Conference:  Black Hat Asia 2023
Authors: Guangdong Bai, Qing Zhang, Guangshuai Xia
2023-05-11

In recent years, most countries and territories have put in place strict regulations for user privacy protection. Checking and monitoring the privacy policy compliance of mobile applications thus has become essential for users, app developers and device manufacturers. Nonetheless, this is a challenging task, as modern mobile operating systems like Android contain multiple channels through which third-party apps can obtain sensitive information. Besides the official APIs that are regulated by its permission system, the apps can exploit other channels such as native calls, Java reflection, Binder services, WebView and even vulnerabilities. Existing techniques based on static and dynamic analysis often fail to cover all possible channels. Network traffic analysis is also ineffective when the sensitive data are sent over after encryption. In this session, we will address this challenging task using a low-level detection method. Our work is inspired by the fact that almost all sensitive information is encoded into a String before it is passed to the application level. We thus hook the String constructor at the native level, where our approach is able to monitor and check all strings constructed on the mobile device. This strategy seems straightforward yet comprehensive, as any string that is constructed from sensitive information can be monitored regardless of the method malicious apps used to obtain it. We implement this approach in a tool and use it to analyze pre-installed apps on some Android devices. Our tool finds that many of them collect user information in many scenarios, such as clipboard and Wi-Fi information. Some apps even use previously unknown channels to obtain sensitive user information. Our investigation finds that these channels are caused by OEM manufacturers' improper control over the permissions of their customized APIs. We have submitted these issues to relevant manufacturers, who have acknowledged our findings.
Authors: Brad Geesaman, Ian Coldwater, Rory McCune, Duffie Cooley
2023-04-21

tldr - powered by Generative AI

The presentation discusses the potential vulnerabilities and limitations of image scanning and SBOM generation tools in DevOps and cybersecurity, and suggests ways to improve their effectiveness and prevent malicious attacks.
  • Image scanning and SBOM generation tools are sensitive to changes in metadata and the quality of the steps involved in building images, and inconsistent results can cause problems for organizations
  • Malicious actors can manipulate the results of these tools, causing downstream effects and potentially compromising security
  • To prevent attacks, tool makers should adopt a more adversarial approach and provide a more restrictive mode with detection coverage as the focus
  • Users of these tools should check for unusual behavior, validate inputs and processes, and consider their threat model when making policy decisions
  • Teams should work together to achieve larger goals and reduce toil
Authors: Krishna Rajeesh Nallur Valiyaveettil, Brendan Kelly
2023-04-19

tldr - powered by Generative AI

The presentation discusses the risks and challenges in the software supply chain and how to combat them through a DevSecOps pipeline that includes continuous integration, continuous deployment, and continuous compliance.
  • The software supply chain is vulnerable to risks such as compromised source code management tools, build container platforms, and package repositories like container registries.
  • The DevSecOps pipeline aims to shift security left by finding security problems as soon as possible before they reach production environments.
  • The pipeline is defined as code and supports multiple development languages, consistent testing approaches, and shared pipeline templates.
  • The pipeline includes continuous compliance based on gold to ensure continuous security and compliance with regulations.
  • The pipeline also addresses auditing challenges through automated evidence gathering and a dashboard for viewing vulnerabilities.
  • The pipeline aims to detect new vulnerabilities and zero-day bugs as soon as possible.
Authors: Adam Berman
2023-02-16

The growth in security threats has overwhelmed organizations. All too frequently, security teams are forced to prioritize compliance-related checkboxes, as opposed to work that makes a real dent in their organization’s security. Since few teams can afford to simply expand their teams to keep up, they must take a new approach to evaluating and prioritizing threats. This talk presents a counterintuitive approach to strengthening security: one that ignores over 90% of security vulnerability alerts. Using specific examples, it illustrates how organizations can ignore alerts with high confidence, and how this enables a marked shift in security workflows and behavior, thus significantly improving security posture.
Authors: Ben Hirschberg
2023-02-16

