Reducing Risk of Credential Compromise at Netflix

•

0 j'aime•212 vues

Building a secure system is like constructing a good pizza – each individual layer adds flavor that ultimately builds to the perfect bite. At Netflix we have hand-crafted ingredients that by themselves are scrumptious, but when placed together strategically on the crust (read: cloud), constructs a pizza so large that any pizza lover (read: attacker) would be challenged to finish. Attendees will learn the secret to the sauce that is Netflix Infrastructure Security and how even defensive appsec tooling like Signal Sciences can be used in the mix to be better equipped to start baking pizza in their own kitchen, and leave satisfied.

Technologie

Netflix’s Layered Approach
to Reducing Risk of
Credential Compromise
Will Bengston
Sr. Security Engineer, Netflix
Travis McPeak
Sr. Security Engineer, Netflix

The picture can't be displayed.
Next-gen WAF and RASP
Defensive Technology
Designed to unify the efforts of engineering, security
and operations to increase security and maintain site
reliability without sacrificing speed or scale.

Web App Attacks Are the #1 Source of Data Breaches
Attacks are Up 300% from 2014 – Incumbent Products Aren’t Solving the
Problem
Less Than 5% of
data center security budgets
are spent on AppSec
Web App Attacks
POS Intrusions
Miscellaneous Errors
Privilege Misuse
Cyber-Espionage
Everything Else
Payment Card
Skimmers
Physical Theft / Loss
Crimeware
Denial Of Service
90
852
519
717
215
512
58
6
1
4
9
5
6
20
%
10
%
40
%
30
%
Percent of
Breaches
Sources: Gartner,
Verizon

The Security Problem
You Can’t Secure
New App Tech with
Legacy App Sec
Account Takeover
Direct Object Reference
Forceful Browsing
Feature Abuse
Evasion Techniques
Subdomain Takeover
Misconfiguration
• Legacy WAFs focus on the
same threats as 15 years ago
• False positives result from generic
signatures without context
• Rarely used in blocking mode
OWASP Injection
Attacks
Real-World Problems

Power Rules
A powerful platform with an
intuitive UI to define,
monitor, and take action on
any transaction
• Use cases address application logic
beyond OWASP attacks
• ATO attacks
• Application and feature abuse
• Auto-blocking OFAC traffic
• Application CVEs
• Virtual patching
• …and more

Active Protection Everywhere
See, Secure and Scale Across:
Any App
Cloud Containers, PaaS
& Serverless
Web Servers & Languages
Gateways & Proxies
Any Attack
OWASP Injection Attacks
PLUS:
Application DDoS
Brute Force Attacks
Application Abuse & Misuse
Request Rate Limiting
Account Takeover
Bad Bots
Virtual Patching
Any DevOps Toolchain
INCLUDING:
Generic Webhooks & Any Custom
Tools via Full RESTFul/JSON API

If the account gets
compromised, damage is
contained.

Useful when
broad permissions
are required.

Useful for sensitive
applications and data.

Reduce friction by
investing in tooling to
C.R.U.D. AWS accounts.

Static keys never expire
and have led to many
compromises.

Short-lived keys,
delivered securely,
rotated automatically.

We continuously and
automatically remove
unused permissions.

Applications converge
to least privilege.

Prevent instance
credentials from
being used off-
instance

If attacker tries to steal
creds, they don’t work.

We applied tags that
restrict roles to specific
applications.

We applied application
specific AuthZ controls
(Fiat).

Together: these two
controls prevent privilege
escalation.

Detect instance
credentials used off-
instance

We already block it.
An attempted use is a
signal.

Detect anomalous
behavior in
environment

We track baseline behavior
for an account.

Some
shouldn’t be used.
regions , services, resources

A perk of continuously
watching CloudTrail.

Same idea, but at the
application/role level.

Applications have
relatively consistent
behavior.

Look for common first
attacker steps:
● s3:ListBuckets
● iam:ListAccessKeys
● sts:GetCallerIdentity

User roles
become unique
as a fingerprint.

This can be used to detect
unusual behavior.

Future:
Remove users
from accounts
they don’t use

Reduces the risk of user
workstation compromise.

