IT security for all. Bootcamp slides

•

1 gefällt mir•1,126 views

Bildung Technologie News & Politik

IT security for startups
all
Bootcamp, MIPT, 21/12/2013

BIO
• Whitehat (Facebook, Google,Yandex
rewards)

• Security researcher

• CEO

• @d0znpp

Security?
• Not for our budget now

• Not affected revenue

• We are not interesting for hackers

• No one had hacked us before

• Rocket science

• QA job

Security!
• We have ﬁrewall

• We have admin

• We have antivirus

• All is OK

Security!
• External network level

• Application layer

• Internal network layer

• Staff awareness

Best practice!

Security like
bookkeeping
• A process

• Nondiscrete

• You can not start it retroactively

Enterprise way
• SDL - security development lifecycle

• Works but hard to implement

All in clouds!
!

For what i need
security?

Typical cases
• Marketing site (almost static content)

• Cloud CRM

• Cloud mail

• Cloud dev (github/bitbucket private reps)

• And what about DNS?

• What about integration between it?

• What about client-side security?

PCI DSS!
!

Our payments
protected

Typical cases
• «These materials include a framework of
speciﬁcations, tools, measurements and
support resources to help organizations
ensure the safe handling of cardholder
information at every step»

• And what about other information?

• What about MY data/money?

• Nothing...

Platform (CMS,
framework, etc) based
application
!

Our security depends
from platform security

Typical cases
• On what basis did you choose the
platform?

• Is your platform have security guide?

• Are you read it?

• Do you all understand there?

• Whether your application can run on the
new version of the same?

A little from history

• HTTP - 1991 for links at science articles

• PHP - Personal Home Pages

• ...

Typical questions after
security audit
• Why so easy to hack us?

• Why this has not been done before?

• How do we know whether it's someone
did earlier?

What i can do now?
• Scan your addresses using nmap -p1-65535

• Add nmap scanning to QA tests

• Create «Security basics» page in your Wiki

• http://en.wikipedia.org/wiki/Crosssite_scripting

• http://en.wikipedia.org/wiki/Crosssite_request_forgery

• ...

Q/A or QA ;)
Contact anytime:

• in@wallarm.com

• @d0znpp

Weitere ähnliche Inhalte

Was ist angesagt?

Automated Security Testing

Automated Security Testing

Automated Security Testing

We will discuss the what, why and the how of running modern security operations. We will take a look at the pain points in a DevOps life cycle and see the benefits of pragmatic security solutions. Attendees will get an idea about where and how to start devsecops for secure devops pipeline. This talk is focused on the what, why and the how of running security operations in the modern world. The way attacks are changing and developers are moving ahead with the next generation technologies is blazingly fast. However, traditional operations still exist. It then becomes imperative to make changes in the way security operations should run to defend against attackers and work with developers and modern businesses. In this talk, we will see what are the real world problems faced by organisations, how we can rapidly adapt to changes by modifying the culture and methodologies while relying on processes, tools and techniques.

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

When the internet bleeded : RootConf 2014

When the internet bleeded : RootConf 2014

When the internet bleeded : RootConf 2014

Anant Shrivastava

[OWASP Poland Day] Application security - daily questions & answers

[OWASP Poland Day] Application security - daily questions & answers

[OWASP Poland Day] Application security - daily questions & answers

Using commercially available attack tools like OpenBullet, Snipr MBA and BlackBullet has dramatically simplified the act of committing fraud through account takeovers, fake account creation or other automated attack. With thousands of configs available on the web, bad actors can find a pre-defined attacks for the retail, financial services, streaming media or other web application they want to target. If a predefined attack config for your company is discovered, how should you react? In this session, Will Glazier, head of security research at Cequence Security will provide tips and techniques to help you uncover the existence of an attack config, then demonstrate how it is used in OpenBullet, providing pointers on how to use OpenBullet to your mitigation advantage. A demonstration of Cequence Bot Defense will wrap up the session. Discussion topics for the talk will include: Researching Attack Configurations - Forums - Attack tools - Using the power of Google Turning the Tables: OpenBullet Deep Dive - How it works - Use it to your advantage: stop the attacks Using OpenBullet Findings to Prevent Attacks - Brief demo of Cequence Bot Defense