tldr - powered by Generative AI

The presentation discusses the state of Kubernetes risk, compliance, and security vulnerabilities based on the analysis of telemetry data from Kubescape, an open source tool that has scanned over 10K+ unique Kubernetes clusters. The talk sheds light on the most common misconfigurations, known software vulnerabilities, and RBAC violations in Kubernetes deployments, and provides insights on why and where Kubernetes deployments most commonly fail and statistics on which controls fail most. The presentation also offers simple measures to work towards eliminating these risks and improving overall cloud native security posture.
  • Telemetry data from Kubescape reveals a high number of misconfigurations, unpatched vulnerabilities, and overly-privileged users in Kubernetes systems
  • The talk highlights the most common misconfigurations across Kubernetes deployments according to multiple frameworks, known software vulnerabilities, and RBAC violations at early stages of the CI/CD pipeline
  • The presentation provides insights on why and where Kubernetes deployments most commonly fail and statistics on which controls fail most
  • Simple measures are offered to work towards eliminating these risks and improving overall cloud native security posture
Authors: Alejandro Saucedo
2022-10-28

tldr - powered by Generative AI

The presentation discusses the need for collaboration and standardization in metadata operations for end-to-end data and machine learning platforms.
  • The goal is to achieve end-to-end interoperability at scale through collaboration and standardization.
  • Practitioners at every stage of the MLOps and DataOps lifecycle should collaborate to come up with standards.
  • The creation of bad standards is worse than having no standards at all.
  • Standardization should focus on interfaces, metrics, and operational considerations.
  • Tools like MLServer, Seldon Core, and Kubernetes can help abstract data science from operations.
Authors: Chip Zoller, Brandt Keller
2022-10-27

Getting an environment approved for production can be a painful process. Case in point: government and the Department of Defense (DoD), which require the strictest of controls be met; however, this is true for other highly regulated industries. Engineering and security teams must validate that the security controls are satisfied while continuing to audit, except these are often siloed teams. Reviewing these standards is still an archaic and painful process of managing a spreadsheet or checking text boxes. In this talk, we will share how the Department of Defense is solving this by ensuring compliance through policy in order to capitalize on the promise of DevSecOps. Using Big Bang, a tool for providing secure-by-default environments with pre-integrated tools, and Iron Bank, a DoD repository of signed and hardened application images, along with Kyverno, a Kubernetes-native policy engine, teams are able to get compliant faster and reach mission-ready status sooner.
Authors: Steve Wade
2022-10-25

tldr - powered by Generative AI

The presentation discusses the importance of asset inventory in Kubernetes clusters and highlights the need to stay updated with CVEs and API specifications. It also emphasizes the significance of networking and security in managed providers like EKS, GKE, and AKS.
  • Asset inventory is crucial in Kubernetes clusters to identify running applications and stay updated with CVEs and API specifications.
  • Managed providers like EKS, GKE, and AKS have limits and boundaries that need to be considered, especially in terms of networking and security.
  • Staying ahead of the curve of application developers is important for platform engineers responsible for Kubernetes clusters.
  • Links to official Kubernetes CVE streams are provided for reference.
Authors: Asaf Cohen
2022-10-25

tldr - powered by Generative AI

The presentation discusses best practices for managing policy in DevOps and cybersecurity, including decoupling policy from code, using GitOps for policy, and planning ahead for future demands.
  • Decoupling policy from code is important for flexibility and scalability
  • GitOps for policy allows for auditable and testable policy management
  • Planning ahead for future demands ensures that the system can grow without needing to be rewritten from scratch
Authors: Bill Bensing
2022-06-22

tldr - powered by Generative AI

The presentation discusses the implementation of modern governance and automated governance in software delivery capabilities. It highlights the importance of establishing open visibility within the organization to drive trust and reshape the socio-technical construct. The main thesis is to automate control gates and remove the cognitive load of understanding tools in depth to allow for a standard centralized understandable way for the organization.
  • The need for a next generation of software delivery capabilities beyond automation to autonomous and industrial scales
  • The concept of software factories to remind us of the importance of delivery
  • The importance of establishing open visibility within the organization to drive trust
  • The implementation of modern governance and automated governance in software delivery capabilities
  • The automation of control gates to remove the cognitive load of understanding tools in depth
  • The externalization of policy application from the tools themselves to other centralized systems