Prevent compromise at the
credential source

Contenu connexe

Tendances

The Intersection of Security & DevOps

Alert Logic

API Security with Postman and Qualys

Postman

Did you know that the web is the most common target for application-level attacks? That being said, if you have ever been tasked with securing a web application for one reason or another, then you know it’s not a simple feat to accomplish. When securing your applications, it’s critical to take a strategic approach. This web application security testing checklist guides you through the testing process, captures key testing elements, and prevents testing oversights. Tailor your approach and ensure that your testing strategy is as effective, efficient, and timely as possible with these six steps:

The Complete Web Application Security Testing Checklist

Cigital

Security Implications of the Cloud

Alert Logic

High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks. Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack. The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running. Let us guide you through your application security testing journey with more key differences between SAST and DAST:

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Cigital

Internal network traffic in an organization can be as nefarious as an outside hacker trying to gain access to sensitive information. Every organization needs visibility into their network, both internal and external, in order to detect and respond to threats. Recently, we had an organization that needed a way to detect and block suspicious internal network traffic using SmartResponse from LogRhythm to block shady activity. View the presentation to see how SmartResponse was enabled to quickly detect suspicious internal network activity against a Web server.

Detecting and Blocking Suspicious Internal Network Traffic

LogRhythm

Web applications are commonly used to transmit, accept and store data that is personal, company confidential and sensitive. More enterprises are spending more time testing web applications, but many still do not integrate security testing into an application's overall test plan. In this presentation, we explore ways to integrate security testing into an end-to-end test plan, exercise security features in unit tests, integration tests, acceptance tests.

Testing Web Application Security

Ted Husted

Mobile Application market is growing like anything and so is the Mobile Security industry. With lots of frequent application releases and updates happening, conducting the complete security analysis of mobile applications becomes time consuming and cumbersome. In this talk I will introduce an extendable, and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for Security analysis of Mobile Applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrates some of the issues identified by the tool in real world android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec. Attendees Benefits * An Open Source framework for Automated Mobile Security Assessment. * One Click Report Generation and Security Assessment. * Framework can be deployed at your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud. * Supports both Android and iOS Applications. * Semi Automatic Dynamic Analyzer for intelligent application logic based (whitebox) security assessment.

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

Ajin Abraham

Android security testing

VodqaBLR

Owasp top 10 & Web vulnerabilities

RIZWAN HASAN

Security Testing Training With Examples

Alwin Thayyil

OTG - Practical Hands on VAPT

shiriskumar

Abstract: SAST, DAST, and WAF have been around for almost 15 years — they’re almost impossible to use, can’t protect modern applications, and aren’t compatible with modern software development. Recent studies have demonstrated that these tools miss the majority of real vulnerabilities and attacks while generating staggering numbers of false positives. To compensate, these tools require huge teams of application security experts that can’t possibly keep up with the size of modern application portfolios. Fortunately, the next generation of application security technology uses dynamic software instrumentation to solve these challenges. Gartner calls these products “Interactive Application Security Testing (IAST)” and “Runtime Application Self-Protection (RASP).” In this talk, you’ll learn how IAST and RASP have revolutionized vulnerability assessment and attack prevention in a massively scalable way. Bio: A pioneer in application security, Jeff Williams is the founder and CTO of Contrast Security, a revolutionary application security product. Contrast is an application agent that enables software to both report vulnerabilities and prevent attacks. Jeff has over 25 years of security experience, speaks frequently on cutting-edge application security, and has helped secure code at hundreds of major enterprises. Jeff served as the Global Chairman of the OWASP Foundation for eight years, where he created many open-source standards, tools, libraries, and guidelines - including the OWASP Top Ten.

Continuous Application Security at Scale with IAST and RASP -- Transforming D...

Jeff Williams

Gartner’s statement that “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.” is often quoted, but what does an API abuse attack actually look and feel like? At last year’s Platform Summit, I described 3 different types of API abuse at a high level, summarizing who abuses and why. The year I will go into anatomical and forensic detail on one specific API abuse attack based on our real experiences, explaining what it looked and felt like through the exploration and probing phase, into the setup and test stage, and finally into the at scale exploitation.

API Abuse - The Anatomy of An Attack

Nordic APIs

Reality Check: Security in the Cloud

Alert Logic

Security Testing

Qualitest

Android App Security Solution

Jay Li

we45 - Web Application Security Testing Case Study

we45

Introduction to security testing

Nagasahas DS

Security testing presentation

Confiz

Tendances (20)

The Intersection of Security & DevOps

API Security with Postman and Qualys

The Complete Web Application Security Testing Checklist

Security Implications of the Cloud

SAST vs. DAST: What’s the Best Method For Application Security Testing?

