Due to the complexity and ‘realities’ created by the Spring Framework, the only way to deal to analyze/expose its behavior is to create fine-tune ‘packages’ of the available technology O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 66. SHAREPOINT (MOSS) : SECURITY ANALYSIS PLATFORM • Same think for frameworks & development environments like Microsoft Office Sharepoint Server (MOSS). Unless we have a customized engine & technology that understands Sharepoint, it is very hard (if not impossible) to (for example) write secure web parts. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 67. SHAREWORKZ SECURITY ANALYSIS PLATFORM • .... and the same thing applies for for applications built on top MOSS (which also create their own reality and unique class of vulnerabilities (before & after customization) • quote from www.shareworkz.com: “... ShareWorkz helps you get the most from Microsoft SharePoint – quickly! Built in SharePoint Server 2007 Standard Edition, ShareWorkz reduces the time to build and deploy a best practice, enterprise class SharePoint 2007 Solution to 1 month or less...” O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 68. OPEN SOURCE SECURITY ANALYSIS PLATFORM • The Open Source community also needs a generic platform made up of only Open Source or free tools. • This is a very CRITICAL piece of the puzzle, since this is what will enable the wide use of these techniques across the Open Source and Commercial Software development world (it will also allow the Framework developers to be responsible for creating their markups (after all, who better than the Spring developers to help with the development of the “Spring Framework : Security Analysis Platform”) PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 69. Where to go next? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 71. Try O2 and Join the community O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 72. Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 73. Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 74. Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list • Ask questions O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 75. Try O2 and Join the community • Go to http://o2platform.com to download O2 and read the documentation • Join the O2 Mailing list • Ask questions • Use O2 on your engagements and create Unit Tests for your clients O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  • 76. Any Questions O2 developer senior consultant security consultant analyst manager GEEK-O-METER

Hinweis der Redaktion

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n
  41. \n
  42. \n
  43. \n
  44. \n
  45. \n
  46. \n
  47. \n
  48. \n
  49. \n
  50. \n
  51. \n
  52. \n
  53. \n
  54. \n
  55. \n
  56. \n
  57. \n
  58. \n
  59. \n
  60. \n
  61. \n
  62. \n
  63. \n
  64. \n
  65. \n
  66. \n
  67. \n