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

The OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy

So Your Company Hired A Pentester

So Your Company Hired A Pentester

So Your Company Hired A Pentester

My tryst with sourcecode review

My tryst with sourcecode review

My tryst with sourcecode review

Anant Shrivastava

Tw noche geek quito webappsec

Tw noche geek quito webappsec

Tw noche geek quito webappsec

[OWASP Poland Day] Saving private token

[OWASP Poland Day] Saving private token

[OWASP Poland Day] Saving private token

As developers, we build great things. The next step is to protect this work and our precious data, sometimes the crown jewels of the company. This extensive presentation is an introduction into information security, with many tips and thoughts for developers. It focuses on the benefits of applying information security, and how to use it in your work. Michael Boelen has a background in Linux security. He is the developer of several open source tools. This presentation includes some tips specifically for Linux, although most principles are applicable on all platforms.

Linux Security for Developers

Linux Security for Developers

Linux Security for Developers

[OWASP Poland Day] Web App Security Architectures

[OWASP Poland Day] Web App Security Architectures

[OWASP Poland Day] Web App Security Architectures

This is not your normal DevSecOps presentation. We’re going to take on the most difficult aspect of security automation, the dreaded and pitfall prone, dynamic testing. You want to shift left and automate all the things, but DAST specifically has many thorns. How do you ensure what you’re testing matches production? Do devs own the environment? On metal, docker, kubernetes, or docker-compose? Test coverage? Balancing all these elements and more is not easy. Especially if you want to create a single, scalable, standard for your entire org. In this talk, we’ll cover what is needed to start automating your dynamic security testing, how to navigate the trade-offs you’ll have to consider, and finally how best to fit automated DAST testing into your software delivery pipelines. We’ll discuss simple and easy steps to gain efficiency and how to scale to mature pipelines that require little to no human intervention.

The Final Frontier, Automating Dynamic Security Testing

The Final Frontier, Automating Dynamic Security Testing

The Final Frontier, Automating Dynamic Security Testing

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Security knowledge framework

[OWASP Poland Day] Security knowledge framework

[OWASP Poland Day] Security knowledge framework

Mod Security

Anatomy of a Cloud Hack

Anatomy of a Cloud Hack

Anatomy of a Cloud Hack

NotSoSecure Global Services

You’re tasked with ‘doing AppSec’ for your company and you’ve got more apps and issues than you know how to deal with. How do you make sense of the different tools outputs for all your different apps? DefectDojo can be your one source of truth and become the heart of your AppSec automation program. DefectDojo grew out of a Product Security program 8 years ago and was created by AppSec people for AppSec people. In this talk, you’ll learn about DefectDojo and how to make the most of the many features it offers including its REST-based API. DefectDojo can be your one source of truth for discovered security vulnerabilities, report generation, aggregation of over 80 different security tools, inventory of applications, tracking testing efforts and metrics on the AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

Intro to DefectDojo at OWASP Switzerland

Intro to DefectDojo at OWASP Switzerland

Intro to DefectDojo at OWASP Switzerland

Sullivan heartbleed-defcon22 2014

Sullivan heartbleed-defcon22 2014

Sullivan heartbleed-defcon22 2014

Was ist angesagt? (20)

Automated Security Testing

Automated Security Testing

Automated Security Testing

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

Modern Security Operations aka Secure DevOps @ All Day DevOps 2017

When the internet bleeded : RootConf 2014

When the internet bleeded : RootConf 2014

When the internet bleeded : RootConf 2014

[OWASP Poland Day] Application security - daily questions & answers

[OWASP Poland Day] Application security - daily questions & answers

[OWASP Poland Day] Application security - daily questions & answers

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

There’s an OpenBullet Attack Config for Your Site – What Should You Do?

