Slide 1 (© 2019 CONFIDENTIAL)
Alex Ong, ongbp@onet.sg, +6017-3180163
Solutions Architect, OneT Solutions Pte Ltd.
COMMON SECURITY
MISCONCEPTIONS
Slide 2
ABOUT SPEAKER
Slide 3
About Alex (Matthew) Ong
• 20+ years (since 1997) in ICT or related industries
• Certified Sun Microsystems (now Oracle) Train the Trainer
• Ex-MIMOS Master Trainer (2014-2016)
• Master Trainer HRDF, Australian TAE40110 certified
• Cross-industry and process regional consultation:
• ICT, education, manufacturing
• Financial banking, telecommunication
• Defense: I can neither confirm nor deny..
• Singapore, Australia, Malaysia, Indonesia, Philippines
Slide 4
BACKGROUND INFO
Slide 5
DISCLAIMER
• Speaker disclaimer:
• DOES NOT advocate any form of hacking
• Hacking computer resources is against the law in most countries
• Is NOT legally trained; please seek competent legal counsel on the cyber law of your country
• What happens in rawsec, stays in rawsec
• Pentesting (white-hat hacking) is advocated and should be done only AFTER a formal written agreement with the target clients
Slide 6
SECURITY CONCERNS COVERED
• We will be covering some of:
• BIOS: Intel AMT
• WAF limitations
• OS: Windows, Mac
• Languages: .NET, Java
• Libraries: OGNL, JSR 223
• DB: SQL injection
• Browser: XSS
Slide 7
SECURITY? NOT REALLY MY ISSUE
FEW UNDERSTAND SECURITY
Many security engineers don't understand development, and most developers don't understand security.
Source: SANS State of Application Security, 2015
Chart labels: Average application; only 21% custom code; 93% of overall vulnerabilities
APPS ARE CHANGING
• Agile and DevOps
• Cloud and containers
• Microservices and APIs
• Libraries and code reuse
Have legacy application security solutions been able to keep up?
Slide 8
TYPICAL SECURITY PROCESS
Slide 9
IS APPSEC A REAL ISSUE?
Slide 10
HACKING IMPACT
Slide 11
COMMON MISCONCEPTION
Slide 12
WE DO .NET/WINDOZES
Priced at USD 2k-3k for a general entry ticket, with extra cost for courses:
• Win64 kernel-level (Ring 0) exploits
• Heap spraying, DEP (Data Execution Prevention)
• ASLR (Address Space Layout Randomization) bypass
• SMEP (Supervisor Mode Execution Prevention) bypass
• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
Slide 13
WINDOWS BACKDOOR HOOK
• Microsoft: this API is a function/feature.
• https://docs.microsoft.com/en-us/windows/desktop/winmsg/using-hooks
Slide 14
WE DO APPLE
• AppleScript automation engine
• Plenty of Apple users are not aware of this.
• "How to Create a Fake PDF Trojan with AppleScript"
• Script embedded in the PDF.
• Able to bypass scanning by antivirus tools.
Slide 15
BIOS FRONTDOOR FROM BACK
Slide 16
APPEARANCE OF SAFETY
Health warning!
You may leave if you have:
• a weak heart
• hypertension (high blood pressure)
• had a panic attack/insomnia
REAL SCARY STUFF to follow.
Slide 17
OUR WIFI IS HIDDEN, LOCAL AND SECURE
• https://www.gdt.id.au/~gdt/presentations/2002-07-02-questnet-wlan/driveby.pdf
Tiny Enemy Within/Nextdoor
Slide 18
DISCOVER HIDDEN WIFI SSID
• https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/
Slide 19
WE DO WAF/IDS/IPS
• Perimeter protection tools:
• Require constant monitoring and updating
• MANUAL CVE/OWASP/DISA/PCI tracking
• CAN protect against typical DoS/DDoS
• Highly trained experts needed
• Inaccurate blocking
• Mostly use REGEXP (easy to DoS/DDoS)
• Hard to pick from a long list (16K) of rules
• AI training needs time to build up
Slide 20
CRAFT AN EFFECTIVE REGEXP FOR THIS??
• Sample library attack (Struts 2)
• Need to pick the right rules from a long list of choices.
• Need to match the right number of patterns.
• Ensure the REGEXP cannot be blown up for a DoS attack.
• Ensure NO OVER-BLOCKING of actual business traffic.
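A rule-review check for the three concerns on slides 19 and 20 (a REGEXP that can be blown up into a DoS, rules that over-block business traffic, and probes that no rule catches), added here as example code that is not part of the deck or of any WAF product. The rule ids, patterns and request samples are all constructed for the example.

```python
"""Rule-review audit for a regex-based WAF: flag ReDoS-prone patterns,
rules that block legitimate business traffic, and probes no rule catches.
Added example for this deck; rule ids, patterns and samples are constructed
and are not taken from any WAF product or rule set."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class WafRule:
    rule_id: str       # constructed id, not a ModSecurity/CRS rule number
    pattern: str
    description: str


# Two sane rules, one over-broad rule (R-003) and one rule whose nested
# quantifier backtracks catastrophically on crafted input (R-004).
RULES = [
    WafRule("R-001", r"(?i)\bunion\b.+\bselect\b", "SQLi: UNION ... SELECT"),
    WafRule("R-002", r"(?i)<script[^>]*>", "XSS: opening script tag"),
    WafRule("R-003", r"(?i)\bselect\b", "SQLi: bare SELECT keyword (too broad)"),
    WafRule("R-004", r"(?i)(\s*or\s*)+1\s*=\s*1", "SQLi: OR 1=1 (nested quantifier)"),
]

# Constructed request bodies the business legitimately sends ...
BUSINESS_TRAFFIC = [
    "q=select+your+size",
    "note=labour+union+selects+new+chair",
    "product=Script+Writing+Kit",
]
# ... and textbook probes the WAF is expected to stop.
ATTACK_SAMPLES = [
    "id=1+UNION+SELECT+username,password+FROM+users",
    "comment=%3Cscript%3Ealert(1)%3C/script%3E",
    "id=1%27+OR+1%3D1--",
    "id=1%3B+DROP+TABLE+users",
]

# Heuristic: a group that ends in a quantifier and is itself quantified,
# e.g. (a+)+ or (\s*or\s*)+, is the classic catastrophic-backtracking shape.
_NESTED_QUANTIFIER = re.compile(r"\([^()]*[+*?]\)[+*]")


def redos_prone(rule: WafRule) -> bool:
    """True if the rule's pattern contains a nested quantifier."""
    return _NESTED_QUANTIFIER.search(rule.pattern) is not None


def matching_rules(rules, raw_body: str):
    """Ids of the rules that fire on one request body, after URL decoding
    (a WAF must normalise before matching or %-encoding evades it)."""
    text = unquote_plus(raw_body)
    return [r.rule_id for r in rules if re.search(r.pattern, text)]


def audit(rules, business, attacks) -> dict:
    """The three findings to settle before enabling a rule set in blocking mode."""
    false_positives = []
    for raw in business:
        hits = matching_rules(rules, raw)
        if hits:
            false_positives.append((raw, hits))
    return {
        "redos_prone": [r.rule_id for r in rules if redos_prone(r)],
        "false_positives": false_positives,
        "missed_attacks": [raw for raw in attacks if not matching_rules(rules, raw)],
    }


if __name__ == "__main__":
    for key, value in audit(RULES, BUSINESS_TRAFFIC, ATTACK_SAMPLES).items():
        print(f"{key}: {value}")
```

Run against a real rule set, the same three lists are what a change review of WAF rules should show: which rules are unsafe to run, which ones break business traffic, and which probes still get through.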
Slide 21
WE HAVE SSL AUTHENTICATION
• https://security.stackexchange.com/questions/2087/how-to-hijack-a-session
• List of session hijacking tools
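What "we have SSL authentication" leaves open, as an added example that is not from the deck: TLS protects the wire, but a session cookie without Secure/HttpOnly/SameSite, a site without HSTS, or a session id that is not rotated at login still lets a session be hijacked. The HTTP responses and token values below are constructed for the example.

```python
"""Checks a session cookie has to pass even when the site runs on TLS:
Secure/HttpOnly/SameSite flags, an HSTS header, and a session id that
changes at login.  Added example for this deck; the responses below are
constructed, not captured from any real server."""
import re
from dataclasses import dataclass

# Cookie names that look like they carry a session or auth token (heuristic).
_SESSION_LIKE = re.compile(r"(?i)sess|sid|token|auth")


@dataclass(frozen=True)
class CookieFinding:
    name: str
    problems: tuple


def parse_set_cookie(header_value: str):
    """Split 'name=value; Attr; Attr=v' into (name, value, {attr: v})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookie(header_value: str) -> CookieFinding:
    """Transport and script-access weaknesses of one session-like cookie."""
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if _SESSION_LIKE.search(name):
        if "secure" not in attrs:
            problems.append("no Secure flag: also sent over plain http://")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by injected script")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append("SameSite not Lax/Strict: sent on cross-site requests")
        if "expires" in attrs or "max-age" in attrs:
            problems.append("persistent cookie: token survives browser close")
    return CookieFinding(name, tuple(problems))


def header_values(raw_response: str, header_name: str):
    """All values of one header in a raw HTTP/1.1 response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    prefix = header_name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in head.split("\r\n")
            if line.lower().startswith(prefix)]


def audit_response(raw_response: str) -> dict:
    """Findings for one response: HSTS present, and per-cookie problems."""
    findings = [audit_cookie(v) for v in header_values(raw_response, "Set-Cookie")]
    return {
        "hsts": bool(header_values(raw_response, "Strict-Transport-Security")),
        "weak_cookies": {f.name: f.problems for f in findings if f.problems},
    }


def session_rotated(pre_login: str, post_login: str, cookie_name: str) -> bool:
    """True if the session id changed at login (else: session fixation risk)."""
    def value_of(raw):
        for v in header_values(raw, "Set-Cookie"):
            name, value, _ = parse_set_cookie(v)
            if name == cookie_name:
                return value
        return None
    before, after = value_of(pre_login), value_of(post_login)
    return before is not None and after is not None and before != after


# Constructed responses (sample token values, not real sessions).
LANDING_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=SAMPLE-1111; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; Max-Age=31536000\r\n"
    "\r\n"
)
AFTER_LOGIN_WEAK = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: JSESSIONID=SAMPLE-1111; Path=/\r\n"   # same id as before login
    "\r\n"
)
AFTER_LOGIN_HARDENED = (
    "HTTP/1.1 302 Found\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: JSESSIONID=SAMPLE-2222; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_response(LANDING_PAGE))
    print("rotated (weak):", session_rotated(LANDING_PAGE, AFTER_LOGIN_WEAK, "JSESSIONID"))
    print("rotated (hardened):", session_rotated(LANDING_PAGE, AFTER_LOGIN_HARDENED, "JSESSIONID"))
```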
Slide 22
WE DO JAVA: OGNL EXP INJECTION
• Commonly used Java expression library
• OGNL exploits
• https://pt.slideshare.net/hackstuff/cmd-injection
Slide 23
EXPRESSION INJECTION
• OGNL exploits since Feb 2013.
• Expression injection can allow an attacker to run any OGNL code to:
• upload a malware file to the server
• run the malware file
• do almost anything.
• Also exploitable for JSR223 languages
Slide 24
OUR JS GURU PROTECT BROWSERS
• Really skilled attackers do NOT normally use browser attacks.
• Too many alerts created, and highly traceable.
• XSSer, SQLninja, Metasploit...
Slide 25
DEMO TIME.
• Download:
• https://github.com/WebGoat/WebGoat/releases/tag/7.1
• Duration depends on time.
• SQL injection
• XSS
• ...
Slide 26
APPSEC OWASP TOP 10(2013, 2017)
Jeff Williams
OWASP Chair for 8 years
Creator of OWASP Top 10
Slide 27
A WHOLE NEW WORLD
Slide 28
YOU NEED RUNTIME WHITEBOX APPSEC
Software is a black box.
Diagram: the running application drawn as a black box, with its layers (HTTP traffic; code, frameworks, libraries; runtime data flow and runtime control flow; backend connections; configuration data; server configuration; etc.) grouped under platform, runtime and software architecture, and the tool classes SAST, DAST, WAF, IAST and RASP placed around it.
Whitebox: full visibility into the running app
Slide 29
WHO IS WHO IN APPSEC
• Founded by Jeff Williams after leaving OWASP
• Founded 2013
• New paradigm of Security solutions.
Slide 30
SPEAKER DOES RECOMMEND
• Totally unrelated to the hacking incident of any bank.
• You should have 3 or more bank accounts at different banks.
• By law, banks are supposed to keep your data private.
• They are:
• One for salary and main income (ATM only)
• Fixed deposits at a different bank, totally offline.
• Visa/Mastercard/debit card from yet another bank, which can be used online; keep a minimum balance and a low credit limit (less than 7K).
Slide 31
SOME SHORT QUESTIONS
• Those who don't study AppSec are doomed to be hacked. Those who do study AppSec are doomed to watch helplessly while everyone else is hacked.
Slide 32
THANK YOU
Alex Ong, ongbp@onet.sg, +6017-3180163

Weitere ähnliche Inhalte

Was ist angesagt?

Career In Information security
Career In Information securityCareer In Information security
Career In Information securityAnant Shrivastava
 
Five mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseFive mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseNowSecure
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10NowSecure
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentMarketingArrowECS_CZ
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsRahul Neel Mani
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey מוטי שגיא
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2F-Secure Corporation
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Mohammed Adam
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Skycure
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentesterCláudio André
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityNowSecure
 
Protect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileProtect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileMarketingArrowECS_CZ
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)PacSecJP
 

Was ist angesagt? (20)

Securing Your Cloud With Check Point's vSEC
Securing Your Cloud With Check Point's vSECSecuring Your Cloud With Check Point's vSEC
Securing Your Cloud With Check Point's vSEC
 
Career In Information security
Career In Information securityCareer In Information security
Career In Information security
 
Five mobile security challenges facing the enterprise
Five mobile security challenges facing the enterpriseFive mobile security challenges facing the enterprise
Five mobile security challenges facing the enterprise
 
OWASP Mobile Top 10
OWASP Mobile Top 10OWASP Mobile Top 10
OWASP Mobile Top 10
 
Check Point Solutions Portfolio- Detailed
Check Point Solutions Portfolio- DetailedCheck Point Solutions Portfolio- Detailed
Check Point Solutions Portfolio- Detailed
 
Check Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast AgentCheck Point SandBlast and SandBlast Agent
Check Point SandBlast and SandBlast Agent
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of Botnets
 
Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal Moti Sagey CPX keynote _Are All security products created equal
Moti Sagey CPX keynote _Are All security products created equal
 
Understanding ransomware
Understanding ransomwareUnderstanding ransomware
Understanding ransomware
 
Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2Defending Workstations - Cyber security webinar part 2
Defending Workstations - Cyber security webinar part 2
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2Webinar On Ethical Hacking & Cybersecurity - Day2
Webinar On Ethical Hacking & Cybersecurity - Day2
 
Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability Accessibility Clickjacking, Devastating Android Vulnerability
Accessibility Clickjacking, Devastating Android Vulnerability
 
CPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor LandscapeCPX 2016 Moti Sagey Security Vendor Landscape
CPX 2016 Moti Sagey Security Vendor Landscape
 
A day in the life of a pentester
A day in the life of a pentesterA day in the life of a pentester
A day in the life of a pentester
 
The fundamentals of Android and iOS app security
The fundamentals of Android and iOS app securityThe fundamentals of Android and iOS app security
The fundamentals of Android and iOS app security
 
Protect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast MobileProtect Your Enterprise - Check Point SandBlast Mobile
Protect Your Enterprise - Check Point SandBlast Mobile
 
Ecosystem
EcosystemEcosystem
Ecosystem
 
WannaCry: How to Protect Yourself
WannaCry: How to Protect YourselfWannaCry: How to Protect Yourself
WannaCry: How to Protect Yourself
 
Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)Akila srinivasan microsoft-bug_bounty-(publish)
Akila srinivasan microsoft-bug_bounty-(publish)
 

Ähnlich wie Common Security Misconception

Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Harry McLaren
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation SecurityCisco Canada
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes WebinarThousandEyes
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Decisions
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Decisions
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Decisions
 
Cyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-pptCyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-pptMohit Rampal
 
Steps to Scale Internet of Things (IoT)
Steps to Scale Internet of Things (IoT)Steps to Scale Internet of Things (IoT)
Steps to Scale Internet of Things (IoT)Rafael Maranon
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConTom Stiehm
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data CenterCisco Canada
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceTom Stiehm
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalImperva
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareMyNOG
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCTom Stiehm
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceThousandEyes
 
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...Data Con LA
 

Ähnlich wie Common Security Misconception (20)

Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!
 
Next Generation Security
Next Generation SecurityNext Generation Security
Next Generation Security
 
What is ThousandEyes Webinar
What is ThousandEyes WebinarWhat is ThousandEyes Webinar
What is ThousandEyes Webinar
 
Scalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver PresentationScalar Security Roadshow - Vancouver Presentation
Scalar Security Roadshow - Vancouver Presentation
 
Scalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary PresentationScalar Security Roadshow - Calgary Presentation
Scalar Security Roadshow - Calgary Presentation
 
EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Scalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa PresentationScalar Security Roadshow - Ottawa Presentation
Scalar Security Roadshow - Ottawa Presentation
 
Cyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-pptCyber Security for Critical Infrastrucutre-ppt
Cyber Security for Critical Infrastrucutre-ppt
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
 
Steps to Scale Internet of Things (IoT)
Steps to Scale Internet of Things (IoT)Steps to Scale Internet of Things (IoT)
Steps to Scale Internet of Things (IoT)
 
OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014OWASP Mobile TOP 10 2014
OWASP Mobile TOP 10 2014
 
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechConShifting Security Left - The Innovation of DevSecOps - ValleyTechCon
Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon
 
Security and Virtualization in the Data Center
Security and Virtualization in the Data CenterSecurity and Virtualization in the Data Center
Security and Virtualization in the Data Center
 
Shifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 ConferenceShifting Security Left from the Lean+Agile 2019 Conference
Shifting Security Left from the Lean+Agile 2019 Conference
 
A Blueprint for Web Attack Survival
A Blueprint for Web Attack SurvivalA Blueprint for Web Attack Survival
A Blueprint for Web Attack Survival
 
Zero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source SoftwareZero Day Malware Detection/Prevention Using Open Source Software
Zero Day Malware Detection/Prevention Using Open Source Software
 
Shifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDCShifting Security Left - The Innovation of DevSecOps - AgileDC
Shifting Security Left - The Innovation of DevSecOps - AgileDC
 
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid WorkforceOptimizing and Troubleshooting Digital Experience for a Hybrid Workforce
Optimizing and Troubleshooting Digital Experience for a Hybrid Workforce
 
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
Data Con LA 2019 - Securing IoT Data with Pervasive Encryption by Eysha Shirr...
 
Webinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript ApplicationsWebinar–Reviewing Modern JavaScript Applications
Webinar–Reviewing Modern JavaScript Applications
 

Kürzlich hochgeladen

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 

Kürzlich hochgeladen (20)

A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING  RIVER  WATER QUALITY  ppt presentationPREDICTING  RIVER  WATER QUALITY  ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 

Common Security Misconception

  • 1. 1© 2019 CONFIDENTIAL 1© 2019 CONFIDENTIAL Alex Ong, ongbp@onet.sg, +6017-3180163 Solutions Architect, OneT Solutions Pte Ltd. COMMON SECURITY MISCONCEPTIONS
  • 2. 2© 2019 CONFIDENTIAL 2 ABOUT SPEAKER
  • 3. 3© 2019 CONFIDENTIAL About Alex(Matthew) ONG • 20+ Years(since 1997) in ICT or Related Industries • Certified Sun Microsystem(now Oracle) Train the Trainer • Ex-Mimos Master Trainer (2014-2016) • Master Trainer HRDF, Australian TAE40110 Certified. • Cross Industries & Process Regional Consultation: • ICT, Education, Manufacturing • Financial banking, Telecommunication • Defense: I can neither confirm nor deny.. • Singapore, Australia, Malaysia, Indonesia, Philipine
  • 4. 4© 2019 CONFIDENTIAL 4 BACKGROUND INFO
  • 5. 5© 2019 CONFIDENTIAL DISCLAIMER •Speaker Disclaimer: • DOES NOT advocate anyform of hacking • Hacking computer resources is against the law in most country • is NOT legally trained, please seek a competent legal council for cyberlaw for your country • What happens in rawsec, stays in rawsec • Pentesting(whitehat hacking) is advocated and should be done with AFTER formal written agreement from target clients
  • 6. 6© 2019 CONFIDENTIAL SECURITY CONCERNS COVERED • We will be covering some of: • BIOS: Intel ATM • WAF Limitations • OS: Win, Mac • Languages: .NET, Java • Libraries: OGNL, JSR 233 • DB: SQL Injections • Browsr: XSS
  • 7. 7© 2019 CONFIDENTIAL SECURITY? NOT REALLY MY ISSUES FEW UNDERSTAND SECURITY Many security engineers don’t understand development — and most developers don’t understand security. Source: SANS State of Application Security, 2015 Average Application Only 21% Custom Code 93% overall Vulnerabilities APPS ARE CHANGING • Agile and DevOps • Cloud and container • Microservers and APIs • Libraries and code reuse Can legacy Application Security Solutions have been able to keep up?
  • 8. 8© 2019 CONFIDENTIAL TYPICAL SECURITY PROCESS
  • 9. 9© 2019 CONFIDENTIAL IS APPSEC REAL ISSUES?
  • 11. COMMON MISCONCEPTIONS
  • 12. WE DO .NET/WINDOZES • Priced at USD 2k-3k for a general entry ticket, with extra cost for courses covering: • Win64 kernel-level (Ring 0) exploits • Heap spraying, DEP (Data Execution Prevention) bypass • ASLR (Address Space Layout Randomization) bypass • SMEP (Supervisor Mode Execution Prevention) bypass • https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
  • 13. WINDOWS BACKDOOR HOOK • Windows hooks (SetWindowsHookEx) let a process intercept keyboard, mouse and window messages system-wide; Microsoft documents this API as a feature, not a flaw. • https://docs.microsoft.com/en-us/windows/desktop/winmsg/using-hooks
  • 14. WE DO APPLE • AppleScript automation engine: plenty of Apple users are not aware of it. • "How to Create a Fake PDF Trojan with AppleScript": script embedded in a PDF. • Able to bypass scanning by antivirus tools.
  • 15. BIOS FRONTDOOR FROM BACK
  • 16. APPEARANCE OF SAFETY • Health warning! You may leave if you have: • a weak heart • hypertension (high blood pressure) • had a panic attack / insomnia • REAL SCARY STUFF to follow.
  • 17. OUR WIFI IS HIDDEN, LOCAL AND SECURE • Tiny enemy within / next door: https://www.gdt.id.au/~gdt/presentations/2002-07-02-questnet-wlan/driveby.pdf
  • 18. DISCOVER HIDDEN WIFI SSID • Hiding the SSID only removes it from the access point's beacons; probe requests, probe responses and association requests still carry the name in clear, so a passive listener recovers it as soon as any client connects. • https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/
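An added example (not from the slides or the Acrylic article) of the correlation that hidden-SSID discovery relies on, in Python, on constructed 802.11 frames rather than a capture: the AP's beacon carries an empty or NUL-padded SSID element, but the probe response it sends to a connecting client carries the real name, and the two are joined by BSSID. The frame layout is the minimal management-frame header plus an SSID element; the frame builder, the sample BSSIDs and the sample frames are assumptions for the demo.

```python
import struct

# IEEE 802.11 management-frame subtypes (frame-control type 0 = management)
SUBTYPE_PROBE_REQ = 0x4
SUBTYPE_PROBE_RESP = 0x5
SUBTYPE_BEACON = 0x8
TAG_SSID = 0            # tagged-parameter ID of the SSID element

MGMT_HDR_LEN = 24       # FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2)
FIXED_LEN = 12          # timestamp(8) interval(2) capability(2): beacon / probe response only


def build_mgmt_frame(subtype, src, bssid, ssid):
    """Constructed test frame (not a capture): minimal header + SSID element.
    ssid=b'' or a run of NULs is how APs 'hide' the name in beacons."""
    fc = bytes([subtype << 4, 0x00])                  # version 0, type mgmt, subtype
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + src + bssid + b"\x00\x00"
    body = b""
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body += struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    body += bytes([TAG_SSID, len(ssid)]) + ssid
    return hdr + body


def parse_tags(data):
    """Split the tagged-parameter area into {tag_id: value}."""
    tags = {}
    i = 0
    while i + 2 <= len(data):
        tag_id, length = data[i], data[i + 1]
        tags[tag_id] = data[i + 2:i + 2 + length]
        i += 2 + length
    return tags


def extract_ssid(frame):
    """Return (subtype, bssid, ssid) for beacon / probe frames, else None.
    ssid is None when the element is empty or all-NUL (a hidden network)."""
    if len(frame) < MGMT_HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                          # not a management frame
        return None
    subtype = fc0 >> 4
    if subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP, SUBTYPE_PROBE_REQ):
        return None
    bssid = frame[16:22]                               # addr3 carries the BSSID
    body = frame[MGMT_HDR_LEN:]
    if subtype != SUBTYPE_PROBE_REQ:                   # probe requests have no fixed fields
        body = body[FIXED_LEN:]
    ssid = parse_tags(body).get(TAG_SSID, b"")
    if ssid.strip(b"\x00") == b"":
        return subtype, bssid, None
    return subtype, bssid, ssid.decode("utf-8", "replace")


def discover_hidden(frames):
    """Networks whose beacons hide the SSID, with the name recovered from any
    probe response the AP sent to a client: {bssid: ssid_or_None}."""
    hidden, names = set(), {}
    for frame in frames:
        parsed = extract_ssid(frame)
        if parsed is None:
            continue
        subtype, bssid, ssid = parsed
        key = bssid.hex(":")
        if subtype == SUBTYPE_BEACON and ssid is None:
            hidden.add(key)
        elif subtype == SUBTYPE_PROBE_RESP and ssid:
            names[key] = ssid
    return {b: names.get(b) for b in sorted(hidden)}


# Constructed sample: one hidden AP that later answers a client's probe, one visible AP.
AP_HIDDEN = bytes.fromhex("001122334455")
AP_OPEN = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_BEACON, AP_HIDDEN, AP_HIDDEN, b"\x00" * 7),  # NUL-padded hidden beacon
    build_mgmt_frame(SUBTYPE_BEACON, AP_OPEN, AP_OPEN, b"GuestNet"),
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP_HIDDEN, AP_HIDDEN, b"CorpNet"),  # the name leaks here
]

if __name__ == "__main__":
    print(discover_hidden(SAMPLE_FRAMES))   # {'00:11:22:33:44:55': 'CorpNet'}
```

Until a client probes, the hidden AP is reported with a `None` name; a patient listener only has to wait, and a client that has the network saved will probe for it by name even when away from the office, which is why a hidden SSID leaks more than it hides.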
  • 19. WE DO WAF/IDS/IPS • Perimeter protection tools: • require constant monitoring and updating • manual CVE/OWASP/DISA/PCI tracking • can protect against typical DoS/DDoS • highly trained experts needed • inaccurate blocking (false positives and misses) • mostly regex-based, and a badly written rule is itself a DoS target (catastrophic backtracking) • hard to pick the right rules from a long list (16K) • AI-based detection needs time to train up a baseline
  • 20. CRAFT AN EFFECTIVE REGEXP FOR THIS?? • Sample library attack (Struts 2) • Need to pick the right rules from a long list of choices. • Need to match the right amount of the pattern: too little and encoded variants slip through, too much and the rule breaks. • Ensure no regex overflow (catastrophic backtracking) that turns the rule itself into a DoS vector. • Ensure NO OVER BLOCKING of actual business traffic.
  • 21. WE HAVE SSL AUTHENTICATION • TLS protects the channel, not the session: whoever holds the session token (sniffed from a cookie sent over plaintext, read by injected script, or planted before login) is the user as far as the server is concerned. • List of session hijacking tools: https://security.stackexchange.com/questions/2087/how-to-hijack-a-session
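An added example, not from the deck, of why "we have SSL" does not cover session hijacking: a small Python audit of a Set-Cookie header for the attributes that keep a session token off plaintext connections, out of reach of injected script and off cross-site requests, beside the hardened form a server should issue. The attribute names are standard HTTP; the 22-character token threshold (128 bits of base64url), the `__Host-sid` cookie name and the sample legacy header are assumptions for the demo.

```python
import secrets


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # bare flags become True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header, min_token_chars=22):
    """Findings that make a session token easy to steal or replay even when
    the site itself is only reachable over TLS."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: browser also sends it on http:// URLs (sniffable)")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: document.cookie exposes it to injected script")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if len(value) < min_token_chars:
        findings.append("token too short: under ~128 bits of randomness, guessable")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: a subdomain can plant a same-named cookie (fixation)")
    return findings


def issue_session_cookie(token=None):
    """Hardened form: 256-bit random token, host-locked prefix, all three flags.
    __Host- additionally requires Secure, Path=/ and no Domain attribute."""
    token = token or secrets.token_urlsafe(32)
    return f"__Host-sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample of what many Java apps still send (not a real capture).
LEGACY = "JSESSIONID=ABC123; Path=/"

if __name__ == "__main__":
    for finding in audit_session_cookie(LEGACY):
        print("-", finding)
    print(issue_session_cookie())
```

The flags close the cheap theft channels (plaintext sniffing, script access, cross-site replay); they do nothing for a token leaked by malware on the user's own machine, which is the remaining case the tools linked above exploit. The server also has to rotate the token at login and invalidate it at logout, otherwise a stolen value stays valid indefinitely.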
  • 22. WE DO JAVA: OGNL EXPRESSION INJECTION • OGNL is a commonly used Java expression language (Struts 2 uses it to bind request data to actions). • OGNL exploits: https://pt.slideshare.net/hackstuff/cmd-injection
  • 23. EXPRESSION INJECTION • OGNL exploits since Feb 2013. • Expression injection lets the attacker run arbitrary OGNL on the server: • upload a malware file to the server • run the malware file • do almost anything the application's process can do • The same class of bug applies to JSR 223 scripting engines (and other expression languages) whenever untrusted input reaches the evaluator.
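An added example covering both slide 20 (crafting a regex for the Struts 2 library attack) and slide 23 (OGNL / JSR 223 expression injection); it is not from the deck and is not any real WAF's rule set. In Python it puts the kind of literal-opener rule a signature uses beside two things that hold up better: decoding the value before the deny-list runs, and allow-list validation of a header whose grammar is known (a Content-Type must parse as a media type, whatever an expression engine would make of it), with the regex written so it cannot backtrack catastrophically and an input-length cap in front of it. The `email_template` allow-list entry, `MAX_VALUE_LEN` and the constructed requests are assumptions for the demo; the `%{1+1}` marker is a harmless opener, not an exploit string.

```python
import re
from urllib.parse import unquote

# Deny-list rule of the kind a WAF signature uses: literal OGNL / EL openers.
EXPR_OPENER = re.compile(r"%\{|\$\{|#\{")

# Allow-list rule for a header that must be a media type. Written without
# overlapping quantifiers ([^;\s]* cannot eat the ';' or whitespace the next
# group needs), so a long hostile value fails fast instead of backtracking.
MEDIA_TYPE = re.compile(r"[\w.+-]+/[\w.+-]+(;\s*[\w.-]+=[^;\s]*)*")
MAX_VALUE_LEN = 4096   # cap before any regex runs (assumed limit)

# Field that legitimately carries template syntax (assumed for the demo).
ALLOWLIST = {("param", "email_template")}


def naive_block(raw_value):
    """What a rule that only scans the raw bytes sees."""
    return bool(EXPR_OPENER.search(raw_value))


def normalize(value, rounds=3):
    """Peel up to `rounds` layers of URL-encoding, stopping when stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def valid_media_type(value):
    return len(value) <= MAX_VALUE_LEN and MEDIA_TYPE.fullmatch(value) is not None


def inspect_request(headers, params):
    """Return [(where, name, reason)] for values that should not reach an
    OGNL / JSR 223 evaluator. Headers are checked against what they must look
    like; parameters are decoded before the opener rule runs."""
    hits = []
    for name, value in headers.items():
        if name.lower() == "content-type" and not valid_media_type(value):
            hits.append(("header", name, "not a media type"))
    for name, value in params.items():
        if ("param", name) in ALLOWLIST:
            continue
        if len(value) > MAX_VALUE_LEN:
            hits.append(("param", name, "oversized value"))
        elif EXPR_OPENER.search(normalize(value)):
            hits.append(("param", name, "expression opener after decoding"))
    return hits


# Constructed requests for the demo (not real captures).
BENIGN = ({"Content-Type": "multipart/form-data; boundary=----x"}, {"q": "50% off {today}"})
ENCODED = ({"Content-Type": "application/json"}, {"q": "%2525%257B1%252B1%257D"})  # %{1+1}, encoded twice
BAD_HEADER = ({"Content-Type": "%{1+1}"}, {})
TEMPLATE = ({"Content-Type": "text/plain"}, {"email_template": "Hello ${name}"})

if __name__ == "__main__":
    print("naive rule sees encoded payload:", naive_block(ENCODED[1]["q"]))   # False
    for label, req in (("benign", BENIGN), ("encoded", ENCODED),
                       ("bad header", BAD_HEADER), ("template", TEMPLATE)):
        print(label, inspect_request(*req))
```

None of this fixes the vulnerable library: a WAF rule buys time while the Struts 2 (or other OGNL / JSR 223 consumer) upgrade is rolled out, and the application-side fix is to keep user-controlled strings out of expression evaluation altogether.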
  • 24. OUR JS GURU PROTECTS BROWSERS • Really skilled attackers normally do NOT use browser-side attacks: • too many alerts are generated and they are highly traceable. • Tools: XSSer, SQLninja, Metasploit...
  • 25. DEMO TIME • Download: https://github.com/WebGoat/WebGoat/releases/tag/7.1 • Duration depends on the time available. • SQL Injection • XSS • ...
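An added Python example, not from the deck or from WebGoat, of the two demo items: the string-built login query a WebGoat lesson exploits beside the parameterized form, and the reflected-XSS greeting beside the output-encoded form. The in-memory SQLite table, the user rows and the attack strings are constructed for the demo.

```python
import html
import sqlite3


def make_db():
    """In-memory stand-in for the WebGoat user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: the input becomes SQL syntax, so a quote in the
    password rewrites the WHERE clause and a -- comment truncates it."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Bound parameters: the driver hands the values to the engine separately
    from the statement text, so they can never change its structure."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def greet_vulnerable(name):
    """Reflected XSS: attacker-controlled text is written into the HTML as-is."""
    return f"<p>Hello, {name}</p>"


def greet_escaped(name):
    """Output encoding for the HTML text context; attribute, URL and JS
    contexts need their own encoders, and this is no substitute for a CSP."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Constructed inputs of the kind a WebGoat lesson has you type.
BYPASS_PASSWORD = "' OR '1'='1"
COMMENT_NAME = "alice'--"
XSS_NAME = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", BYPASS_PASSWORD))     # ['alice', 'bob']
    print(login_vulnerable(db, COMMENT_NAME, "wrong"))         # ['alice']
    print(login_parameterized(db, "nobody", BYPASS_PASSWORD))  # []
    print(greet_escaped(XSS_NAME))
```

The password payload works because `AND` binds tighter than `OR`, so the clause becomes `(name = 'nobody' AND password = '') OR '1'='1'` and every row matches; the `alice'--` name works because SQLite honours `--` comments and the password check is simply dropped. Neither string does anything when bound as a parameter.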
  • 26. APPSEC OWASP TOP 10 (2013, 2017) • Jeff Williams: OWASP Chair for 8 years, creator of the OWASP Top 10
  • 27. A WHOLE NEW WORLD
  • 28. YOU NEED RUNTIME WHITEBOX APPSEC • Software is a black box to SAST (source code), DAST (HTTP traffic) and a WAF (the perimeter). • Runtime whitebox tools (IAST, RASP) instrument the running application and see: HTTP traffic, code, frameworks, libraries, runtime data flow, runtime control flow, backend connections, configuration data, server configuration, etc. • Layers: platform, runtime, software architecture. • Whitebox: full visibility into the running app.
  • 29. WHO IS WHO IN APPSEC • Founded by Jeff Williams after leaving OWASP • Founded 2013 • A new paradigm of security solutions.
  • 30. SPEAKER RECOMMENDS • Totally unrelated to the hacking incident of any bank. • You should have 3 or more bank accounts at different banks; by law, banks are supposed to keep your data private. They are: • one for salary and main income (ATM only) • fixed deposits in a different bank, totally offline • a Visa/Mastercard/debit card from yet another bank, which can be used online: keep a minimum balance and a low credit limit (less than 7K).
  • 31. SOME SHORT QUESTIONS • Those who don't study AppSec are doomed to be hacked. Those who do study AppSec are doomed to watch helplessly while everyone else is hacked.
  • 32. THANK YOU • Alex Ong, ongbp@onet.sg, +6017-3180163