Conference:  Defcon 31
Authors: STÖK Hacker / Creative - Truesec
2023-08-01

Logs are a vital component for maintaining application reliability, performance, and security. They serve as a source of information for developers, security teams, and other stakeholders to understand what has happened or gone wrong within an application. However, logs can also be used to compromise the security of an application by injecting malicious content. In this presentation, we will explore how ANSI escape sequences can be used to inject, vandalize, and even weaponize log files of modern applications. We will revisit old terminal injection research and log tampering techniques from the 80s and 90s, and combine them with new features to create chaos and mischief in the modern cloud CLIs, mobile, and feature-rich DevOps terminal emulators of today. We will then provide solutions on how to avoid passing malicious escape sequences into our log files. By doing so, we can ensure that we can trust the data inside our logs, making it safe for operators to use shells to audit files and enabling responders to quickly and accurately investigate incidents without wasting time cleaning, or having to gather additional data, while reconstructing events. Welcome to this "not so black and white," but rather quite colorful ANSI adventure, and learn how to cause, or prevent, a forensic nightmare.
Authors: Magno Logan
2023-02-15

tldr - powered by Generative AI

The presentation discusses the vulnerabilities, attacks, and countermeasures related to GitHub Actions, a continuous integration tool used in DevOps methodology.
  • GitHub Actions automate tasks in software development life cycle
  • The presentation demonstrates the risks of using Runners, the servers provided by GitHub to run Actions
  • Attackers can leverage Runners to mine cryptocurrencies, pivot into other targets, and distribute backdoors into different repositories
  • The problem of third-party dependencies via the GitHub Actions Marketplace is highlighted
  • Creating a fake GitHub Action can make runners act as bots to target other victims and be used in supply-chain attacks
Authors: Chris Romeo
2023-02-15

tldr - powered by Generative AI

The presentation discusses common failures in DevOps security and provides solutions to address them.
  • Failure to prioritize security in DevOps
  • Lack of collaboration between security and development teams
  • Inadequate training and education on application security
  • Inefficient use of tools and technology
  • Lack of integration of threat modeling in DevOps process
  • Vulnerable code in the wild
Authors: Michael Foster
2022-10-24

tldr - powered by Generative AI

The MP Guard project proposes a flexible workflow for DevSec organizations to simplify the experience of creating and maintaining Kubernetes Network policies. The project aims to automate the generation of policies and integrate them into the application's CI/CD pipeline, ensuring that policies get updated whenever required cluster connectivity changes. The proposed network activity is presented to the DevOps team for review, and changes can be automatically updated. The resulting Kubernetes network policies become part of the GitOps process to provision Kubernetes clusters, helping organizations cross the Kubernetes network policy chasm.
  • Identifying the right networking requirements of individual workloads is challenging, and operationalizing the task across Dev, Sec, and Ops is not trivial.
Authors: Bill Bensing
2022-06-22

tldr - powered by Generative AI

The presentation discusses the implementation of modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. The main thesis is to automate control gates and remove the cognitive load of understanding tools in depth to allow for a standard centralized understandable way for the organization.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems
Authors: Hritik Vijay, Philippe Ombredanne
2022-06-22

tldr - powered by Generative AI

The presentation discusses the challenges of package and dependency management in software development and proposes solutions such as using package URLs and a universal versioning system.
  • The complexity of package and dependency management in software development makes it difficult to express boundaries between dependencies and automate the process.
  • Solutions proposed include providing installation prerequisites, using a single package manager, and using general-purpose package managers such as Spack, Conda, Nix, and Guix.
  • Package URLs can be used to name packages and a universal versioning system can be used to deal with version ranges.
  • The universal versioning system can accommodate different versioning schemes and express version ranges in a universal way.
Authors: Ronen Slavin, Alex Ilgayev
2022-06-22

tldr - powered by Generative AI

The presentation discusses the security landscape of GitHub Actions and the potential vulnerabilities that can arise from misconfigurations. The focus is on code injection as the main exploit scenario and the consequences that can result from such attacks.
  • GitHub Actions is a popular CI/CD tool that allows developers to automate development workflows easily
  • Misconfigurations in GitHub Actions can lead to potential vulnerabilities
  • Code injection is a common exploit that can result from misconfigurations
  • The consequences of such attacks can be disastrous, including exposing secrets and allowing attackers to commit malicious code
  • Possible mitigations to stop such attacks are explored
Authors: Riotaro OKADA
2021-09-25

tldr - powered by Generative AI

The presentation discusses the challenges of implementing AppSec in DevOps and CI/CD and proposes solutions based on the experience of organizing the Hardening Project in Japan.
  • Shift left is important in integrating security early on in the development process
  • Development and security teams need to work together to maximize mutual understanding and cooperation
  • Risk profiling is important in designing effective security defenses
  • The Hardening Project in Japan is an eight-hour security competition that helps participants update their knowledge about incident response and improve their defenses
  • The competition involves dealing with technical failures, customer complaints, and public relations response
  • The Softening Day is a session where teams and attackers give presentations to share and summarize their activities and strategies
Authors: Marcin Szydłowski
2021-09-24

Abstract: Traditionally, Change Management is a very well-defined process. You can find hundreds of articles on the Internet explaining how each change should be properly requested, developed, tested and approved before being moved to the production environment. Obviously, each of these steps requires documentation and formal approval (sign-off) from the appropriate person. This process gave security engineers several chances to ensure that changes do not introduce any new vulnerabilities and that the infrastructure to which the application is deployed is hardened and patched.

Security around the Change Management process gets a little more complicated for agile software development and DevOps methodologies, where tens of small changes are introduced every day. Each of these small changes is automatically tested from various perspectives and, if everything goes as expected, it gets deployed to the environment of your choice without human intervention.

Without any manual review in place, change management and security controls rely heavily on the fact that:
  • humans cannot access sensitive environments in an uncontrolled manner
  • the application's and infrastructure's code is independently reviewed to avoid unauthorized changes and detect flaws
  • pre-approved and verified artifacts are used while building applications to decrease the risk of insecure dependencies or malicious artifacts
  • automated tests are performed by the pipeline to detect defects or security issues

It goes without saying that the ability to circumvent any of the above-mentioned controls may introduce unauthorized changes and security issues to the application.

This presentation will describe an often-ignored area of application security: the security of the development environment. The presenter will share some common misconfigurations of the build/deployment environment which can have a significant negative impact on source code integrity and, as an ultimate result, on the security of the application itself.
Authors: Gary Robinson
2021-09-24

tldr - powered by Generative AI

The presentation discusses the challenges of implementing DevSecOps and shifting left in organizations. It emphasizes the importance of planning and fitting security into the CI/CD process, as well as effective communication between security and development teams.
  • Challenge #1: Starting in the right way by planning the approach and understanding the aim of DevSecOps
  • Challenge #2: Fitting security into the CI/CD process and communicating effectively between security and development teams
  • Importance of understanding the long-term goals and considering the impact on future DevSecOps processes
  • Emphasis on efficiency and automation in DevSecOps
  • Advice to do research and look for other solutions to DevSecOps challenges