Detecting and Blocking Suspicious Internal Network Traffic

Testing Web Application Security

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF

Android security testing

Owasp top 10 & Web vulnerabilities

Security Testing Training With Examples

OTG - Practical Hands on VAPT

Continuous Application Security at Scale with IAST and RASP -- Transforming D...

API Abuse - The Anatomy of An Attack

Reality Check: Security in the Cloud

Security Testing

Android App Security Solution

we45 - Web Application Security Testing Case Study

Introduction to security testing

Security testing presentation

Similaire à Reducing Risk of Credential Compromise at Netflix

Top Application Security Threats

ColumnInformationSecurity

Demand for Penetration Testing Services.docx

Aardwolf Security

Discovering the Value of Verifying Web Application Security Using IBM Rationa...

Alan Kan

After the completeness of over 50 Penetration Testing and Application Security projects during the 2020 year and many more since 2014, the BSG team shares its expertise in finding security vulnerabilities across many business verticals and industries. On the webinar, we will talk about: 1. Typical threat model of a modern business organization. 2. How the COVID-19 pandemic has changed that threat model? 3. What is Threat Modeling, and how it works for the BSG clients? 4. What is DARTS and how we secure sensitive customer data? 5. What is the BSG Web Application Pentester Training and why? 6. Top 10 critical cybersecurity vulnerabilities we found in 2020. We help our customers address their future security challenges: prevent data breaches and achieve compliance. *Slides - English language *Webinar - Ukrainian language The link on the webinar: https://youtu.be/fkdafStSgZE BSG 2020 Business Outcomes and Security Vulnerabilities Report: https://bit.ly/bsg2020report Contact details: https://bsg.tech hello@bsg.tech

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...

Berezha Security Group

Security by the numbers

Eoin Keary

The Web AppSec How-To: The Defender's Toolbox

Checkmarx

Building an AppSec Team Extended Cut

Mike Spaulding

Mike Spaulding - Building an Application Security Program

centralohioissa

5 step plan to securing your APIs

💻 Javier Garza

Novinky F5

MarketingArrowECS_CZ

Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase. In this session, Dulanja will discuss the following: The importance of application security - why network and OS security is insufficient. Challenges in securing your application. Making security part of the development lifecycle.

Application Security - Your Success Depends on it

WSO2

mastering_web_testing_how_to_make_the_most_of_frameworks.pptx

sarah david

Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go? Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why. She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies. Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.

Security engineering 101 when good design & security work together

Wendy Knox Everette

Hide and seek - Attack Surface Management and continuous assessment.

Eoin Keary

Java Application Development Vulnerabilities

Narola Infotech

apidays Helsinki & North 2023 API Ecosystems - Connecting Physical and Digital June 5 & 6, 2023 API Security in the era of Generative AI Matt Feigal, Partner Engineering Manager at Google Cloud Sweden ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...

apidays

00. introduction to app sec v3

Eoin Keary

mastering_web_testing_how_to_make_the_most_of_frameworks.pdf

sarah david

Mobile Enterprise Application Platform

Nugroho Gito

C01461422

IOSR Journals

Similaire à Reducing Risk of Credential Compromise at Netflix (20)

Top Application Security Threats

Demand for Penetration Testing Services.docx

Discovering the Value of Verifying Web Application Security Using IBM Rationa...

Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G...

Security by the numbers

The Web AppSec How-To: The Defender's Toolbox

Building an AppSec Team Extended Cut

Mike Spaulding - Building an Application Security Program

5 step plan to securing your APIs

Novinky F5

Application Security - Your Success Depends on it

mastering_web_testing_how_to_make_the_most_of_frameworks.pptx

Security engineering 101 when good design & security work together

Hide and seek - Attack Surface Management and continuous assessment.

Java Application Development Vulnerabilities

apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...

00. introduction to app sec v3

mastering_web_testing_how_to_make_the_most_of_frameworks.pdf

Mobile Enterprise Application Platform

C01461422

Plus de SBWebinars

Mobile devices are becoming increasingly better hardened. App stores are helping by vetting apps to weed out malicious behavior. Servers are protected by sophisticated security systems. In the end, the mobile apps themselves remain the most vulnerable elements in a modern application architecture. Once downloaded, they can be reverse engineered and even modified. They may contain or provide gateways to valuable assets, in-app purchases, hidden features or defects, and more, which organizations and developers need to protect. Luckily, protecting Android and iOS apps has also come a long way since the early days of name obfuscation. Have a specific question on Mobile App Protection?