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware

The OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy

So Your Company Hired A Pentester

So Your Company Hired A Pentester

So Your Company Hired A Pentester

My tryst with sourcecode review

My tryst with sourcecode review

My tryst with sourcecode review

Tw noche geek quito webappsec

Tw noche geek quito webappsec

Tw noche geek quito webappsec

[OWASP Poland Day] Saving private token

[OWASP Poland Day] Saving private token

[OWASP Poland Day] Saving private token

Linux Security for Developers

Linux Security for Developers

Linux Security for Developers

[OWASP Poland Day] Web App Security Architectures

[OWASP Poland Day] Web App Security Architectures

[OWASP Poland Day] Web App Security Architectures

The Final Frontier, Automating Dynamic Security Testing

The Final Frontier, Automating Dynamic Security Testing

The Final Frontier, Automating Dynamic Security Testing

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Application frameworks' vulnerabilities

[OWASP Poland Day] Security knowledge framework

[OWASP Poland Day] Security knowledge framework

[OWASP Poland Day] Security knowledge framework

Mod Security

Anatomy of a Cloud Hack

Anatomy of a Cloud Hack

Anatomy of a Cloud Hack

Intro to DefectDojo at OWASP Switzerland

Intro to DefectDojo at OWASP Switzerland

Intro to DefectDojo at OWASP Switzerland

Sullivan heartbleed-defcon22 2014

Sullivan heartbleed-defcon22 2014

Sullivan heartbleed-defcon22 2014

Ähnlich wie IT security for all. Bootcamp slides

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

Are you overwhelmed by the plethora of cloud security vendors and not sure how to get started with security monitoring in a cloud environment? Find out how we at RightScale use security monitoring in the cloud to achieve compliance, send critical alerts, and collect forensic data. In this webinar, we will: - Guide you through the framework we used to define our goals for security monitoring, decide how we wanted to do it, and then select which tools to use. - Share practical insights on how to successfully do security monitoring in a cloud environment. - Realign the focus to be on delivering results instead of implementing technology for technology's sake. Join RightScale's Director of Security & Compliance Phil Cox and Senior Security Engineer Tony Spataro to learn directly from the team responsible for the security architecture and regulatory compliance for one of the most complex cloud-based deployments on the planet.

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

What happens when a security researcher finds a hole in your code? Do have a clear policy to submit this kind of findings? Most not. Responsible Disclosure is something every company should manage, and Bug Bounties Programs help to improve the security as well as be in contact with the hacker community. During the talk we will see how a Responsible Disclosure Program or a BugBounty Program works, and how the company should focus and not forget about other mitigations and counter mesures related to security

Bugbounty Programs - Codemotion

Bugbounty Programs - Codemotion

Bugbounty Programs - Codemotion

SeungJin Lee (beist) GrayHash / CEO Grayhash is a security consultant team (i.e. hackers) and used to be a very small firm but has worked with many clients. What we mainly do is finding zero-days from customers' products and infrastructures. We have started working with LINE from April and have learned what's crucial for big companies like LINE. We have identified issues and challenges not only in software but also in infrastructure because Dev teams do make mistakes in both of them. I will talk about our efforts to make LINE more secure with interesting episodes and insightful examples.

Life as an enterprise security geek from underground. (What enterprises want ...

Life as an enterprise security geek from underground. (What enterprises want ...

Life as an enterprise security geek from underground. (What enterprises want ...

