SlideShare ist ein Scribd-Unternehmen logo

Hacking Encounters of the 3rd Kind

Imperva
Imperva

As the software world evolves, more and more companies rely on 3rd party applications and software components as part of their infrastructure. However, this approach does not come without risks. The implementation of 3rd party applications has its advantages, chief among them shortened development time frames and increased software maturity. Despite these obvious benefits, organizations must remain aware of potential security implications. This presentation will: - Explain how 3rd party software vulnerabilities might lead to a data breach - Deliver examples of incidents and how they occur - Discuss the effectiveness of patching

Technologie
1 von 35
Downloaden Sie, um offline zu lesen
© 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind Looking Into the Security Impact of 3rd Party Software Confidential1 Barry Shteiman, Director of Security Strategy, Imperva
© 2014 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction §  What is 3rd party software §  Latest examples §  Hacking of a known component §  Addressing the problem §  Wrap up
© 2014 Imperva, Inc. All rights reserved. Barry Shteiman, Director of Security Strategy Confidential3 §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  Twitter @bshteiman
© 2014 Imperva, Inc. All rights reserved. What Is 3rd Party Software Confidential4
© 2014 Imperva, Inc. All rights reserved. 3rd Party Software Defined Confidential5 A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
© 2014 Imperva, Inc. All rights reserved. Identified by Type Confidential6 •  Software created by a 3rd party supplier •  Software components created by a 3rd party •  Infrastructure/Software as a service
© 2014 Imperva, Inc. All rights reserved.7 Adoption According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential 72% 18% 9% 1% Application by supplier type Internally Developed Commercial Open Source Outsourced
© 2014 Imperva, Inc. All rights reserved. Pros vs. Cons Confidential8 •  Reduced development time and cost •  Smaller R&D team is required •  Mature solution used by many •  Delayed/No SLA on Patches •  SDLC Gap •  Patches may introduce new bugs
© 2014 Imperva, Inc. All rights reserved. OWASP Top 10, “Using Known Vulnerable Components” Confidential9 Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Source: OWASP Top 10 2013 Whitepaper
© 2014 Imperva, Inc. All rights reserved. What’s Vulnerable? Confidential10 Source: Aspect Security’s study “Understanding Security Risks in OSS Components” Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
© 2014 Imperva, Inc. All rights reserved. Landscape Impact Confidential11 Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389 Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
© 2014 Imperva, Inc. All rights reserved. Into the Wild Confidential12 Looking Into Recent Incidents
© 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential13 Source: Topsy social analytics
© 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential14 Source: Topsy social analytics
© 2014 Imperva, Inc. All rights reserved. Ever Seen a Bleeding Server? Confidential15 Heartbleed (CVE-2014-0160) •  A bug in OpenSSL, allowing data leakage directly from server memory •  OpenSSL is used for Web servers, network appliances, and client software packages •  OpenSSL runs on 66% of SSL protected websites Sources: - Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html - Heartbleed.com
© 2014 Imperva, Inc. All rights reserved. But I Can Patch It! Can’t I? Confidential16 ChangeCipherSpec (CVE-2014-0224)
© 2014 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/ Wordpress Plugin vulnerabilities… A Petri Dish.
© 2014 Imperva, Inc. All rights reserved. From Our Own Threat Advisories Confidential18
© 2014 Imperva, Inc. All rights reserved. Show Me More Confidential19 Hacking of a Known Component
© 2014 Imperva, Inc. All rights reserved. Zero-Days vs. Known Vulnerabilities Confidential20 §  Zero-Days gets all the glory •  Technically interesting •  Give rise to some interesting theoretical questions: How to defend the “unknown unknowns?” §  But known vulnerabilities are doing a lot of the damage •  Provide hackers with a very cost- effective method to exploit applications http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
© 2014 Imperva, Inc. All rights reserved. Confidential21 Hacking a Known Component Apache Tomcat, running Apache Struts2 library. Target server is running a couple of applications that use the Struts library
© 2014 Imperva, Inc. All rights reserved. Confidential22 Hacking a Known Component Struts2 showcase application, running with the Struts2 library.
© 2014 Imperva, Inc. All rights reserved. Hacking a Known Component Confidential23 Source: www.exploit-db.com Lets find ourselves a nice exploit for Struts Apache has many extension libraries, Struts is amongst the most popular library.
© 2014 Imperva, Inc. All rights reserved. Lets Attack Apache Struts Confidential24 CVE of the day: CVE-2013-2251, Now we need an exploit!
© 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential25
© 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential26 Hacker now owns the server. PWN3D! Injection Complete Attempting Remote Code Injection
© 2014 Imperva, Inc. All rights reserved. Botnets Are Targeting Known Components Confidential27 Recently Observed: •  Botnets scan public servers for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the botnet
© 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential28 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team
© 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential29 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
© 2014 Imperva, Inc. All rights reserved. Addressing the Problem Confidential30
© 2014 Imperva, Inc. All rights reserved. Explore the Options Confidential31 1.  Don’t use 3rd Party Components? 2.  Use 3rd Party Components, Responsibly •  Identify 3rd party components, Track versions and dependencies •  Monitor security state of components •  Continuously pentest the application that includes third party components •  Create an acceptance process for new components which includes security validation •  Disable unused functionality •  Introduce compensating controls, such as Web Application Firewalls to reduce risk
© 2014 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage §  Have processes and controls in place to effectively manage and secure code involving 3rd party components §  Continuously monitor Recommendations 32 Confidential32
© 2014 Imperva, Inc. All rights reserved. Webinar Materials 33 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
© 2014 Imperva, Inc. All rights reserved. Questions? Confidential34 www.imperva.com
© 2014 Imperva, Inc. All rights reserved. Thank You 35 Confidential