Securing Mobile Apps, From the Inside Out

SBWebinars

The journey of cloud migration isn’t a straight and narrow path, and enterprise DevSecOps teams generally use a variety of tools to reach their goal. In this webinar, we will deep dive into SAP Concur’s journey, and how they are leveraging Contrast Security’s embedded application security model and AWS in tandem to “shift left”, create a seamless developer experience, and deliver secure application workloads on the cloud. Join key executives from SAP Concur, AWS and Contrast Security as they discuss how to avoid the pitfalls and pioneer a secure cloud path to success. In this webinar, you will learn: The start: Why SAP Concur moved to AWS The next step: Cloud enables increased velocity The chutes and ladders: Security challenges with increased software velocity The resolution: Design Architectures and Deployment Models between Contrast Security and AWS The lessons learned: Continuous Improvement & Best Practices.

SAP Concur’s Cloud Journey

SBWebinars

Everyone has become increasingly aware of the danger hackers pose—they can steal data, dismantle systems, and cause damage that can take years to recover from. However, organizations often have a false sense of safety when it comes to their security environments. There are countless ways that businesses are making it easier for a threat actor to find their way in undetected. Join cybersecurity expert Bob Erdman, senior security product manager, as he outlines the most common ways organizations unintentionally put themselves at risk against threats like: Insider attacks Alert and console fatigue Shortage of security staff Misconfigurations Excessive access By better understanding what and where the challenges are, organizations can be better equipped to find solutions. This webinar will also highlight different strategies for mitigating risk, from specific Security Information and Event Management (SIEM) tools to employee education.

Top Cybersecurity Threats and How SIEM Protects Against Them

SBWebinars

Recently there has been a realization that traditional methods of segmentation like VLANs and Firewalls are not suitable for today’s rapidly changing enterprise environments. In this webinar come learn about how modern software-defined segmentation solutions: Start with visibility. Provide enterprises with easy ways to identify and label workloads. Provide easy to implement, granular enforcement that goes way beyond IP address and port but is able to lock down by process, user and domain. Enables DevOp automation, provisioning and management. Is decoupled from and works in an agnostic fashion across every enterprise platform. Provides unparalleled security while enabling compliance and ongoing compliance validation.

Software-Defined Segmentation Done Easily, Quickly and Right

SBWebinars

New TLS encryption standards puts security at the forefront, but what about the visibility issue? Join us for a “How To” webinar covering the newest possibilities for decryption in the cloud to enable incident response, network detection and response and other key security and DevOps use cases . During the session, Steve Perkins, chief product officer and Erik Freeland, director of customer success at Nubeva, will discuss the complications and opportunities surrounding the new TLS 1.3 protocols. They will walk through how organizations can evolve with new encryption standards and also gain full decrypted traffic visibility for intrusion detection, threat hunting, incident response and beyond with Amazon native packet acquisition technology, Amazon VPC traffic mirroring and industry-leading open source monitoring tools.

Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...

SBWebinars

Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future. Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.

Taking Open Source Security to the Next Level

SBWebinars

Application security is an effective tool for defending against attacks. But as IT infrastructures shift to “software-defined everything” and move to the cloud, traditional appsec models no longer are enough to protect the application. This webinar takes a look at how companies are addressing new models to address more dispersed and dynamically connected applications, from traditional web and mobile APIs to containers and microservices.

The Next Generation of Application Security

SBWebinars

While companies are stuck knee-deep responding to alarms within the environment, the supply chain is typically overlooked. Yet, a supply chain attack can have deep repercussions on a company - from data theft and brand tarnishing to regulatory fines. As a security professional, you have the responsibility of safeguarding your company’s data and assets. But how can you control an environment that you don’t even have visibility into? In this webinar, we will: Present techniques to unveil your supply chain’s attack surface Pinpoint warning signs of a supply chain breach Provide a practical strategy to increase the cyber resilience of your supply chain