LINE Corporation

Protect your Database with Data Masking & Enforced Version Control

Protect your Database with Data Masking & Enforced Version Control

Protect your Database with Data Masking & Enforced Version Control

DBmaestro - Database DevOps

What happens when a company either doesn’t fully empower the Security team, or have one at all? Stuff like Goto fail, Equifax, unsandboxed AVs and infinite other buzz, or yet to be buzzed, words describe failures of not adequately protecting customers or services they rely on. Having a solid security team enables a company to set a bar, ensure security exists within the design, insert tooling at various stages of the process and continuously iterate on such results. Working with the folks building the products to give them solutions instead of just problems allows one to scale, earn trust and most importantly be effective and actually ship. There’s a whole security industry out there with folks wearing every which hat you can think of. They have influence and the ability to find a bug one day and disclose it the next, so companies must adapt both engineering practices and perspectives in order to ‘navigate the waters of reality’ and not just hope one doesn’t take a look at their product. Having processes in place that reduce attack surface, automate testing and set a minimum bar can reduce bugs therefore randomization for devs therefore cost of patching and create a culture where security makes more sense as it demonstratively solves problems. Nvidia is evolving in this space. Focused on the role of product security, I’ll go through the various components of a security team and how they each interact and complement each other, commodity and niche tooling as well as how relationships across organizations can give one an edge in this area. This talk balances the perspective of security engineers working within a large company with the independent nature of how things work in the industry. Attendees will walk away with a breadth of knowledge, an inside view of the technical workings, tooling and intricacies of finding and fixing bugs and finding balance within a product-first world.

ProdSec: A Technical Approach

ProdSec: A Technical Approach

ProdSec: A Technical Approach

As security threats continue to evolve and increase, companies need to also adapt their approach to IT security. One important concept that is gaining in popularity and adoption is zero trust security. The main concept behind the zero trust security model is "never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. Zero Trust means moving beyond a perimeter security strategy. As companies offer customers and business partners new digital experiences and processes, networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location. This dynamic is impacting IBM i customers and zero trust security is an important element of a modern security strategy. Join us for this webcast to hear about: • Understanding zero trust security concepts • Zero trust security in the real world • Zero trust security for IBM i environments

Understanding Zero Trust Security for IBM i

Understanding Zero Trust Security for IBM i

Understanding Zero Trust Security for IBM i

In today’s IT world, the threats from bad actors are increasing and the negative impacts of a data breach continue to rise. Responsible enterprises have an obligation to handle the personal data of their customers with care and protect their company’s information with all the tools at their disposal. For IBM i customers, this includes system settings, company-wide security protocols and the strategic use of additional third-party solutions. These solutions should include things like multi factor authentication (MFA), auditing and SEIM features, access control, authority elevation, and more. In this presentation, we will help you understand how all these elements can work together to create an effective, comprehensive IBM i security environment. Watch this on-demand webinar to learn about: • taking a holistic approach to IBM i Security • what to look for when you consider adding a security product to your IBM i IT infrastructure. • the components to consider a comprehensive, effective security strategy • how Precisely can help

What Does a Full Featured Security Strategy Look Like?

What Does a Full Featured Security Strategy Look Like?

What Does a Full Featured Security Strategy Look Like?

What happens when a security researcher finds a hole in your code? Do have a clear policy to submit this kind of findings? Most not. Responsible Disclosure is something every company should manage, and Bug Bounties Programs help to improve the security as well as be in contact with the hacker community. During the talk we will see how a Responsible Disclosure Program or a BugBounty Program works, and how the company should focus and not forget about other mitigations and counter mesures related to security. Also we will dig a bit in how a security report must be performed in a good way. Find out more presentations at https://madrid2018.codemotionworld.com/speakers/

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

It is well known among security professionals that the weakest link in any organization's security is the employee- the so-called "human element". While endpoint security controls may mitigate this risk, they are nowhere close to removing it completely. This is where security training becomes essential. This talk will cover how to introduce and improve security training in any organization, along with industry best practices, and methods to keep knowledge retention high. The speaker will provide specific examples from his own experience of cases where a properly trained employee could have easily thwarted a devastating attack immediately. Will your employees be your weakest link, or your strongest asset?

Security Training: Making your weakest link the strongest - CircleCityCon 2017

Security Training: Making your weakest link the strongest - CircleCityCon 2017

Security Training: Making your weakest link the strongest - CircleCityCon 2017

In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.