Empfohlen

Imperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindImperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindBarry Shteiman
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 
Av is dead long live managed endpoint security
Av is dead long live managed endpoint securityAv is dead long live managed endpoint security
Av is dead long live managed endpoint securitySolarwinds N-able
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 

Empfohlen

Imperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindImperva - Hacking encounters of the 3rd kind
Imperva - Hacking encounters of the 3rd kindBarry Shteiman
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3Defending Servers - Cyber security webinar part 3
Defending Servers - Cyber security webinar part 3F-Secure Corporation
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 
Av is dead long live managed endpoint security
Av is dead long live managed endpoint securityAv is dead long live managed endpoint security
Av is dead long live managed endpoint securitySolarwinds N-able
 
Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Chasing the Adder. A tale from the APT world...
Chasing the Adder. A tale from the APT world...Stefano Maccaglia
 
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singaporen|u - The Open Security Community
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Malicious software
Malicious softwareMalicious software
Malicious softwareCAS
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesImperva
 

Weitere ähnliche Inhalte

Was ist angesagt?

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Sonatype
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYBlack Duck by Synopsys
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applicationseightbit
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open SourceBlack Duck by Synopsys
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Sonatype
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesAmit Kumbhar
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source SecuritySander Temme
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsSonatype
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open SourceShane Coughlan
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
 
Malicious software
Malicious softwareMalicious software
Malicious softwareCAS
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsAlienVault
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 

Was ist angesagt? (20)

Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
Aliens in Your Apps! Are You Using Components With Known Vulnerabilities?
 
FROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITYFROM OPEN SOURCE COMPLIANCE TO SECURITY
FROM OPEN SOURCE COMPLIANCE TO SECURITY
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Application Security in the Age of Open Source
Application Security in the Age of Open SourceApplication Security in the Age of Open Source
Application Security in the Age of Open Source
 
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
Understanding & Addressing OWASP’s Newest Top Ten Threat: Using Components wi...
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Exploits Attack on Windows Vulnerabilities
Exploits Attack on Windows VulnerabilitiesExploits Attack on Windows Vulnerabilities
Exploits Attack on Windows Vulnerabilities
 
Open Source Security
Open Source SecurityOpen Source Security
Open Source Security
 
Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your ApplicationsWhite Paper: 7 Security Gaps in the Neglected 90% of your Applications
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
 
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...
 