You're Bleeding. Exposing the Attack Surface in your Supply Chain

SBWebinars

If your organization is developing a payment app or even just using one in your product, then this webinar is for you. The Payment Card Industry (PCI) Security Standards Council recently released a new security framework to replace the previous standard (PCI PA-DSS). The new framework is set to better address the changes that the software development industry has seen in the past few years. Agile and DevOps methodologies, cloud and containerized environments and widespread open source usage have become the new normal and with this, present new AppSec challenges. To ensure that users of payment apps remain safe, the new framework aims to lay a substantial value on continuous application security. Join Alexei Balaganski (Lead Analyst at KuppingerCole) as he discusses: the new framework and standards, and the difference between them and the previous version the practical steps organizations need to take in order to follow the new framework how organizations can leverage automated vulnerability management tools to ensure application security and compliance with the new standards

Demystifying PCI Software Security Framework: All You Need to Know for Your A...

SBWebinars

The vast majority of cloud security threats are from misconfigured IaaS instances, compromised accounts, and insider threats but there's emerging threats on the rise as well. And you’ll need deep visibility into your workloads and containers to fight back. Join us for a live webinar with James Condon, Director of Research at Lacework on the current and emerging threats to public cloud and how best to automate security and compliance across AWS, Azure, and GCP, including: Current and emerging threats to AWS, Azure, and Google Cloud environments Recommendations on how to prevent, detect, analyze, and respond to cloud cyber attacks How to move away from a network-centric mindset and adopt a cloud approach How Lacework can help you automate security and compliance across AWS, Azure, GCP, and private clouds

Top 10 Threats to Cloud Security

SBWebinars

Software development is changing. It is now measured in days instead of months. Microservice architectures are preferred over monolithic centralized app architecture, and cloud is the preferred environment over hardware that must be owned and maintained. In this webinar, we examine how these new software development practices have changed web application security and review a new approach to protecting assets at the web application layer. Attendees will learn: The changes in development models, architecture designs, and infrastructure How these changes necessitate a new approach to web application security How development teams can effectively stay secure at the speed of DevOps

Deploying Secure Modern Apps in Evolving Infrastructures

SBWebinars

Implementing Identity and Access Management universally across multiple IT infrastructures and software platforms is a major challenge for any organization. IAM implementation is no longer about promoting efficiency during an onboarding process, rather it’s more about managing roles, ensuring compliance, and promoting security. To do their daily job successfully, users today expect to get access to information they need from anywhere at any time, regardless of the target system or application. IT departments are struggling to make this access frictionless for users yet maintain compliance with corporate and government-imposed security and privacy regulations. This task is even more complicated if business-critical platforms like SAP are involved – not only SAP has its own security and access governance requirements, it is usually managed by a completely separate team from the one responsible for enterprise-wide IAM program. In this webinar, we will cover the challenges of managing SAP environments in silos, and how One Identity can help overcomes these challenges, and reduce the burden of managing SAP. You will learn how One Identity Manager: Provides a unified view and enterprise management of SAP accounts on different systems, as well as the rest of the enterprise Associates an SAP account with standard user corporate identity, bringing everything under governance Scales to hundreds-of-millions of SAP objects Provides SAP-optimized SoD verification and enforcement Delivers SAP-specialized workflows and business logic within enterprise governance Integrates with SAP cloud applications through One Identity Starling Connect

Reduce the Burden Of Managing SAP With Enterprise Identity Management

SBWebinars

Digital Transformation and DevSecOps are the buzzwords du jour. Increasingly, organizations embrace the notion that if you implement DevOps, you must transform security as well. Failing to do so would either leave you insecure or make your security controls negate the speed you aimed to achieve in the first place. So doing DevSecOps is good... but what does it actually mean? This talk unravels what it looks like with practical, good (and bad) examples of companies who are: Securing DevOps technologies - by either adapting or building new solutions that address the new security concerns Securing DevOps methodologies - changing when and how security controls interact with the application and the development process Adapting to a DevOps philosophy of shared ownership for security In the end, you'll have the tools you need to plan your interpretation of DevSecOps, choose the practices and tooling you need to support it, and ensure that Security leadership is playing an important role in making it a real thing in your organization.