AppSec in an Agile World

AppSec in an Agile World

AppSec in an Agile World

This presentation was from Joomla day 2016 held right here in KLCC Malaysia. Astiostech presented several important factors to consider when monitoring a web service with of course special focus on Joomla. However, these guidelines can be used for just about any web service you may want to monitor. Monitoring is pivotal to a web infrastructure and it should not be considered today as a luxury. With tools like Nagios XI, we can simply start monitoring with mere clicks of a web browser and you're pretty much on the right track.

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Cybersecurity Roadmap for Beginners

Cybersecurity Roadmap for Beginners

Cybersecurity Roadmap for Beginners

Sanjeev Kumar Jaiswal

User management - the next-gen of authentication meetup 27012022

User management - the next-gen of authentication meetup 27012022

User management - the next-gen of authentication meetup 27012022

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

As a hacker and engineer I've been interested in identity and privacy since the dawn of the Internet and the online services it's enabled. For the past year I've been helping to build and open source The @ Platform, which inverts the usual model by giving everybody (and every thing) their own place to store data and control who (and what) has access to it. This talk will give an overview of the platform and its underlying protocol, and illustrate how it can be used to build privacy preserving apps and Internet connected things. It will also cover how the platform can be self hosted on devices like the Raspberry Pi, and how people can get involved in the open source community growing around it.

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

Shift Left Security

Shift Left Security

Shift Left Security

Alexey Sintsov- SDLC - try me to implement

Alexey Sintsov- SDLC - try me to implement

Alexey Sintsov- SDLC - try me to implement

This talk will demo one threat modeling methodology and how an engineering team is appending it to their Secure Software Development Life Cycle.   The goal is to create a single platform for communicating architectural risk and planning mitigations within sprints. This will not only address security concerns sooner in a product's lifecycle but establish a trusting relationship between engineering and security teams. As an ever-evolving space, to reduce risk and deploy products to market, this is one additional step any software-focused team can quickly adapt to their practices.

Threat Modeling All Day!

Threat Modeling All Day!

Threat Modeling All Day!

Amazon WorkSpaces provides businesses with secure, managed desktops in the Amazon cloud, and offers an enhanced security posture, the ability to support the needs of a modern mobile workforce, and the flexibility to scale globally. In this session, you’ll hear about how organizations can simplify end user computing by moving desktops to the cloud. The session will cover identity and access management, network access and design, integration with on-premises IT infrastructure, application delivery, and the end user experience. Generalized deployment model and office in the box with a deconstructed network. You will also hear first-hand from customers who have implemented WorkSpaces and best practices for deploying Amazon WorkSpaces at scale. Topics will include security and network access, identity and access management, application delivery, and end user experience.

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Amazon Web Services

Ähnlich wie IT security for all. Bootcamp slides (20)

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

RightScale Webinar: Security Monitoring in the Cloud: How RightScale Does It

Bugbounty Programs - Codemotion

Bugbounty Programs - Codemotion

Bugbounty Programs - Codemotion

Life as an enterprise security geek from underground. (What enterprises want ...

Life as an enterprise security geek from underground. (What enterprises want ...

Life as an enterprise security geek from underground. (What enterprises want ...

Protect your Database with Data Masking & Enforced Version Control

Protect your Database with Data Masking & Enforced Version Control

Protect your Database with Data Masking & Enforced Version Control

ProdSec: A Technical Approach

ProdSec: A Technical Approach

ProdSec: A Technical Approach

Understanding Zero Trust Security for IBM i

Understanding Zero Trust Security for IBM i

Understanding Zero Trust Security for IBM i

What Does a Full Featured Security Strategy Look Like?

What Does a Full Featured Security Strategy Look Like?

What Does a Full Featured Security Strategy Look Like?

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

Omar Benbouazza | Bugbounty Programs | Codemotion Madrid 2018

Security Training: Making your weakest link the strongest - CircleCityCon 2017

Security Training: Making your weakest link the strongest - CircleCityCon 2017

Security Training: Making your weakest link the strongest - CircleCityCon 2017

AppSec in an Agile World

AppSec in an Agile World

AppSec in an Agile World

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Functionality, security and performance monitoring of web assets (e.g. Joomla...