(In)security in Open Source
(In)security in Open Source(In)security in Open Source
(In)security in Open Source
 
Automating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSourceAutomating Open Source Security: A SANS Review of WhiteSource
Automating Open Source Security: A SANS Review of WhiteSource
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 

Ähnlich wie Hacking Encounters of the 3rd Kind

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesImperva
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsImperva
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised InsiderImperva
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemDenim Group
 
Follow the Money, Follow the Crime
Follow the Money, Follow the CrimeFollow the Money, Follow the Crime
Follow the Money, Follow the CrimeIBM Security
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationBlack Duck by Synopsys
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security RisksImperva
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsIBM Security
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalImperva
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecIBM Security
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM Security
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgEric Vanderburg
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Frank Lesniak
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core SecurityCore Security
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application SecurityJavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application SecurityTheresa Mammarella
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsFireEye, Inc.
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurityRogue Wave Software
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare ☁
 

Ähnlich wie Hacking Encounters of the 3rd Kind (20)

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known VulnerabilitiesBleeding Servers – How Hackers are Exploiting Known Vulnerabilities
Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities
 
Protecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-onsProtecting Against Vulnerabilities in SharePoint Add-ons
Protecting Against Vulnerabilities in SharePoint Add-ons
 
Anatomy of the Compromised Insider
Anatomy of the Compromised InsiderAnatomy of the Compromised Insider
Anatomy of the Compromised Insider
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
 
Follow the Money, Follow the Crime
Follow the Money, Follow the CrimeFollow the Money, Follow the Crime
Follow the Money, Follow the Crime
 
RVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene PresentationRVAsec Bill Weinberg Open Source Hygiene Presentation
RVAsec Bill Weinberg Open Source Hygiene Presentation
 
6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks6 Most Surprising SharePoint Security Risks
6 Most Surprising SharePoint Security Risks
 
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your EndpointsMalware in a JAR: How Rogue Java Applications Compromise your Endpoints
Malware in a JAR: How Rogue Java Applications Compromise your Endpoints
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App SecWhat the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
What the New OWASP Top 10 2013 and Latest X-Force Report Mean for App Sec
 
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence QuarterlyIBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
IBM X-Force: Insights from the 1Q 2015 X-Force Threat Intelligence Quarterly
 
Countering malware threats - Eric Vanderburg
Countering malware threats - Eric VanderburgCountering malware threats - Eric Vanderburg
Countering malware threats - Eric Vanderburg
 
Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...Practical AD Security: How to Secure Your Active Directory Network Without Br...
Practical AD Security: How to Secure Your Active Directory Network Without Br...
 
Application security
Application securityApplication security
Application security
 
Know Your Attacker - Core Security
Know Your Attacker - Core SecurityKnow Your Attacker - Core Security
Know Your Attacker - Core Security
 
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application SecurityJavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
JavaZone 2023: CVE 101: A Developer's Guide to the World of Application Security
 
Proatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security TeamsProatively Engaged: Questions Executives Should Ask Their Security Teams
Proatively Engaged: Questions Executives Should Ask Their Security Teams
 
The road towards better automotive cybersecurity
The road towards better automotive cybersecurityThe road towards better automotive cybersecurity
The road towards better automotive cybersecurity
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 

Mehr von Imperva

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyImperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security SurveyImperva
 
Imperva ppt
Imperva pptImperva ppt
Imperva pptImperva
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountImperva
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Imperva
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesImperva
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchImperva
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecurityImperva
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRImperva
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware Imperva
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged VendorsImperva
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet SophisticationImperva
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made EasyImperva
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceImperva
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyImperva
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR PlanImperva
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataImperva
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityImperva
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationImperva
 