Maturing DevSecOps: From Easy to High Impact

SBWebinars

Addressing public cloud security and compliance is overwhelming given the lack of visibility and monitoring security teams have over their assets in the cloud. This problem is further compounded given the cloud’s benefits of speed and scale and that legacy security tools simply can’t keep pace. Alarmingly, Gartner predicts that through 2022, at least 95 percent of cloud security failures will be the fault of the customer. Join us for a live webinar with Dan Hubbard, Chief Product Officer at Lacework on how to overcome the challenges of protecting your cloud and how to automate security and compliance across AWS, Azure, and GCP, including: Where traditional security falls short and common threats start Why end-to-end visibility is critical across all of your cloud environments How to scale compliance and audit control as your cloud footprint expands What to consider when securing workloads and containers

How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds

SBWebinars

Curious about what hackers really think of your cyber defenses? Thycotic’s new 2018 Black Hat Conference survey conducted in Las Vegas in August reveals some disturbing answers. 75% hackers say companies fail at applying the principle of least privilege 50% of hackers say they easily compromised both Windows 10/8 within the past year More than 90% say they compromised Windows environments despite the use of Group Policy Objects (GPO) Join Thycotic’s Chief Cyber Security Scientist Joseph Carson as he dives into what hackers say about top vulnerabilities they exploit, and how companies are failing to control privileged account credentials. He will then guide you through action steps you can take to limit “overprivileged” users without impacting their productivity.

2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...

SBWebinars

The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018. Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives, without compromising on speed and quality. It's time to for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses: the current state of open source vulnerabilities management; organizations' struggle to handle open source vulnerabilities; and the key strategy for effective vulnerability management.

The State of Open Source Vulnerabilities Management

SBWebinars

When it comes to assessing an IT transformation (such as Agile and DevOps), performance metrics have come under intense scrutiny. Traditional performance metrics, such as counting the number of lines of code and the number of software bugs should be used with caution, because there are bugs that are not worth fixing and code that is not worth maintaining. These old-school performance metrics represent activities, not outcomes. To visualize and optimize the business value of your software delivery, you need to find a way to measure business outcomes. To do that, we need flow metrics.

Flow Metrics: What They Are & Why You Need Them

SBWebinars

Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats

SBWebinars

To keep pace with the increasing demands of software development and delivery, the need for developers to leverage open source components and third party libraries continues to grow. Coupled with the escalating number of vulnerabilities these practices introduce, the result is an increased number of vulnerable entry points for cyber-criminals to exploit. However, this does not mean that companies should or must stop using components in their development efforts. Any company that forbids the use of components would be putting itself at a severe disadvantage in the digital economy. Developers though do need to consider the security aspects of using open source libraries and components as part of their build and testing process.

Building Blocks of Secure Development: How to Make Open Source Work for You

SBWebinars

Every time you run a new assessment, you identify more and more risk that needs to be mitigated. The weight is crushing, and your to-do list never gets any shorter. Sound familiar? Join Jadon Montero, Product Manager, and Justin Buchanan, Solutions Manager, on October 10th where we will discuss processes and systems that equip you to take immediate action on newly identified vulnerabilities and take a bite out of your backlog of work.

Take a Bite Out of the Remediation Backlog

SBWebinars

Plus de SBWebinars (20)

Securing Mobile Apps, From the Inside Out

SAP Concur’s Cloud Journey

Top Cybersecurity Threats and How SIEM Protects Against Them

Software-Defined Segmentation Done Easily, Quickly and Right

Don’t Get Stuck in The Encryption Stone Age: Get Decrypted Visibility with Am...

Taking Open Source Security to the Next Level

The Next Generation of Application Security

You're Bleeding. Exposing the Attack Surface in your Supply Chain

Demystifying PCI Software Security Framework: All You Need to Know for Your A...