Cybersecurity Roadmap for Beginners

Cybersecurity Roadmap for Beginners

Cybersecurity Roadmap for Beginners

User management - the next-gen of authentication meetup 27012022

User management - the next-gen of authentication meetup 27012022

User management - the next-gen of authentication meetup 27012022

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

Open Secrets of the Defense Industry: Building Your Own Intelligence Program ...

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

EMFcamp2022 - What if apps logged into you, instead of you logging into apps?

Shift Left Security

Shift Left Security

Shift Left Security

Alexey Sintsov- SDLC - try me to implement

Alexey Sintsov- SDLC - try me to implement

Alexey Sintsov- SDLC - try me to implement

Threat Modeling All Day!

Threat Modeling All Day!

Threat Modeling All Day!

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Kürzlich hochgeladen

Food safety_Challenges food safety laboratories_.pdf

Food safety_Challenges food safety laboratories_.pdf

Food safety_Challenges food safety laboratories_.pdf

Holdier Curriculum Vitae (April 2024).pdf

Holdier Curriculum Vitae (April 2024).pdf

Holdier Curriculum Vitae (April 2024).pdf

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University of Engineering & Technology, Jamshoro

On National Teacher Day, meet the 2024-25 Kenan Fellows

On National Teacher Day, meet the 2024-25 Kenan Fellows

On National Teacher Day, meet the 2024-25 Kenan Fellows

REMIFENTANIL: An Ultra short acting opioid.pptx

REMIFENTANIL: An Ultra short acting opioid.pptx

REMIFENTANIL: An Ultra short acting opioid.pptx

Dr. Ravikiran H M Gowda

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Jamworks pilot and AI at Jisc (20/03/2024)

Jamworks pilot and AI at Jisc (20/03/2024)

Jamworks pilot and AI at Jisc (20/03/2024)

Sociology 101 Demonstration of Learning Exhibit

Sociology 101 Demonstration of Learning Exhibit

Sociology 101 Demonstration of Learning Exhibit

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Dr Vijay Vishwakarma

ICT Role in 21st Century Education & its Challenges.pptx

ICT Role in 21st Century Education & its Challenges.pptx

ICT Role in 21st Century Education & its Challenges.pptx

Salient Features of India constitution especially power and functions

Salient Features of India constitution especially power and functions

Salient Features of India constitution especially power and functions

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

Graduate Outcomes Presentation Slides - English

Graduate Outcomes Presentation Slides - English

Graduate Outcomes Presentation Slides - English

𝐋𝐞𝐬𝐬𝐨𝐧 𝐎𝐮𝐭𝐜𝐨𝐦𝐞𝐬: -Discern accommodations and modifications within inclusive classroom environments, distinguishing between their respective roles and applications. -Through critical analysis of hypothetical scenarios, learners will adeptly select appropriate accommodations and modifications, honing their ability to foster an inclusive learning environment for students with disabilities or unique challenges.