Mehr von Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Kürzlich hochgeladen

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

Hacking Encounters of the 3rd Kind

  • 1. © 2014 Imperva, Inc. All rights reserved. Hacking Encounters of the 3rd Kind Looking Into the Security Impact of 3rd Party Software Confidential1 Barry Shteiman, Director of Security Strategy, Imperva
  • 2. © 2014 Imperva, Inc. All rights reserved. Agenda Confidential2 §  Introduction §  What is 3rd party software §  Latest examples §  Hacking of a known component §  Addressing the problem §  Wrap up
  • 3. © 2014 Imperva, Inc. All rights reserved. Barry Shteiman, Director of Security Strategy Confidential3 §  Security Researcher working with the CTO office §  Author of several application security tools, including HULK §  Open source security projects code contributor §  Twitter @bshteiman
  • 4. © 2014 Imperva, Inc. All rights reserved. What Is 3rd Party Software Confidential4
  • 5. © 2014 Imperva, Inc. All rights reserved. 3rd Party Software Defined Confidential5 A third-party software component is a reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. Source: Wikipedia, http://en.wikipedia.org/wiki/Third-party_software_component
  • 6. © 2014 Imperva, Inc. All rights reserved. Identified by Type Confidential6 •  Software created by a 3rd party supplier •  Software components created by a 3rd party •  Infrastructure/Software as a service
  • 7. © 2014 Imperva, Inc. All rights reserved.7 Adoption According to Veracode: •  “Up to 70% of internally developed code originates outside of the development team” •  28% of assessed applications are identified as created by a 3rd party Confidential 72% 18% 9% 1% Application by supplier type Internally Developed Commercial Open Source Outsourced
  • 8. © 2014 Imperva, Inc. All rights reserved. Pros vs. Cons Confidential8 •  Reduced development time and cost •  Smaller R&D team is required •  Mature solution used by many •  Delayed/No SLA on Patches •  SDLC Gap •  Patches may introduce new bugs
  • 9. © 2014 Imperva, Inc. All rights reserved. OWASP Top 10, “Using Known Vulnerable Components” Confidential9 Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. Source: OWASP Top 10 2013 Whitepaper
  • 10. © 2014 Imperva, Inc. All rights reserved. What’s Vulnerable? Confidential10 Source: Aspect Security’s study “Understanding Security Risks in OSS Components” Aspect Security study: “A recent study by Aspect Security of over 113 million library downloads by developers in 60,000 organizations, showed that 26 percent of those downloads contain known vulnerabilities.”
  • 11. © 2014 Imperva, Inc. All rights reserved. Landscape Impact Confidential11 Source: Secunia Vulnerability Review 2014 http://secunia.com/company/news/1208-vulnerabilities-in-the-50-most-popular-programs---76-from-third-party-programs-389 Secunia: 1,208 vulnerabilities in the 50 most popular programs - 76% from third-party programs
  • 12. © 2014 Imperva, Inc. All rights reserved. Into the Wild Confidential12 Looking Into Recent Incidents
  • 13. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential13 Source: Topsy social analytics
  • 14. © 2014 Imperva, Inc. All rights reserved. A Social Experiment Confidential14 Source: Topsy social analytics
  • 15. © 2014 Imperva, Inc. All rights reserved. Ever Seen a Bleeding Server? Confidential15 Heartbleed (CVE-2014-0160) •  A bug in OpenSSL, allowing data leakage directly from server memory •  OpenSSL is used for Web servers, network appliances, and client software packages •  OpenSSL runs on 66% of SSL protected websites Sources: - Netcraft - http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html - Heartbleed.com
  • 16. © 2014 Imperva, Inc. All rights reserved. But I Can Patch It! Can’t I? Confidential16 ChangeCipherSpec (CVE-2014-0224)
