Conference:  Defcon 31
Authors: Thomas Chauchefoin Vulnerability Researcher @ Sonar, Paul Gerste Vulnerability Researcher @ Sonar
2023-08-01

Developers are threat actors' targets of choice because of their access to business-critical services. After compromising a single developer, they could push code changes or obtain sensitive information. For instance, a recent campaign attributed to North Korea set up social network profiles to social engineer and infect prominent figures of the developer community with malicious Visual Studio projects and browser exploits. At the same time, modern development tools offer increasingly advanced features and deep integration with ecosystems, sometimes at the cost of basic security measures. Code editors tried to counterbalance this by introducing new lines of defense (e.g., "Workspace Trust"), leading to a cat-and-mouse game to restrict access while keeping most features available by default. In this talk, we present the state of the art of Visual Studio Code's security. We go in-depth into its attack surface, how its extensions work, and the technical details of two vulnerabilities we found in Visual Studio Code. These findings, CVE-2021-43891 and CVE-2022-30129, led to a $30.000 bounty with an unexpected twist. We also present 1-days discovered by other researchers to develop the audience's intuition. These concepts apply to most IDEs on the market, so everybody will now think twice before opening third-party code!
Authors: Eve Ben Ezra
2023-04-20

tldr - powered by Generative AI

The presentation discusses the importance of continuous feedback and policies in DevOps and cybersecurity using openconf test and Rego.
  • Continuous feedback is crucial in the development life cycle to ensure compliance and prevent drift from the declarative state.
  • Policies should be easy to access and start giving feedback early and continuously.
  • Openconf test and Rego can be used to write policies and enforce compliance.
  • An example policy is prohibiting the use of latest tags for container images in non-dev environments.
  • An anecdote is given about the difficulty of convincing developers to onboard a shared cluster if the process is too complicated.
Authors: Altaz Valani
2022-11-17

tldr - powered by Generative AI

The importance of threat modeling in cybersecurity and the need for developers to prioritize security in their projects
  • Developers often prioritize functional aspects over security in their projects, but security should be given equal importance
  • Threat modeling is a continuous learning experience that requires effort and investment
  • Developers should use the threat modeling approach to understand potential risks and prevent attacks
  • Experience is fundamental in threat modeling and developers should apply it to real-life scenarios
  • Investing in security allows for the reduction of potential losses as a result of a compromise of the solution
Authors: Mohan Atreya
2022-10-24

tldr - powered by Generative AI

The presentation discusses the challenges of managing RBACs and access control in Kubernetes at scale and introduces an open-source project called Periscope to automate the process.
  • Managing RBACs and access control in Kubernetes at scale is a challenge for organizations with hundreds of clusters and developers.
  • Manual management of RBACs is impractical and requires automation to ensure the right people have access to the right things.
  • Periscope is an open-source project that automates RBAC management and access control in Kubernetes.
  • Periscope allows for secure access to clusters behind a firewall and dynamically injects RBACs just in time.
  • Periscope also provides strong authentication for all user access and allows for governance and compliance by tracking commands run against clusters.
Authors: David Wheeler, Brian Behlendorf, Trey Herr, Amelie Koran
2022-06-22

tldr - powered by Generative AI

The panel discussion summarizes the OpenSSF summit held in May 2022, which aimed to develop a mobilization plan for securing the open source ecosystem. The discussion focuses on the attitudes and progress of open source software security in the federal government and the input of developers and maintainers to the OpenSSF summit and mobilization plan.
  • The panelists introduce themselves and their backgrounds in technology and policy.
  • The Cyber Statecraft Initiative at the Atlantic Council has been working on software supply chain issues since 2019 and is collaborating with OpenSSF to bring more policy attention to open source security.
  • The OpenSSF mobilization plan includes ten work streams that prioritize different areas of open source security.
  • The panelists discuss the importance of prioritization and government demand signals in the mobilization plan.
  • The panelists also emphasize the need for more community engagement and volunteer contributions to the work streams.
  • The panelists reflect on the historical context of open source security and the usefulness of an SBOM (software bill of materials) in incident response.
Authors: Naveen Srinivasan, Laurent Simon
2022-06-21

tldr - powered by Generative AI

Scorecard is a tool that helps users assess the security of their open source projects and dependencies on GitHub.
  • Scorecard checks for good practices, authentication, and over-privileged CI runs.
  • Scorecard flags empty patterns and warns about secrets in pull requests.
  • Scorecard can be installed as a GitHub action for projects and dependencies.
  • Scorecard alerts users to potential risks, such as unmaintained dependencies.
  • Scorecard is configurable and can be used to enforce policies at scale.
  • Scorecard plans to add support for more languages and improve configurability.
Authors: Ben Hale
2022-05-19

tldr - powered by Generative AI

The talk focuses on the core values of a great developer experience on Kubernetes based on the speaker's multi-decade career building application development tools and working with one of today’s most thriving open source developer communities, Spring. The speaker emphasizes the need for PlatformOps teams to build, run, and manage platforms that lead with developer experience.
  • Reduce complexity without sacrificing flexibility
  • Shift outcomes left without shifting the burden left
  • Ensure consistency and security without giving up agility
Authors: Daniel Bryant
2022-05-18

tldr - powered by Generative AI

The presentation discusses the importance of treating platforms as products and focusing on the developer experience. It emphasizes the need for a developer-led control plane and the use of standards and automation to remove friction.
  • Treating platforms as products is crucial for providing a good developer experience
  • Good user experience is necessary for good developer experience
  • Focus on workflows and tooling interop
  • Invest in a developer-led control plane
  • Use standards and automation to remove friction
Authors: Tushar Kulkarni
2021-09-24

Abstract: We have seen developers move from a traditional 2-tier application architecture to a 3-tier architecture in which an API talks to front-end and back-end services. The API used or developed might ease the development process, but many vulnerabilities can arise if it is not developed or configured properly. vAPI is a Vulnerable API in a lab-like environment that mimics the scenarios from the OWASP API Top 10 and helps the user understand and exploit the vulnerabilities listed in the OWASP API Top 10 2019. It might be useful for developers as well as penetration testers to understand the types of vulnerabilities found in APIs. The lab is divided into 10 exercises that sequentially demonstrate the vulnerabilities and give a flag when exploited successfully.