Understanding Accommodations and Modifications

Understanding Accommodations and Modifications

Understanding Accommodations and Modifications

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

Klinik_ Apotek Onlin 085657271886 Solusi Menggugurkan Masalah Kehamilan Anda Jual Obat Aborsi Asli KLINIK ABORSI TERPEECAYA _ Jual Obat Aborsi Cytotec Misoprostol Asli 100% Ampuh Hanya 3 Jam Langsung Gugur || OBAT PENGGUGUR KANDUNGAN AMPUH MANJUR OBAT ABORSI OLINE" APOTIK Jual Obat Cytotec, Gastrul, Gynecoside Asli Ampuh. JUAL ” Obat Aborsi Tuntas | Obat Aborsi Manjur | Obat Aborsi Ampuh | Obat Penggugur Janin | Obat Pencegah Kehamilan | Obat Pelancar Haid | Obat terlambat Bulan | Ciri Obat Aborsi Asli | Obat Telat Bulan | Pil Aborsi Asli | Cara Menggugurkan Konten | Cara Aborsi Tuntas | Harga Obat Aborsi Asli | Pil Aborsi | Jual Obat Aborsi Cytotec | Cara Aborsi Sendiri | Cara Aborsi Usia 1 Bulan | Cara Aborsi Usia 2 Tahun | Cara Aborsi Usia 3 Bulan | Obat Aborsi Usia 4 Bulan | Cara Abrasi Usia 5 Bulan | Cara Menggugurkan Konten | Kandungan Obat Penggugur | Cara Menghitung Usia Konten | Cara Mengatasi Terlambat Bulan | Penjual Obat Aborsi Asli | Obat Aborsi Garansi | Kandungan Obat Peluntur | Obat Telat Datang Bulan | Obat Telat Haid | Obat Aborsi Paling Murah | Klinik Jual Obat Aborsi | Jual Pil Cytotec | Apotik Jual Obat Aborsi | Kandungan Dokter Abrasi | Cara Aborsi Cepat | Jual Obat Aborsi Bergaransi | Jual Obat Cytotec Asli | Obat Aborsi Aman Manjur | Obat Misoprostol Cytotec Asli. "APA ITU ABORSI" “Aborsi Adalah dengan membendung hormon yang di perlukan untuk mempertahankan kehamilan yaitu hormon progesteron, karena hormon ini dibendung, maka jalur kehamilan mulai membuka dan leher rahim menjadi melunak,sehingga mengeluarkan darah yang merupakan tanda bahwa obat telah bekerja || maksimal 1 jam obat diminum || PENJELASAN OBAT ABORSI USIA 1 _7 BULAN Pada usia kandungan ini, pasien akan merasakan sakit yang sedikit tidak berlebihan || sekitar 1 jam ||. namun hanya akan terjadi pada saatdarah keluar merupakan pertanda menstruasi. Hal ini dikarenakan pada usiakandungan 3 bulan,janin sudah terbentuk sebesar kepalan tangan orang dewasa. Cara kerja obat aborsi : JUAL OBAT ABORSI AMPUH dosis 3 bulan secara umum sama dengan cara kerja || DOSIS OBAT ABORSI 2 bulan”, hanya berbedanya selain mengisolasijanin juga menghancurkan janin dengan formula methotrexate dikandungdidalamnya. Formula methotrexate ini sangat ampuh untuk menghancurkan janinmenjadi serpihan-serpihan kecil akan sangat berguna pada saat dikeluarkan nanti. APA ALASAN WANITA MELAKUKAN ABORSI? Aborsi di lakukan wanita hamil baik yang sudah menikah maupun belum menikah dengan berbagai alasan , akan tetapi alasan yang utama adalah alasan-alasan non medis (termasuk aborsi sendiri / di sengaja/ buatan] MELAYANI PEMESANAN OBAT ABORSI SETIAP HARI, SIAP KIRIM KESELURUH KOTA BESAR DI INDONESIA DAN LUAR NEGERI. HUBUNGI PEMESANAN LEBIH NYAMAN VIA WA/: 085657271886

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Towards a code of practice for AI in AT.pptx

Towards a code of practice for AI in AT.pptx

Towards a code of practice for AI in AT.pptx

Fostering Friendships - Enhancing Social Bonds in the Classroom

Fostering Friendships - Enhancing Social Bonds in the Classroom

Fostering Friendships - Enhancing Social Bonds in the Classroom

Pooky Knightsmith

Micro-Scholarship, What it is, How can it help me.pdf

Micro-Scholarship, What it is, How can it help me.pdf

Micro-Scholarship, What it is, How can it help me.pdf

Kürzlich hochgeladen (20)

Food safety_Challenges food safety laboratories_.pdf

Food safety_Challenges food safety laboratories_.pdf

Food safety_Challenges food safety laboratories_.pdf

Holdier Curriculum Vitae (April 2024).pdf

Holdier Curriculum Vitae (April 2024).pdf

Holdier Curriculum Vitae (April 2024).pdf

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University Newsletter Vol-X, Issue-I, 2024