  • 17. © 2014 Imperva, Inc. All rights reserved. 3rd Party Code Driven Incidents Confidential17 Source: ZDNet - http://www.zdnet.com/wordpress-plugin-vulns-affect-over-20-million-downloads-7000031703/ Wordpress Plugin vulnerabilities… A Petri Dish.
  • 18. © 2014 Imperva, Inc. All rights reserved. From Our Own Threat Advisories Confidential18
  • 19. © 2014 Imperva, Inc. All rights reserved. Show Me More Confidential19 Hacking of a Known Component
  • 20. © 2014 Imperva, Inc. All rights reserved. Zero-Days vs. Known Vulnerabilities Confidential20 §  Zero-Days gets all the glory •  Technically interesting •  Give rise to some interesting theoretical questions: How to defend the “unknown unknowns?” §  But known vulnerabilities are doing a lot of the damage •  Provide hackers with a very cost- effective method to exploit applications http://faildesk.net/wp-content/uploads/2012/02/movie-hacking-vs.-real-hacking.gif
  • 21. © 2014 Imperva, Inc. All rights reserved. Confidential21 Hacking a Known Component Apache Tomcat, running Apache Struts2 library. Target server is running a couple of applications that use the Struts library
  • 22. © 2014 Imperva, Inc. All rights reserved. Confidential22 Hacking a Known Component Struts2 showcase application, running with the Struts2 library.
  • 23. © 2014 Imperva, Inc. All rights reserved. Hacking a Known Component Confidential23 Source: www.exploit-db.com Lets find ourselves a nice exploit for Struts Apache has many extension libraries, Struts is amongst the most popular library.
  • 24. © 2014 Imperva, Inc. All rights reserved. Lets Attack Apache Struts Confidential24 CVE of the day: CVE-2013-2251, Now we need an exploit!
  • 25. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential25
  • 26. © 2014 Imperva, Inc. All rights reserved. Remote Code Execution Confidential26 Hacker now owns the server. PWN3D! Injection Complete Attempting Remote Code Injection
  • 27. © 2014 Imperva, Inc. All rights reserved. Botnets Are Targeting Known Components Confidential27 Recently Observed: •  Botnets scan public servers for vulnerabilities •  Inject Hijack/Drive-by code to vulnerable systems •  Onboarding hijacked systems into the botnet
  • 28. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential28 Botnet operator uses zombies to scan sites for vulnerabilities * As observed by Imperva’s ADC Research Team
  • 29. © 2014 Imperva, Inc. All rights reserved. From a Botnet Communication Confidential29 Botnet exploits vulnerabilities and absorbs victim servers * As observed by Imperva’s ADC Research Team
  • 30. © 2014 Imperva, Inc. All rights reserved. Addressing the Problem Confidential30
  • 31. © 2014 Imperva, Inc. All rights reserved. Explore the Options Confidential31 1.  Don’t use 3rd Party Components? 2.  Use 3rd Party Components, Responsibly •  Identify 3rd party components, Track versions and dependencies •  Monitor security state of components •  Continuously pentest the application that includes third party components •  Create an acceptance process for new components which includes security validation •  Disable unused functionality •  Introduce compensating controls, such as Web Application Firewalls to reduce risk
  • 32. © 2014 Imperva, Inc. All rights reserved. When a company builds its security model it usually does not take into account elements that are not in control, which creates the security hole. Companies should: §  Implement policies both on the legal and technical aspects to control data access and data usage §  Have processes and controls in place to effectively manage and secure code involving 3rd party components §  Continuously monitor Recommendations 32 Confidential32
  • 33. © 2014 Imperva, Inc. All rights reserved. Webinar Materials 33 Post-Webinar Discussions Answers to Attendee Questions Webinar Recording Link Join Group Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
  • 34. © 2014 Imperva, Inc. All rights reserved. Questions? Confidential34 www.imperva.com
  • 35. © 2014 Imperva, Inc. All rights reserved. Thank You 35 Confidential