Video in TIB AV-Portal: CyberSecurity.bootcamp()

Formal Metadata

License: CC Attribution - NonCommercial - ShareAlike 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

CyberSecurity.bootcamp() [EuroPython 2017 - Talk - 2017-07-11 - Arengo] [Rimini, Italy]

Cyber-security is a critical part of all distributed applications. By understanding and implementing proper security measures, you guard your own resources against malicious attackers as well as provide a secure environment for all relevant parties. The purpose of the talk is to show starting points on how to improve security in Python applications by destroying a few servers during the presentation. It will provide the most important information and will cover:
- Threat modeling
- Common attack vectors on Python applications
- Why Python is not vulnerable to some kinds of attacks
- Why is eval so dangerous?
- Improving server deployment and security management
- Automated security testing
- Pentesting
- Who is a CISO and why is cyber-security awareness in the company so important nowadays

Basic knowledge of networking, Python and REST is advised.
Transcript

Good morning. I hope we are all enjoying EuroPython. Now let's talk a little bit about cyber security. Before we start I have 4 disclaimers. First of all, this is all my opinion; the following presents my opinion, and I'm not getting paid by any of the companies or open source projects for mentioning them. Third, I had to cut out some parts for DevOps from my speaking part, but they will still be in the presentation, in blue color, and you can ask me about them after the presentation. So I'll start with briefly describing myself, then I will talk a little bit about what cyber security is and why we should focus on it currently, and then we'll do together a threat modeling of an application, and I will finish with some more tips for where to start with cyber security. I have one request: please ask questions after the presentation. I will also appreciate feedback face-to-face or by e-mail after the presentation is over. So, my name
is [name], but you can also call me [name], it's fine. I'm from Poznan, Poland, which is a 2 and a half hour drive from Berlin, and at the end of it all a 50 hour drive from here. I work at a company where I'm a software engineer on a detection service, and I'm also leading a mentoring programme where we currently have up to 220 students, which is our achievement; we have been doing it for over 3 years now, and we won something from the EU this year, and probably I'll talk a little bit more about it in the lightning talks.
So let's start from the structure. What does cyber security mean? It means the policies and protocols to defend your resources and devices from attackers. Cyber security doesn't start at the application level, it starts at hardware: the policies and protocols for your employees, how to handle equipment, how to handle servers, who has access to the servers, and what can be brought into the company; for example, a policy that employees shouldn't bring their own pen drives, so there won't be, for example, a source code leak. Then we can go to hardware and the software architecture, so the services, which we will focus on in this talk. OK, cyber security
is becoming more and more important. As you see, the number of leaks and attacks is growing exponentially. The biggest leak happened this year, and it was over 1.3 billion user records; it's more than in most of the years beforehand. And who remembers this screen from just 2 weeks ago? The attack laid waste to so many companies across the globe in just one day, and some companies are still recovering from it. There are two very well-known, publicly known recovery cases, like the ones at the companies shown here, and this one is a really nice example of a well-executed recovery, during which in less than 24 hours the company changed the server architecture from Windows to Linux. So it sounds very good, but we assume they were prepared for something like this happening.
This graph shows the number of attacks per day from our public honeypot network, which I am developing with my team; it's up to 16 million attacks per day so far. Who knows what a honeypot is? Quite a few. For the rest I will explain: a honeypot is a server that is a trap for attackers; it should be easy to access, and we can monitor and look at the actions of the attacker, but it won't affect our server architecture, as it is a separate server. It traps on services like SSH, FTP, HTTP and such, and it was written by our team. This is the data we are also gathering: the usernames and passwords. I'm amazed how many of these are default credentials. We assume nobody is trying to log in over SSH using root/root, but because of the intensity of the scanning with those default credentials, we assume that some people don't change them, so they are still using the default credentials for some services like Raspberry Pi, which is quite high, in 5th place.
So currently we established that cyber security is important. Paraphrasing this nice comic: it's important that we start incorporating cyber security at the beginning of the project, not after we detect a problem. OK, one of the basic things
that we should start doing when we approach security is threat modeling. It's an approach for analyzing the security of an application or system; it should be structured, and it should identify, quantify and address the security risks associated with the target of the model. Now let's imagine we're Batman. Everybody knows about Batman? Who doesn't know about Batman? Anyway, we have Batman's assets: we have our base of operations, we have Alfred, our butler, who does everything for us, and we have information in the form of e-mails and texts. Now we have threats; we have three of interest, which are the police, our archenemy the Joker, and the press. Let's quantify and address them. Alfred is irreplaceable, he is a human being, and he also has access to all of our systems and assets, so he will be our highest priority when quantifying the risk. Then we have the base, but we can rebuild it, it's just equipment. And that leaves me with the information, so e-mails and text messages, that can show where we are going and what we are doing. Honestly, we can mitigate the press and the Joker and the police, because we can handle them. Lastly, let's try mitigating those issues. We can obscure Alfred's location and his identity, which is really hard to do. The base is a much simpler task, because there are security systems, traps, misleading bases of operations; we have a ton of possibilities to handle the problems concerning the base. And for the e-mails and messages we can start encrypting them, which is the basic approach, and obviously we should be cautious when typing something that may be delicate for us.
Now we will start working on our application that we will try to make secure. As in the Batman example, we'll start from identifying our assets, for example the users; the next step will be identifying our interactions with third-party software and other parts of our services. Then, and this is one of the most important things, the ACL, so access control list: who can do exactly what. Just by specifying this and using those ACLs during the whole application development you can defend yourself against many other things. If you have already started developing your application and you have a proper architecture, you may use your data flow diagrams or application models as a base for the decomposition of the application. Then we have tests and integration; those are also useful for this. There are a few frameworks like
STRIDE or others. Those frameworks should give us, or should include, auditing and logging. Just to be on the same page: auditing is who did what and possibly why, and logging is what's happening; those are two different things that we should distinguish, and probably keep the data in different services afterwards. Then we have authentication and authorization, and again, to be on the same page, because it's also often confused: authentication is asserting that the person who claims to be someone is that person, and authorization is the process of determining who is allowed to do what. Then configuration management: where do we store the configuration and who has access to it. Then data storage and data in transit: are we certain that our storage is secure, and is the data in transit also protected, for example if we use TLS. And lastly error and exception handling: what we should do when an exception occurs.
Now we need to measure the severity of the threats we may encounter. We can do it by ourselves, using our own mind and our own guidelines for what is the most important, but we can also use CVSS, the Common Vulnerability Scoring System. It takes a few factors like attack vector, attack complexity, privileges required, user interaction, scope, confidentiality, integrity and availability, and it can give us a reference point. But it is, for example, hard to measure how complex an attack will be; usually we don't know that, so it's good to score with both values and take the average, or use a range for comparisons. And we need to remember that this score is just a tool to help, not an oracle telling you what you should do. As mentioned before, use cases, misuse cases and abuse cases, especially abuse cases, will greatly help us in deciding what we should do and where we should stop in our model.
Next we need to address the issue at hand. We have 4 ways to do that. The first one is to completely remove it; that's the nicest way, but not always possible, because of the task at hand we may not be able to remove it at all. Then we may need to mitigate it, because for example it's too expensive to remove, or for many different reasons. The third option is we can accept the issue and address it later, for example if there is an issue with a directory with some random names of our users' cat pictures: we don't really care if you get the picture, and probably our users don't care also, and you need to type some random gibberish just to get the picture, so there's much more work on the attacker's side than there is to gain. And the fourth option is to pretend there's no issue. I don't recommend that; for example, if our user passwords are stored badly and we don't do anything about it, we are just asking to be hacked. So let's start making a threat model of our simple imaginary application in PHP. As everyone knows, PHP is a very secure and popular language, probably as secure as it was a few years ago. It was maybe not the best choice for the Internet, but it was definitely the best option for the Internet as you
So of course we will not be using PHP, because this should stand only for Python. So we have an application using Django for the backend, PostgreSQL as the database, and AngularJS for the frontend. We will have our endpoints for serving the HTML, and we will also have the database running on a dedicated host, with some tables, one used for the blog posts and one for the users. So how can we attack it? There are possibly many possibilities that we should think of; every developer and every user may find some weaknesses, but probably someone did that for us already, and of course there is a huge resource called the Open Web Application Security Project, OWASP for short. It's good to remember this name because it will come up many times in this presentation. It is collaboratively developed by thousands of developers and thousands of users. It consists not only of examples of attacks and measures of their severity, but also includes the business-level communication, so also a project manager can understand it and tell upper management that we need to really do something about it. OWASP has not only
the attacks, but also collects information regarding tools, books, events and other interesting sites and projects. One thing that is very important about OWASP is that it publishes a list of the most commonly used attacks in the past years. The last one we're seeing here is from 2013, and the next one should come up this year, quite soon. So I will go briefly through all the attacks and explain some of them that are less obvious. Injection: who hasn't heard something about SQL injection? It is basically to inject your own SQL code into the query that is run by our API, for example DROP TABLE users. Then we have broken authentication and session management, and the issue here is that many applications don't store their users' credentials properly, so it is easy to hijack a user. Cross-site scripting: this one is really fun, because the attacker gets to run a script in other users' browsers, so it will not affect us directly, but it may make our other users do something similar or send their credentials to the attacker's server. Insecure direct object reference: who doesn't understand this one? There are a few; it's fine, not so many people understand that, and we just move on. Security misconfiguration is obvious. Sensitive data exposure: if we are exposing something more than we want to. Missing function level access control, ACLs: I will talk about it a bit more later. Cross-site request forgery: so close to Django. OK, so I think everyone using Django should remember that when you're designing your forms you are putting a CSRF token at the beginning of the form; if someone did not include that in the templates, that's right, it's wonderful, because it minimizes the chances of your form being abused, and it is very good. But if you're not doing that, you should start doing that. It's just one line of code in the Django template, and it will save you from a lot of struggle. Using components with known vulnerabilities: this one is obvious. Unvalidated redirects and forwards: this is the last one. If you want to play with any of these vulnerabilities by yourself, there are two projects, the [unclear] project and the OWASP Broken Web Applications project, that allow you to run an image of an application that has all these vulnerabilities; there is even a scoring and a test, and you can choose the level of how hard the vulnerability should be to notice. Those applications are obviously written in PHP, so that's why the series is a bit more prominent there, and I will talk about that soon. Now, for our AngularJS frontend there may be an injection coming there, but we should validate the input on the backend, so injection won't happen on our frontend. Broken authentication and session management may happen in JavaScript too. Cross-site scripting definitely may happen, and it often happens on the JavaScript part, and it can often happen on the backend part, because it's not exposed; the first of them is more obvious. I will move forward to the summary: AngularJS mitigates most of them by itself out of the box, and even handles some of them completely, so as long as our developers don't do anything really stupid we are fine when using basic AngularJS. But it's important, when we are extending it with external libraries, that we review the code, and I will also mention that later. So something similar applies to the web framework we are using, Django. So what can go wrong there? Of course there can be some Python code injection, but not really,
unless you're using eval or exec or pickle. Pickle takes quite a lot of space here, because even in the documentation it is explicitly said not to unpickle user input; exec and eval are also not that good an idea. So quite often the problem usually exists between the chair and the keyboard, so the developer: it is in your hands to make your application secure. At a high level, not many people wonder why would I like to use exec or eval; well, that is one thing that I will get to. There is a beautiful explanation of why pickle is so fragile in terms of security, and there was a report in 2011 that you could exploit it easily. This is a very good example of how pickle can be exploited; if you're more interested in this part, there is a link. Let me minimize my window. OK, now on to eval and exec. You can see the two pieces of code, and both do the same thing. The first one is just simple code; the second one is compiled and executed code. As you can see, it is 30 or even 40 times faster when executing the compiled code than normally running the code: 40 times faster on Python 3, and so on for 3.5. This is a huge difference, and code execution can be used, but it can also be abused, so we have an issue here but we also have advantages. So we can use exec and eval in our code, but we just need to do it carefully. And for the eval example, as you can see, implementing it with data streams and even a simple equation evaluator with more than ten lines of code can be this simple: just take the equation and give you the result of the equation. So it's much easier, and eval can handle much more complicated equations, but the pitfalls are there.
So we have SQL injections, and they should not happen when you're developing the application in Python, unless you are implementing SQL yourself. The Django ORM and SQLAlchemy are quite secure with their ORMs; additionally, we didn't find any way of exploitation by ourselves, and I dare all of you to exploit them. But in this orange box there is another option: Python injection in a SQL injection. It's possible and it's doable, and many people don't know about that, and many do use pickle as object storage in PostgreSQL or other SQL databases. When you are using SQL databases and store pickle, then a user can input their Python code, for example this one nice line there, which will delete all things on your machine when it's run. Just for doing that we can post an object, and then the first attempt to read the post will execute it. It's hard to mitigate this problem; you can avoid part of the issue by not using pickle and using JSON for storing the information that will be needed for the class later on. If someone would like to store a class, for storing dicts and lists, just use JSON purely. We can also try mitigating it by validating the pickle for injection, but usually it's hard, because this code you can turn into base64 and then import base64 and do the base64 decoding, so it's hard. Below is a simple SQL injection that will drop the users table; most people use the users table name, and if not they can also run other things, and occasionally it will tell them an error that reveals something, just by adding the apostrophe at the beginning.
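Two of the mitigations just mentioned, storing plain data as JSON instead of pickle and refusing to load pickle blobs that reference arbitrary globals, as an added example that is not code from the talk. It uses a constructed in-memory SQLite table with three metadata rows (JSON, a benign legacy pickle, and a base64-encoded pickle that references os.system); the RestrictedUnpickler pattern follows the Python documentation's suggestion, and all function and class names here are my own.

```python
"""Loading a user-controlled metadata column without handing the database
remote code execution (added example, not from the talk).

A pickle blob in a column is executed, not parsed, when the application loads
it, so anyone who can write that column (for instance through SQL injection)
runs code in the application.  Two defences: keep plain data as JSON, and
load any legacy pickle through an unpickler that whitelists globals.
"""
import base64
import io
import json
import os
import pickle
import sqlite3

# Globals a legacy pickle blob may reference.  Anything else, in particular
# functions from os or subprocess or builtins like eval, is refused.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only whitelisted (module, name) globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(blob: bytes):
    """Unpickle a blob while refusing any non-whitelisted global."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_post_metadata(column_value: str):
    """Decode a metadata column value.

    The expected format is JSON.  A base64-encoded pickle (the legacy format,
    and the encoding the talk says is used to hide payloads) is accepted only
    through the restricted unpickler.
    """
    try:
        return json.loads(column_value)
    except ValueError:
        blob = base64.b64decode(column_value, validate=True)
        return restricted_loads(blob)


def demo():
    """Constructed table: one JSON row, one benign pickle, one hostile pickle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, metadata TEXT)")
    rows = [
        (1, json.dumps({"tags": ["python", "security"], "views": 3})),
        (2, base64.b64encode(pickle.dumps({"tags": ["legacy"], "views": 7})).decode()),
        # Pickling a function stores only a reference (module + name).  A plain
        # pickle.loads would resolve it to os.system, which is exactly the
        # capability a hostile blob needs; the restricted loader refuses it.
        (3, base64.b64encode(pickle.dumps(os.system)).decode()),
    ]
    conn.executemany("INSERT INTO posts VALUES (?, ?)", rows)

    results = {}
    for post_id, metadata in conn.execute("SELECT id, metadata FROM posts ORDER BY id"):
        try:
            results[post_id] = load_post_metadata(metadata)
        except pickle.UnpicklingError as exc:
            results[post_id] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for post_id, value in demo().items():
        print(post_id, value)
```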
So as you can see, Python has more vulnerabilities than the frontend, but most of them are already mitigated out of the box by Python itself. And as I told you before, most of the main issues are with the developer, so it's on your side, and it's important that you care for careful development and proper means. I will tell you now how we can do that. The first thing is, when choosing a library, try to choose the more common one, because it has already been used by more users, and if you're not using a common Python library, you should go through the code yourself and see if the data is not being sent on each post, for example to the KGB or somewhere else. Outdated libraries can also lead to some issues, for example Ubuntu 14.04, which already has a newer release available, but this version has a known bug in the SSL configuration that can be exploited, so just updating will save you from that. Those are the summaries for the DevOps. And next, updating: PostgreSQL has much less attack vectors, but they are still being found quite often. So let's go back to our application. We have our users: everyone can access our blog posts and read them, a registered user can additionally write to the blog, and admins can manage the users and the posts. So when we are
decomposing the application, in this table we can see what each user can do, from the ACL as I said before. Now we need to project the ACL onto the interactions with the database. Looking only at login it's quite obvious; logout doesn't even need to access the database, and so on. For the rest of the actions, so the API actions, we have GET, POST, PUT, DELETE, and someone may need to use PATCH; I will focus on these. So for the posts, GET is sufficient for all users for reading them, and we can extend that so that only POST is restricted for anonymous users. A logged-in user shouldn't be able to log in again to your application, and logout should be also only available for logged-in users or admins. For the rest, it will depend on how the structure of the application looks and what our company policies are. OK, so we finished our
decomposition of the application; we have everything we need. We can now go on to determining and ranking the threats. So what is the most valued part of our business? It will depend on our own business approach. It may be the information, so the blog posts; the users and their credentials, so usernames and their passwords; depending on our business model it may vary. And how can they be targeted? Someone gets admin access, so he can do anything in our application and export the data of the whole application, etc. Someone gets a user's credentials, because passwords from other users can possibly give access to the admins, which can be also some other vector. The next one: those are the servers, server ownership, so on the infrastructure level. Our application source code can also be a part of an attack: when someone gets access to our version control system he can place some malicious code, and if we don't have a proper review it will pass through quite easily; even if we have a proper review, he may still approve it by himself, because he owns the version control system. And even if he gains only read access, it will be much easier for him to find a vulnerability in our source code than without knowing the source code itself. OK then, as mentioned in the beginning, depending on the business approach we may have different threats and different priorities. For example, where users' credentials are the most important, it may be much more important than the source code base, because usually we can recover when someone deletes the code base; it's crucial to have a backup, but if we lose our usernames and passwords or more of these parts, we will not have them anymore, they will all go away. So, risk mitigation: one of the basic things we can do is two-factor authentication for the users, the admins and the boxes,
and also we can try limiting which IP addresses can access the admin panel at all, and that is a good approach if your application is microservices, so you can move the whole admin panel to another microservice. It's also a good policy [unclear]; we can limit [unclear], which may not be convenient for our users, and use shorter sessions, and I think captcha usage is also a nice idea; [unclear]. Part of the mitigation should be done already on the unit test level: when you're making unit tests don't focus only on happy paths, do the error paths also, so all exception handling and raising of exceptions should also be covered on the unit level, and that will mitigate some of the security issues. [unclear remark about SSH and the server side.] OK, now tooling for automation. For Python quite a lot is dedicated to the library called bandit; it analyzes our code using the abstract syntax tree, it can be easily integrated with Jenkins, and it will find the most common vulnerabilities in our application, like exec and eval, which will be highlighted. It looks similar to flake8 or pylint: you will get a nice report after running it against the application. Then we have SonarQube; this is a much bigger project that supports over 20 languages like Java, JavaScript, HTML and [unclear], and it has a dedicated thing called security gates that will allow you to not pass the code if a vulnerability has been found in it. The other common point about SonarQube is that it's all in one tool; it's free, you can host it yourself or you can buy it as a service. Next we have automatic scanning tools: we have something called ZAP, created by the OWASP project; it's free, it has [unclear].
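As an added illustration of the kind of check the bandit passage above describes (constructed example code, not bandit's own implementation and not code from the talk), the following walks a module's abstract syntax tree and reports eval/exec calls and a subprocess call with shell=True. The sample module it scans is constructed for this example; the rule names and severities are this example's own, not bandit's:

```python
"""Bandit-style static check over a Python module's AST.

Added example for this transcript (not bandit's own code): walks the
abstract syntax tree the way the talk describes and flags the patterns
that typically show up in such a report: calls to eval/exec, and a
subprocess call with shell=True. The sample module below is constructed.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    severity: str
    message: str


# Callees that turn a string into code.
CODE_EXEC_CALLS = {"eval", "exec", "builtins.eval", "builtins.exec"}
# subprocess entry points where shell=True hands the string to /bin/sh.
SUBPROCESS_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}


def _callee_name(call: ast.Call) -> str:
    """Dotted name of the called object, e.g. 'eval' or 'subprocess.run'."""
    node = call.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""  # lambda(...)(), obj[idx](), etc.: not resolvable by name


def _is_str_literal(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell"
        and isinstance(kw.value, ast.Constant)
        and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str, filename: str = "<module>") -> list[Finding]:
    """Return findings sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in CODE_EXEC_CALLS:
            # A literal argument is still worth a look, but a computed
            # argument is how user input ends up executed.
            literal = bool(node.args) and _is_str_literal(node.args[0])
            findings.append(Finding(
                node.lineno, "code-exec",
                "low" if literal else "high",
                f"{name}() on a {'literal' if literal else 'computed'} string",
            ))
        elif name in SUBPROCESS_CALLS and _shell_true(node):
            findings.append(Finding(
                node.lineno, "shell-true", "high",
                f"{name}() with shell=True; pass an argument list instead",
            ))
    return sorted(findings, key=lambda f: f.line)


def format_report(findings: list[Finding]) -> list[str]:
    """One report line per finding, in the flake8/pylint style."""
    return [f"{f.line}: [{f.severity}] {f.rule}: {f.message}" for f in findings]


# Constructed sample module, not from any real project.
SAMPLE_MODULE = '''
import subprocess

def calc(expr):
    return eval(expr)            # user input goes straight into eval

def ping(host):
    return subprocess.run("ping -c1 " + host, shell=True)

def safe_ping(host):
    return subprocess.run(["ping", "-c1", host])

CONST = eval("1 + 1")            # literal: low severity, still reported
'''

if __name__ == "__main__":
    for line in format_report(scan_source(SAMPLE_MODULE)):
        print(line)
```

A check of this kind is a filter for review, not proof of absence: it matches callee names, so an alias such as `e = eval` or a lookup through `getattr` slips past it, which is one reason the talk pairs static analysis with the dynamic scanners that follow.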
It crawls the whole application; just the first run on the most common issues will probably reveal some security bugs. Then there is Burp, a more commercial alternative; it doesn't have [unclear] from the point of [unclear], so it should be coming up soon. Both of them are web scanners, so they will crawl your site and try to execute common attack methods and patterns. And then we have the well-known Metasploit, which is more infrastructure-based and system-based; it's an attack framework
and has grown [unclear]; so in our project that could be [unclear]. And lastly we have scapy, which is a packet library that allows us to prepare any kind of TCP or ICMP packets, and also UDP packets, with any payload. Lastly there are commercial solutions and third-party services like Qualys, [unclear], which is one of the most popular in security; an advantage of many such services is that you will receive a report that should not contain any false positives from the scanners, because scanners usually bring you some false positives. OK, I need to go fast. Why do we need pen-testing, and what is pen-testing? It's an attack on our applications or our infrastructure; we should look at pen-testing for removing all the security weaknesses and also for compliance, for example PCI compliance. What's the target of a pen-test? Usually the attacker attacking the application has two goals: obtain interesting information or elevate his access. In the best-case scenario it should be done by a third party, and we should also use the tools I mentioned before; it should also be done when we end our development cycle or when we have a new feature that may be vulnerable or affect other parts of the application. But of course a pentester, quite obviously, is a person who performs the pentest; you can also call them security consultants or white hats. Remember not to call them crackers or black hats, which basically means criminal, because they will be offended, and you don't want to have [unclear] on your team, really you don't want that. Also there's something called a red team; that's more expensive than normal pen-testing because it starts on the physical security
level: usually you have a budget for the physical damages like destroyed locks or broken windows, and it also covers planting bugs. One important thing is that when a red team drill goes undetected, that means you have really big issues; I'm not talking about when he achieves his goals, for example [unclear] and records your conversation with your boss, [unclear]. So there are three major approaches to pen-testing. White box: our consultant has access to everything, including our production servers' configuration, the documentation, the source code. Then we have grey box: we limit his access to our infrastructure, but he has access to the application, possibly a moderate [number of accounts] as a user, and just access to the documentation and our source code, and that becomes more targeted because he can find weaknesses in our source code and try to exploit them. And then there's black box: the attacker does not know anything about the application except what is available on the internet; he doesn't have access to the source code, but he may obtain it during the test, [unclear]. Then the last thing, which is becoming more and more popular: CISO, which is [unclear], chief information security officer, and that's responsible for many things like incident response, risk management, information regulatory compliance, so for example PCI, the data protection act or GIODO in Poland, and also for IT security and security awareness in the company. The last one is currently very important because of phishing attacks that may happen even to our non-technical staff, and if we get infected [unclear]. There are four [scenarios]: being infected by [unclear], and being attacked by a very well-known vulnerability; both of them are [bad] for a company, you will be
mentioned on the internet in very not nice ways, and the security people should probably reconsider their career choices. Then, being affected by a quite new vulnerability: it may happen, we didn't patch our system, so we need to improve our protocols. And lastly, we're attacked by an unknown vulnerability, a so-called zero-day, which is also proof that our security got to the point where the attacker needed to use something new. Two important things: not seeing the destructive part of an attack doesn't mean that we're not being attacked or not being owned for longer periods of time, because the target of the attack may be just to acquire some information; and lastly, I've got a report that said it takes 200 days on average for a company to notice an attack; imagine what can happen in 100 days with your infrastructure being controlled by a malicious user.
So the world is changing: a few years ago it was commonly advised, for example, to move SSH to a high port; now we have masscan, so there's no point in moving it, and actually it may mess up your firewall if you move a protocol to a different port number than it should be. As mentioned, now we are [unclear]. And this
is a curated list of interesting readings that may help you in getting into security; some of them were mentioned. If something was not mentioned, [unclear] or on the OWASP project site. Lastly, [unclear]: there is a great talk about passwords and why we should not use them anymore; I hope I will see it again on YouTube; it was done [unclear] yesterday in the morning,
and it will be [unclear] talk and you will learn something. I don't know how [much time] [unclear]; I will gladly answer questions.

[Audience question] If you ask a pen-tester to test a system using the three ways, which one? Because I mean white box, you just give everything, and black box, you're not giving anything; what would you suggest, if you have a system and you want a pentest, which of these approaches would you take?

[Answer] Honestly, it depends on your budget and your ability to sustain your service during the pentest; black box testing is quite demanding because it's done on the production system, so unless you can scale up to handle the black box testing, maybe grey box will be more [appropriate], and if not, white box. Also all the tests should give different results, so when you are having, for example, periodic pen-testing, it's wise to change the methods so we will get a different outcome. Thank you.