On National Teacher Day, meet the 2024-25 Kenan Fellows

On National Teacher Day, meet the 2024-25 Kenan Fellows

On National Teacher Day, meet the 2024-25 Kenan Fellows

REMIFENTANIL: An Ultra short acting opioid.pptx

REMIFENTANIL: An Ultra short acting opioid.pptx

REMIFENTANIL: An Ultra short acting opioid.pptx

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Exploring_the_Narrative_Style_of_Amitav_Ghoshs_Gun_Island.pptx

Jamworks pilot and AI at Jisc (20/03/2024)

Jamworks pilot and AI at Jisc (20/03/2024)

Jamworks pilot and AI at Jisc (20/03/2024)

Sociology 101 Demonstration of Learning Exhibit

Sociology 101 Demonstration of Learning Exhibit

Sociology 101 Demonstration of Learning Exhibit

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf

ICT Role in 21st Century Education & its Challenges.pptx

ICT Role in 21st Century Education & its Challenges.pptx

ICT Role in 21st Century Education & its Challenges.pptx

Salient Features of India constitution especially power and functions

Salient Features of India constitution especially power and functions

Salient Features of India constitution especially power and functions

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...

Graduate Outcomes Presentation Slides - English

Graduate Outcomes Presentation Slides - English

Graduate Outcomes Presentation Slides - English

Understanding Accommodations and Modifications

Understanding Accommodations and Modifications

Understanding Accommodations and Modifications

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...

Towards a code of practice for AI in AT.pptx

Towards a code of practice for AI in AT.pptx

Towards a code of practice for AI in AT.pptx

Fostering Friendships - Enhancing Social Bonds in the Classroom

Fostering Friendships - Enhancing Social Bonds in the Classroom

Fostering Friendships - Enhancing Social Bonds in the Classroom

Micro-Scholarship, What it is, How can it help me.pdf

Micro-Scholarship, What it is, How can it help me.pdf

Micro-Scholarship, What it is, How can it help me.pdf

IT security for all. Bootcamp slides

1. IT security for startups all Bootcamp, MIPT, 21/12/2013

2. BIO • Whitehat (Facebook, Google,Yandex rewards) • Security researcher • CEO • @d0znpp

3. Security? • Not for our budget now • Not affected revenue • We are not interesting for hackers • No one had hacked us before • Rocket science • QA job

4. Security! • We have ﬁrewall • We have admin • We have antivirus • All is OK

5. Security! • External network level • Application layer • Internal network layer • Staff awareness

6.

7. Best practice!

8. Security like bookkeeping • A process • Nondiscrete • You can not start it retroactively

9. Enterprise way • SDL - security development lifecycle • Works but hard to implement

10. All in clouds! ! For what i need security?

11. Typical cases • Marketing site (almost static content) • Cloud CRM • Cloud mail • Cloud dev (github/bitbucket private reps) • And what about DNS? • What about integration between it? • What about client-side security?

12. PCI DSS! ! Our payments protected

13. Typical cases • «These materials include a framework of speciﬁcations, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step» • And what about other information? • What about MY data/money? • Nothing...

14. Platform (CMS, framework, etc) based application ! Our security depends from platform security

15. Typical cases • On what basis did you choose the platform? • Is your platform have security guide? • Are you read it? • Do you all understand there? • Whether your application can run on the new version of the same?

16. A little from history • HTTP - 1991 for links at science articles • PHP - Personal Home Pages • ...

17. Typical questions after security audit • Why so easy to hack us? • Why this has not been done before? • How do we know whether it's someone did earlier?

18. What i can do now? • Scan your addresses using nmap -p1-65535 • Add nmap scanning to QA tests • Create «Security basics» page in your Wiki • http://en.wikipedia.org/wiki/Crosssite_scripting • http://en.wikipedia.org/wiki/Crosssite_request_forgery • ...

19. Q/A or QA ;) Contact anytime: • in@wallarm.com • @d0znpp