"BIG BANG!" Highlights & key takeaways of 24 security talks by Stefan Jakoubi & Thomas Konrad
In this talk we will point out the highlights and key takeaways of two months of SBA Live Academy!
Missed some talks? Watch them on YouTube (https://www.youtube.com/channel/UCGkdNRPzjB2c6RxoMJ5POCg/videos)!
Speakers:
Stefan Jakoubi, SBA Research
Thomas Konrad, SBA Research
Talk language: German
About the Speaker:
*********************
Stefan Jakoubi is Managing Director of the "Professional Services" division at SBA Research. He has been working in the broader field of information security for more than 13 years and acts as a "security architect" for customers and research partners. His particular focus is the balanced interplay between business requirements and the security measures they call for, so that decision-makers receive the support they need to fulfil their due-diligence obligations. What he enjoys most, however, is giving security awareness talks that "translate" complex subject areas for the audience at hand.
Thomas Konrad is Principal Security Consultant at SBA Research and has been part of the software security team since 2010. He focuses on secure software development, web application security, penetration testing, secure software design, architecture and process, and trains software development teams in those areas.
SBA Live Academy Topic 5/25
CRLite – Revocation for X.509 certificates in the browser – this time for real?
Mathias Tausig (SBA)
SBA Research gGmbH, 2020
Take-Aways
• Steps towards DevSecOps
o #1: Start with simplification.
o #2: Push existing pockets of success.
o #3: Offer self-service security tools.
o #4: Work with both empowerment and accountability.
o #5: Create and promote a culture of continuous learning.
SBA Live Academy Topic 8/25
I know what they did last Summer…
Andreas Tomek (KPMG)
SBA Live Academy Topic 9/25
Passwords: Policy and Storage with NIST SP800-63b
Jim Manico
(Founder of Manicode Security & former board member of the OWASP Foundation)
SBA Live Academy Topic 10/25
A Primer in Single Page Application Security (Angular, React, Vue.js)
Thomas Konrad (SBA)
The DOM Is A Mess: XSS Sinks
Image source: https://www.youtube.com/watch?v=vYA81UAExKA
https://github.com/wisec/domxsswiki/wiki
SPAs, innerHTML and XSS
Input:
const html = '<img src=x onerror=alert(1)/>';
<span [innerHTML]="html"></span>
Angular sanitizes this! Rendered output: <img src=x />
<span dangerouslySetInnerHTML={{ __html: html }}></span>
Makes you fear!
<span v-html="html"></span>
Makes you feel safe!
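As an added illustration (not code from the slides or from SBA Research), this minimal allowlist sanitizer in plain JavaScript shows the work that Angular's `[innerHTML]` binding does for you and that React's `dangerouslySetInnerHTML` and Vue's `v-html` leave entirely to you: the slide's input loses its `onerror` handler before it reaches the sink. The tag and attribute allowlists are assumptions chosen for the example; a real application should rely on the framework sanitizer or a maintained sanitizer library rather than this simplified parser.

```javascript
// Illustrative allowlist sanitizer for strings bound to an innerHTML sink.
// Added example only: not the sanitizer Angular ships, and not production-grade.
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'span', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)(\/?)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Accept relative URLs and an explicit scheme allowlist only. Entity escapes
// and control characters are refused because the browser decodes them after us.
function isSafeUrl(value) {
  const v = value.trim();
  if (/[&\u0000-\u001f\u007f]/.test(v)) return false;
  if (!v.includes(':')) return true;
  return /^(?:https?|mailto):/i.test(v);
}

function sanitizeAttributes(attrs) {
  const kept = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrs)) !== null) {
    const name = m[1].toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;                         // drops onerror, onload, style, ...
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if ((name === 'href' || name === 'src') && !isSafeUrl(value)) continue; // drops javascript: and friends
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.length ? ' ' + kept.join(' ') : '';
}

function sanitizeHtml(html) {
  // Remove script/style elements together with their content, then comments.
  let out = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, '');
  out = out.replace(/<!--[\s\S]*?-->/g, '');
  // Rebuild every remaining tag from the allowlists; unknown tags vanish and
  // their inner text stays as text. Limitation: a '>' inside a quoted attribute
  // value ends the tag early, so the remainder becomes inert text.
  return out.replace(TAG_RE, (_, close, tag, attrs, selfClose) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (close) return `</${name}>`;
    return `<${name}${sanitizeAttributes(attrs)}${selfClose ? ' /' : ''}>`;
  });
}

// The slide's input: the onerror handler is what must not reach the sink.
const html = '<img src=x onerror=alert(1)/>';
console.log(sanitizeHtml(html)); // <img src="x" />
```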
SBA Live Academy Topic 11/25
What are data protection laws for?
Gerald Sendera (SBA)
SBA Live Academy Topic 13/25
Using HTTPS by Default: How Web Servers Can Make the Web More Secure
Matthew Holt (Full-time open source developer, project lead of the Caddy web server)
SBA Live Academy Topic 15/25
Physical Attacks against (I)IoT Devices, Embedded Devices, Microcontrollers and Systems on Chip (SoC)
Christian Kudera (SBA)
SBA Live Academy Topic 17/25
Attacks on the power grid – when the power no longer comes out of the socket
Johanna Ullrich (SBA)
SBA Live Academy Topic 19/25
The COVID-19 crisis and simulation models. What can we say? And what can't we?
Niki Popper (dwh)
Stefan Jakoubi
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 660 5 10 20 40
sjakoubi@sba-research.org
Thomas Konrad
SBA Research gGmbH
Floragasse 7, 1040 Wien
+43 664 889 272 17
tkonrad@sba-research.org
Professional Services
Penetration Testing
Architecture Reviews
Security Audit
Security Trainings
Incident Response Readiness
ISMS & ISO 27001 Consulting
Research & consulting under one roof
Applied Research
Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security
SBA Research
Knowledge Transfer
SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME
Contact us: anfragen@sba-research.org
#bleibdaheim #remotelearning
Coming up - Security Meetup by SBA
10.06.2020, 18:00, live:
"Secure development on Kubernetes" by Andreas Falk (Novatec Consulting)
Language: English
Join our Meetup group!
https://www.meetup.com/Security-Meetup-by-SBA-Research/