Top 10 Threats to Cloud Security

Deploying Secure Modern Apps in Evolving Infrastructures

Reduce the Burden Of Managing SAP With Enterprise Identity Management

Maturing DevSecOps: From Easy to High Impact

How to Kickstart Security and Compliance for Your AWS, Azure, and GCP Clouds

2018 Black Hat Hacker Survey Report: What Hackers Really Think About Your Cyb...

The State of Open Source Vulnerabilities Management

Flow Metrics: What They Are & Why You Need Them

Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats

Building Blocks of Secure Development: How to Make Open Source Work for You

Take a Bite Out of the Remediation Backlog

Dernier

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Martijn de Jong

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Created by Mozilla Research in 2012 and now part of Linux Foundation Europe, the Servo project is an experimental rendering engine written in Rust. It combines memory safety and concurrency to create an independent, modular, and embeddable rendering engine that adheres to web standards. Stewardship of Servo moved from Mozilla Research to the Linux Foundation in 2020, where its mission remains unchanged. After some slow years, in 2023 there has been renewed activity on the project, with a roadmap now focused on improving the engine’s CSS 2 conformance, exploring Android support, and making Servo a practical embeddable rendering engine. In this presentation, Rakhi Sharma reviews the status of the project, our recent developments in 2023, our collaboration with Tauri to make Servo an easy-to-use embeddable rendering engine, and our plans for the future to make Servo an alternative web rendering engine for the embedded devices industry. (c) Embedded Open Source Summit 2024 April 16-18, 2024 Seattle, Washington (US) https://events.linuxfoundation.org/embedded-open-source-summit/ https://ossna2024.sched.com/event/1aBNF/a-year-of-servo-reboot-where-are-we-now-rakhi-sharma-igalia

A Year of the Servo Reboot: Where Are We Now?

Igalia

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

Top 10 Most Downloaded Games on Play Store in 2024

SynarionITSolutions

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

AWS Community Day CPH - Three problems of Terraform

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Artificial Intelligence Chap.5 : Uncertainty

Apidays New York 2024 - The value of a flexible API Management solution for O...

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

2024: Domino Containers - The Next Step. News from the Domino Container commu...

Powerful Google developer tools for immediate impact! (2023-24 C)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Automating Google Workspace (GWS) & more with Apps Script

Artificial Intelligence: Facts and Myths

A Year of the Servo Reboot: Where Are We Now?

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

Top 10 Most Downloaded Games on Play Store in 2024

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

Scaling API-first – The story of a global engineering organization

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Boost Fertility New Invention Ups Success Rates.pdf

Reducing Risk of Credential Compromise at Netflix

1. Netflix’s Layered Approach to Reducing Risk of Credential Compromise Will Bengston Sr. Security Engineer, Netflix Travis McPeak Sr. Security Engineer, Netflix

2. The picture can't be displayed. Next-gen WAF and RASP Defensive Technology Designed to unify the efforts of engineering, security and operations to increase security and maintain site reliability without sacrificing speed or scale.

3. Web App Attacks Are the #1 Source of Data Breaches Attacks are Up 300% from 2014 – Incumbent Products Aren’t Solving the Problem Less Than 5% of data center security budgets are spent on AppSec Web App Attacks POS Intrusions Miscellaneous Errors Privilege Misuse Cyber-Espionage Everything Else Payment Card Skimmers Physical Theft / Loss Crimeware Denial Of Service 90 852 519 717 215 512 58 6 1 4 9 5 6 20 % 10 % 40 % 30 % Percent of Breaches Sources: Gartner, Verizon

4. The Security Problem You Can’t Secure New App Tech with Legacy App Sec Account Takeover Direct Object Reference Forceful Browsing Feature Abuse Evasion Techniques Subdomain Takeover Misconfiguration • Legacy WAFs focus on the same threats as 15 years ago • False positives result from generic signatures without context • Rarely used in blocking mode OWASP Injection Attacks Real-World Problems

5. Power Rules A powerful platform with an intuitive UI to define, monitor, and take action on any transaction • Use cases address application logic beyond OWASP attacks • ATO attacks • Application and feature abuse • Auto-blocking OFAC traffic • Application CVEs • Virtual patching • …and more

6. Active Protection Everywhere See, Secure and Scale Across: Any App Cloud Containers, PaaS & Serverless Web Servers & Languages Gateways & Proxies Any Attack OWASP Injection Attacks PLUS: Application DDoS Brute Force Attacks Application Abuse & Misuse Request Rate Limiting Account Takeover Bad Bots Virtual Patching Any DevOps Toolchain INCLUDING: Generic Webhooks & Any Custom Tools via Full RESTFul/JSON API

10. Segment environment into accounts

11. If the account gets compromised, damage is contained.

12. Useful when broad permissions are required.

13. Useful for separation of duties.

14. Useful for sensitive applications and data.

15. Reduce friction by investing in tooling to C.R.U.D. AWS accounts.

16. Remove static keys

17. Static keys never expire and have led to many compromises.

18.

19. Short-lived keys, delivered securely, rotated automatically.

20. Permission Right Sizing

21. We continuously and automatically remove unused permissions.