Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
QR Link:
Erez Yashar
Director of Product Management
© Fortinet Inc. All Rights Reserved.
Agenda
• Application Deployment Evolution
• Monolithic Vs. Microservices
• Pros and Cons
• Uber case study
• Into CI/CD pipeline
• Pros and Cons
• Application Security Challenges
• The Fortinet Way
Application Deployment Evolution
https://cd.foundation/blog/2020/03/27/comparing-monolithic-pipeline-to-microservice-pipeline/
Monolithic Vs Microservice Applications
https://medium.com/hengky-sanjaya-blog/monolith-vs-microservices-b3953650dfd
Microservices Computing
Pros:
• Fast Service Provision - easy to build and deploy
• Increased agility - each individual can build a module and deploy a module independently
• Scalability - since your services are separate, you can more easily scale the most needed ones
Cons:
• Complexity – microservices can add complexity to an application delivery workflow
• Security – dynamic changes may lead to security problems
• Performance – a microservice-based application may have to make multiple API calls to other microservices to load one UI screen
From Monolithic to Microservices - Uber
https://blog.dreamfactory.com/microservices-examples/
Here’s how Uber’s monolithic structure worked at the time:
• Passengers and drivers connected to Uber’s monolith through a REST API.
• There were three adapters – with embedded APIs for functions like billing, payment, and text messages.
• There was a MySQL database.
• All features were contained in the monolith.
Moving to the microservice architectural style:
• Assigned clear ownership of specific services to individual development teams, which boosted the speed, quality, and manageability of new development.
• Facilitated fast scaling by allowing teams to focus only on the services that needed to scale.
• Ability to update individual services without disrupting other services.
• Achieved more reliable fault tolerance.
Uber’s microservice architecture mid-2018
https://eng.uber.com/microservice-architecture/
Into CI/CD Pipeline
https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch
A CI/CD pipeline is a set of methods that enables developers to deliver code changes more frequently to customers through the use of automation.
Into CI/CD Pipeline - Pros & Cons
• Pros:
• Speed of deployment
• Faster testing and analysis
• Smaller code changes
• Better and faster fault isolation
• Automatic deploy to production
• Tons of open source tools available
• Cons:
• Devops skills must be learned
• Steep learning curve to implement automation
• Big upfront investment
• Legacy systems rarely support CI/CD
Application Security Challenges
Attacks on Web Applications Increasing
“43% of breaches (in 2020) were attacks on web applications, more than double the results from last year.”
Source: “2020 Data Breach Investigations Report: Official,”
Verizon Enterprise Solutions, https://enterprise.verizon.com/en-gb/resources/reports/dbir/
How often do your applications change?
Source: “2021 APPLICATION SECURITY REPORT”
Fortinet: https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/report-cybersecurity-insiders-application-security-fortinet.pdf
Web Applications are Evolving and Expanding
Constant design/application changes require constant validation to match your changes in design/applications
Applications are Extremely Dynamic
• How do you keep security policies up to date?
• How do you react to real-time events?
• Support a scalable solution to cope with performance growth
• How do the changes affect application availability and security?
Application Anywhere
• Availability is crucial for any organization
• The application MUST be accessible from anywhere
19
© Fortinet Inc. All Rights Reserved.
Web Application validation
DevSecOps teams need to validate every new deployment/New App version
• Fast release - less focus on security
• No full regression tests
• Auto testing (new libraries/services)
• Misconfiguration
• Vulnerable 3rd party dependencies
• Authentication validation
OWASP Top 10 - 2021
• Applications running in a serverless environment still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.
• OWASP Top 10 report:
• Examines the differences in attack vectors, security weaknesses, and the business impact of application attacks in the serverless world
• Suggests ways to prevent those attacks
The Fortinet Way
Fortinet Security Fabric
• Broad – visibility and protection of the entire digital attack surface to better manage risk
• Integrated – solution that reduces management complexity and shares threat intelligence
• Automated – self-healing networks with AI-driven security for fast and efficient operations
Fabric components: Security-Driven Networking, Zero Trust Access, Adaptive Cloud Security, FortiOS, FortiGuard Threat Intelligence, Open Ecosystem, Fabric Management Center (NOC, SOC)
Fortinet Application Security Solution
Diagram: SAP, Kubernetes Cluster and Web App connected through the Application Connector and Application Automation (Fabric Driven Application Services, Adaptive Cloud Security)
Application Connector:
• Web Application Firewall
• User Authentication
• SSL Services
• Cloud Connector
• Machine Learning
Application Automation:
• Autoscaling
• Auto Security
• Performance Boost
Key Benefits:
• Application Security & Availability
• Cloud Connector for visibility and dynamic changes
• Fabric Connector to multiple applications for automation and service scaling
• Multi Service solution - SLB, WAF, DDoS, ZTNA, GSLB, API Protection and more…
• Automation actions based on application events
• Business continuity (Application Anywhere)
Fortinet Application Security Suite
• FortiGate – Application Expansion / App/Net protection: lift and shift from DC; connect applications; protect resources, applications and data against application threats; simplify hybrid / multi-cloud deployments
• FortiWeb – Web Application Firewall: protecting organization-deployed web applications & APIs with Machine Learning
• FortiADC – Application delivery: improve application experience, security, and availability based on application events
• FortiCWP – Embeds security throughout the container lifecycle, builds the CI/CD pipeline, enhances compliance with security best practices and visibility into runtime container activities
• FortiPenTest – Penetration-testing-as-a-service tool based upon the OWASP Top 10 list of application vulnerabilities, which can be used to find issues before they’re exploited.
Fabric API / Extended Fabric Ecosystem / Automation Action
Open Fabric Ecosystem - Application Security
470+ Best-in-Class integrated solutions for comprehensive protection
Questions?
Application Security in Container
Nishant Rajput
$ whoami: Nishant Rajput, Senior Security Engineer @ Snowflake
Disclaimer : Presentation is intended for Education purpose only. Statements of fact and opinions expressed are my own. No affiliation to the related practices of current or past organizations
Agenda
• Containers over Virtual Machines
• Trouble Areas
- Trust Issues with Containers
• Mitigation - A Solvable Way
- Container Isolation
- Container Image Security
- Vulnerability Checks in Images
- Secrets & Network Security
• Docker Best Practices
Containers over Virtual Machines
Virtual Machines
• Compute Resource: advantage of software over physical hardware
• Platform-independent programming environment
Advantages:
• Multiple OS environments on a single physical server
• Integrated Disaster Recovery & Application Provisioning options
From an On-Prem Machine to VM Deployment
Firepower of Containers
• Compute Resource: works on OS virtualization
• Include only the binaries, libraries and other required dependencies, and the apps
• Containers on the same host share the same operating system kernel, making containers much smaller than virtual machines
• Boot faster, maximize server resources, and make delivering apps easier
Inner Loop of Development
Outer Loop Development
The Big Picture
Trust Issues with Containers
Issues with Containers: The Threat Model Way
• Vulnerable App Code
• Badly Configured Container Images
• Build Machine Attacks
• Supply Chain Attacks
• Badly Configured Containers
• Vulnerable Hosts
• Exposed Secrets
• Insecure Networking
Mitigation: A Solvable Way
Container Isolation
Docker Kernel Namespaces
• Docker makes use of kernel namespaces to provide the isolated workspace called the container.
• On spinning up a container, Docker creates a set of namespaces for that container.
• Namespaces provide an extra layer of isolation.
• Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
• E.g.: Network namespace, Cgroup namespace, etc.
Container Image Security Measures
• Identifying Images - <Registry URL>/<Organization or user name>/<repository>@sha256:<digest>
• Image Integrity
• Build time Security –
- Dockerfile to Image formation
• Image Storage Security
- Running in own registry
- Signing Images
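An added example, not code from the talk: a parser for the image reference format shown on the slide that reports whether a reference is pinned by digest, which is what "use fixed tags for immutability" in the best-practices section ultimately requires. The Docker Hub defaults (docker.io, the library/ namespace for official images) follow the standard reference grammar; the reference strings in the comments are constructed samples.

```javascript
// Parse a container image reference into registry / repository / tag / digest
// following the grammar on the slide:
//   <Registry URL>/<Organization or user name>/<repository>@sha256:<digest>
// and report whether it is immutable, i.e. pinned by digest. A tag alone (even a
// "fixed" one such as nginx:1.21) can be re-pushed, so it is reported as mutable.
// Added example; not code from the talk or any project it mentions.

const DIGEST_RE = /^sha256:[0-9a-f]{64}$/;

function parseImageRef(ref) {
  let rest = ref.trim();
  let digest = null;
  let tag = null;

  // "@sha256:<hex>" is always the last component; anything else after "@" is invalid.
  const at = rest.indexOf("@");
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
    if (!DIGEST_RE.test(digest)) {
      throw new Error(`malformed digest in ${ref}`);
    }
  }

  // A ":" after the last "/" separates the tag; a ":" before it is a registry port
  // (e.g. localhost:5000/acme/web).
  const lastSlash = rest.lastIndexOf("/");
  const colon = rest.lastIndexOf(":");
  if (colon > lastSlash) {
    tag = rest.slice(colon + 1);
    rest = rest.slice(0, colon);
  }

  // The first path component is a registry only if it looks like a host name
  // (contains "." or ":" or is "localhost"); otherwise Docker Hub is implied.
  const parts = rest.split("/");
  let registry = "docker.io";
  if (
    parts.length > 1 &&
    (parts[0].includes(".") || parts[0].includes(":") || parts[0] === "localhost")
  ) {
    registry = parts.shift();
  }
  // Docker Hub official images (e.g. "nginx") live under the "library" namespace.
  if (registry === "docker.io" && parts.length === 1) {
    parts.unshift("library");
  }
  const repository = parts.join("/");
  if (!repository || parts.some((p) => p === "")) {
    throw new Error(`malformed repository in ${ref}`);
  }
  // No tag and no digest means the mutable default tag "latest".
  if (tag === null && digest === null) tag = "latest";

  return { registry, repository, tag, digest, pinned: digest !== null };
}

// CI admission helper: the references a digest-only policy would reject.
function unpinnedRefs(refs) {
  return refs.filter((r) => !parseImageRef(r).pinned);
}
```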
Vulnerability Checks in Images
Vulnerability Checks During Dev
• Application Level Vulnerabilities – Packages and Patches
• Out of Date Sources
• Won’t Fix Vulnerabilities
• Subpackages Vulnerabilities
• Zero-Days
Code Build Failure in AWS
Secrets & Network Security
Secrets Storage
• Storing the Secrets in the Container Image
• Passing over the network
• Passing the Secrets in Environment Variables
• Passing Secrets through files
Network Checks
• Container Firewalls
• Network Isolation
• Network Policy Best Practices
• Default Deny
• Default Deny Egress
• Restrict Pod to Pod Traffic
• Restrict Ports
Docker Best Practices
• Prefer Minimal Base Image
• Least Privilege
• Sign & Verify Images to mitigate MiTM attacks
• Find, Fix & Monitor for Open Source Vulnerabilities
• No Sensitive Info in Docker Images
• Use fixed tags for immutability
• Use scanning tools like Clair, Twistlock, etc.
• Securing the network
Wise Words of the Saints: Security Principles
• Least Privileges
• Defense in Depth
• Reduce Attack Surface
• Segregation of Duties
Thank You!
Questions?
Vulnerable VS Code extensions are now at your front door
Application Security Meetup 🌍
By Raul Onitza-Klugman, Security Researcher @ Snyk
Why VS Code?
• VS Code? Developers?
• Security testing – security is shifting left... to developers
• Notable examples
Raul Onitza-Klugman
● Security Researcher@ Snyk
● Studied Electrical Eng. + Physics
● Started as C/C++ embedded dev
● Love web, binary and growing vegetables
IDE: edit, build, debug
Most popular IDEs: https://pypl.github.io/IDE.html
Visual Studio Code
Extension marketplace: https://marketplace.visualstudio.com/
Industry Adoption: used by more than 4k companies worldwide
One of the most popular code editors: ~14M active users (out of 24M worldwide)
Editor Extensions – turn this into this! (out-of-the-box features → add langs, debuggers, parsers...)
Extension Basics
Essentially : Extension = NPM + VS Code Extension API
1. Javascript/Typescript and package.json manifest
2. https://code.visualstudio.com/api
3. Packaged in *.vsix file - Zip archive
4. Most of them are open-source (and on Github)!
Let’s see some examples, shall we?
Instant Markdown
127,538 installs
Securing and automating your application infrastructure meetup 23112021 b
Path Traversal
GET http://localhost:8888/index.html → /Users/kirill/server/public-html/index.html
GET http://localhost:8888/?/../../../../../etc/passwd → /Users/kirill/server/public-html/?/../../../../../etc/passwd → /etc/passwd
Path vs. query parameters:
• http://localhost:8888/../../../../etc/passwd – traversal in the path; the browser normalizes the ../ segments out of the path before the request is sent
• http://localhost:8888/?/../../../../etc/passwd – traversal in the query string, which the browser does not normalize; the server joins the whole request target onto its document root
Why should I care about a local web server?!
VS Code → Instant Markdown extension → preview HTTP server ← Chrome (Markdown preview)
Path Traversal
Cross-Site Request 🔥
Browser: http://evil.com → GET → http://localhost:8888/ (Markdown preview)
How to bypass CORS?
Top 10 answers from Google: “you need XSS on the website you wanna hack”
XSS (cross-site scripting)
• http://evil.com → GET → http://localhost:8888/ ❌
• http://evil.com → http://localhost:8888/?xss=<payload> ✅ → GET/POST → http://localhost:8888/ ✅
1. Open http://evil.com
2. Download XSS payload (payload.html containing an <iframe>)
3. ❗XSS happens here❗ http://localhost:8888/?/../../../Downloads/payload.html – the <script>...</script> now runs on localhost (CORS disabled)
4. (same-origin) GET http://localhost:8888/?/../../../../../../etc/passwd
DEMO!
XSS + PATH TRAVERSAL
.ssh key
LaTeX Workshop
1,449,449 installs
LaTeX Workshop is an extension for Visual Studio Code, aiming to provide core features for LaTeX typesetting with Visual Studio Code.
Command Injection
VS Code → LaTeX Workshop extension → PDF preview HTTP + WebSocket server ← Chrome (PDF preview page, http://evil.com)
Handles a click on a URL in the PDF file
file:///System/Applications/Calculator.app/Contents/MacOS/Calculator
🤔
Ephemeral port bruteforce (about 16,000 ports)
1. Open http://evil.com – its <script>...</script> talks to localhost; WebSocket doesn’t come with CORS built-in
2. Bruteforce the port: Port #1, Port #2, ... Port #n
3. Execute OS command
DEMO! COMMAND INJECTION – execute commands
Why is this a big deal?!
Marketplace → installs (vulnerable) extension → 1 - Exploit → 2 - Obtain private data (ssh, .env, source code, configs) → 3 - Compromise THE ORG (persistence, supply chain)
Mitigations
Similar hygiene to 3rd-party packages:
1. Developer
○ Use only maintained and popular extensions
○ Don’t use extensions with unfixed security issues
2. Extension maintainer
○ Use security best practices when developing your extensions
○ Test your code with a vulnerability scanner
○ Fix disclosed vulnerabilities in a timely fashion
THANK YOU! 🤗
Questions?
Yair Shaya
Systems Engineer
NOC/SOC Challenges
• Do more with less
• Compliance reporting
• Manual operations
• Single pane visibility
• Deployment flexibility
• Integrate with existing tools
Fabric-Ready and Fabric
Connectors
Fabric-Ready Partner Program - objectives
• Increase Fortinet brand value via partnerships with industry-leading partner companies
• Demonstrates Openness of Security Fabric to analysts & industry
• Revenue generation – sell with, sell through partners
• Reduce sales timeline with pre-validated integrated solutions
• Updated partner list:
• https://www.fortinet.com/partners/partnerships/alliance-partners.html
Types of partner integrations
Fabric Connectors
• Fortinet develops specific code in our products
• Explicitly referenced in our GUI/CLI
• Mainly based on APIs
• Feature development made by FTNT
• Validation usually requires testing with the partner
Fabric-Ready (Fabric APIs)
• Partner-developed solutions to integrate with FTNT products
• Based on existing APIs and/or standard protocols (RADIUS, SYSLOG, SSH, etc.)
• (usually) no specific code development from the FTNT side
• FTNT tests the solution to assure it works as expected
Fabric-ready vs Fabric Connectors - examples
Fortinet Fabric Connectors:
• AWS – API
• Azure – API
• Cisco ACI – API
Fabric-ready Integrations:
• SPLUNK – SYSLOG
• Arista – APIs (standard FOS APIs)
Internal and Confidential – Do not distribute
External Fabric Connectors
Connectors to partner products and solutions
External Fabric Connectors - types
Fabric Connector Type – Description
• Public SDN – Integration with multi-cloud platforms (PaaS, IaaS) for dynamic policy objects
• Private SDN – Integration with SDN platforms (private, public) for dynamic policy objects
• IaaS Visibility – Fabric visibility into cloud infrastructure service resources
• Automation Action – Integration of Fabric Automation rules to automatically trigger actions based on events
• ITSM – Integration with IT service management and incident response
• Threat Feeds – Integration to obtain external sources of threat feeds and automate security remediation for workloads
• Endpoint/Identity – Integration to leverage existing directory & identity servers to centrally manage user information and automatically apply security protection profiles assigned to each user
• Endpoint CVE – Integration to invoke auto quarantine of compromised endpoints when an IOC is suspected
• Storage – Integration to store FAZ logs directly into Cloud Storage locations
400+ Best-in-class integrated solutions for comprehensive protection
And many more…
Note: Logos are a representative subset of the Security Fabric Ecosystem
Open Ecosystem
• Fabric Connectors – Fortinet-developed deep integration automating security operations and policies
• Fabric APIs – Partner-developed integration using Fabric APIs providing broad visibility with end-to-end solutions
• Fabric DevOps – Community-driven DevOps scripts automating network and security provisioning, configuration, and orchestration
• Extended Ecosystem – Integrations with threat sharing initiatives and other vendor technologies
Wireless / Switching / Firewalls / Endpoint Security
Questions?
• Thank You!
• Questions?
• To be continued…
Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
Brooks Garrett
 
Agile Development in Aerospace and Defense
Agile Development in Aerospace and DefenseAgile Development in Aerospace and Defense
Agile Development in Aerospace and Defense
Jim Nickel
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
Balwinder Kaur
 
End to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpsEnd to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOps
eG Innovations
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
lior mazor
 
IRJET- Cross Platform Penetration Testing Suite
IRJET-  	  Cross Platform Penetration Testing SuiteIRJET-  	  Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
IRJET Journal
 
Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...Government and Education Webinar: How the New Normal Could Improve your IT Op...
Government and Education Webinar: How the New Normal Could Improve your IT Op...
SolarWinds
 
software engineering introduction is a gateway of engineer
software engineering introduction is a gateway of engineersoftware engineering introduction is a gateway of engineer
software engineering introduction is a gateway of engineer
rajajacobc
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
Soirée du Test Logiciel - Présentation de Kiuwan (Jack ABDO)
TelecomValley
 
How to Operate Kubernetes CI/CD Pipelines at Scale
How to Operate Kubernetes CI/CD Pipelines at ScaleHow to Operate Kubernetes CI/CD Pipelines at Scale
How to Operate Kubernetes CI/CD Pipelines at Scale
DevOps.com
 
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021
Teemu Tiainen
 
Testing with a Rooted Mobile Device
Testing with a Rooted Mobile DeviceTesting with a Rooted Mobile Device
Testing with a Rooted Mobile Device
TechWell
 
Runtime Protection in the Real World
Runtime Protection in the Real WorldRuntime Protection in the Real World
Runtime Protection in the Real World
Brooks Garrett
 
Agile Development in Aerospace and Defense
Agile Development in Aerospace and DefenseAgile Development in Aerospace and Defense
Agile Development in Aerospace and Defense
Jim Nickel
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare ☁
 
Going Beyond the Device Heart Beat
Going Beyond the Device Heart BeatGoing Beyond the Device Heart Beat
Going Beyond the Device Heart Beat
Balwinder Kaur
 
End to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOpsEnd to-End Monitoring for ITSM and DevOps
End to-End Monitoring for ITSM and DevOps
eG Innovations
 
Managing Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix EcosystemManaging Your Application Security Program with the ThreadFix Ecosystem
Managing Your Application Security Program with the ThreadFix Ecosystem
Denim Group
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Ad

More from lior mazor (20)

Bridging The Cloud and Application Security Gaps Meetup 15102024
Bridging The Cloud and Application Security Gaps Meetup 15102024Bridging The Cloud and Application Security Gaps Meetup 15102024
Bridging The Cloud and Application Security Gaps Meetup 15102024
lior mazor
 
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdfThe Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
lior mazor
 
Securing the Future of Applications Meetup 18092024
Securing the Future of Applications Meetup 18092024Securing the Future of Applications Meetup 18092024
Securing the Future of Applications Meetup 18092024
lior mazor
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
lior mazor
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
lior mazor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
lior mazor
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
lior mazor
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
lior mazor
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
lior mazor
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
Bridging The Cloud and Application Security Gaps Meetup 15102024
Bridging The Cloud and Application Security Gaps Meetup 15102024Bridging The Cloud and Application Security Gaps Meetup 15102024
Bridging The Cloud and Application Security Gaps Meetup 15102024
lior mazor
 
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdfThe Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
The Hacking Games - Hybrid Cloud Attack Surface Reduction Meetup 09102024.pdf
lior mazor
 
Securing the Future of Applications Meetup 18092024
Securing the Future of Applications Meetup 18092024Securing the Future of Applications Meetup 18092024
Securing the Future of Applications Meetup 18092024
lior mazor
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
lior mazor
 
The Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdfThe Power of Malware Analysis and Development.pdf
The Power of Malware Analysis and Development.pdf
lior mazor
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
lior mazor
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
lior mazor
 
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptxThe Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
The Hacking Games - A Road to Post Exploitation Meetup - 20240222.pptx
lior mazor
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
lior mazor
 
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptxWhy 2024 will become the Year of SaaS Security Meetup 24012024.pptx
Why 2024 will become the Year of SaaS Security Meetup 24012024.pptx
lior mazor
 
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdfVulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
Vulnerability Alert Fatigue and Malicious Code Attacks Meetup 11012024.pdf
lior mazor
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptxSailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
lior mazor
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptxEmphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptxThe Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
The Hacking Games - Cloud Vulnerabilities Meetup 22032023.pptx
lior mazor
 
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
The Hacking Games - Security vs Productivity and Operational Efficiency 20230119
lior mazor
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022Software Supply Chain Security Meetup 21062022
Software Supply Chain Security Meetup 21062022
lior mazor
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
lior mazor
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
lior mazor
 
Ad

Recently uploaded (20)

Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes Partner Innovation Updates for May 2025
ThousandEyes
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Heap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and DeletionHeap, Types of Heap, Insertion and Deletion
Heap, Types of Heap, Insertion and Deletion
Jaydeep Kale
 
Mobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi ArabiaMobile App Development Company in Saudi Arabia
Mobile App Development Company in Saudi Arabia
Steve Jonas
 
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?
Daniel Lehner
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxProcurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptx
Jon Hansen
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdfThe Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
The Evolution of Meme Coins A New Era for Digital Currency ppt.pdf
Abi john
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 

Securing and automating your application infrastructure meetup 23112021 b

  • 10. From Monolithic to Microservices: Uber (source: https://blog.dreamfactory.com/microservices-examples/)
    Here’s how Uber’s monolithic structure worked at the time:
    • Passengers and drivers connected to Uber’s monolith through a REST API.
    • There were three adapters, with embedded APIs for functions like billing, payment, and text messages.
    • There was a MySQL database.
    • All features were contained in the monolith.
    Moving to a microservice architectural style:
    • Assigned clear ownership of specific services to individual development teams, which boosted the speed, quality, and manageability of new development.
    • Facilitated fast scaling by allowing teams to focus only on the services that needed to scale.
    • Allowed individual services to be updated without disrupting other services.
    • Achieved more reliable fault tolerance.
  • 11. Uber’s microservice architecture, mid-2018 (source: https://eng.uber.com/microservice-architecture/)
  • 12. Into CI/CD Pipeline (source: https://dzone.com/articles/learn-how-to-setup-a-cicd-pipeline-from-scratch): a CI/CD pipeline is a set of practices that enables developers to deliver code changes to customers more frequently through automation.
  • 13. Into CI/CD Pipeline: Pros & Cons
    Pros:
    • Speed of deployment
    • Faster testing and analysis
    • Smaller code changes
    • Better and faster fault isolation
    • Automatic deployment to production
    • Tons of open source tools available
    Cons:
    • DevOps skills must be learned
    • Steep learning curve to implement automation
    • Big upfront investment
    • Legacy systems rarely support CI/CD
  • 15. Attacks on Web Applications Increasing: “43% of breaches (in 2020) were attacks on web applications, more than double the results from last year.” Source: “2020 Data Breach Investigations Report: Official,” Verizon Enterprise Solutions, https://enterprise.verizon.com/en-gb/resources/reports/dbir/
  • 16. How often do your applications change? Source: “2021 Application Security Report”, Fortinet: https://www.fortinet.com/content/dam/maindam/PUBLIC/02_MARKETING/08_Report/report-cybersecurity-insiders-application-security-fortinet.pdf
  • 17. (diagram slide, no text)
  • 18. Web Applications are Evolving and Expanding
    Constant design/application changes require constant validation to match those changes.
    Applications are extremely dynamic:
    • How do you keep security policies up to date?
    • How do you react to real-time events?
    • How do you support a scalable solution that copes with performance growth?
    • How do the changes affect application availability and security?
    Application Anywhere:
    • Availability is crucial for any organization
    • The application MUST be accessible from anywhere
  • 19. Web Application Validation: DevSecOps teams need to validate every new deployment / new application version
    • Fast releases: less focus on security
    • No full regression tests
    • Automated testing (new libraries/services)
    • Misconfiguration
    • Vulnerable 3rd-party dependencies
    • Authentication validation
  • 20. OWASP Top 10 - 2021
    • Applications running in a serverless environment still execute code. If this code is written in an insecure manner, it can still be vulnerable to application-level attacks.
    • The OWASP Top 10 report:
      • Examines the differences in attack vectors, security weaknesses, and the business impact of application attacks in the serverless world
      • Suggests ways to prevent those attacks
  • 22. Fortinet Security Fabric
    • Broad visibility and protection of the entire digital attack surface to better manage risk
    • Integrated solution that reduces management complexity and shares threat intelligence
    • Automated self-healing networks with AI-driven security for fast and efficient operations
    Diagram labels: Security-Driven Networking, Zero Trust Access, Adaptive Cloud Security, FortiOS, FortiGuard Threat Intelligence, Open Ecosystem, Fabric Management Center (NOC/SOC)
  • 23. Fortinet Application Security Solution (Adaptive Cloud Security; Fabric-driven application services)
    Diagram: SAP, a Kubernetes cluster and a web app fronted by an Application Connector (Web Application Firewall, User Authentication, SSL Services, Cloud Connector, Machine Learning) with Application Automation (Autoscaling, Auto Security, Performance Boost)
    Key benefits:
    • Application security & availability
    • Cloud Connector for visibility and dynamic changes
    • Fabric Connector to multiple applications for automation and service scaling
    • Multi-service solution: SLB, WAF, DDoS, ZTNA, GSLB, API protection and more…
    • Automation actions based on application events
    • Business continuity (Application Anywhere)
  • 24. Fortinet Application Security Suite
    • FortiGate (app/net protection): lift and shift from the DC, connect applications, protect resources, applications and data against app threats, simplify hybrid / multi-cloud deployments
    • FortiWeb (Web Application Firewall): protecting organization-deployed web applications & APIs with machine learning
    • FortiADC (application delivery): improve application experience, security, and availability based on application events
    • FortiCWP: embeds security throughout the container lifecycle, builds the CI/CD pipeline, enhances compliance with security best practices and visibility into runtime container activities
    • FortiPenTest: penetration-testing-as-a-service tool based upon the OWASP Top 10 list of application vulnerabilities, which can be used to find issues before they’re exploited
    Diagram labels: Application Expansion, Fabric API, Extended Fabric Ecosystem, Automation Action
  • 25. Open Fabric Ecosystem - Application Security: 470+ best-in-class integrated solutions for comprehensive protection
  • 27. Application Security in Container (Nishant Rajput)
  • 28. $ whoami: Nishant Rajput, Senior Security Engineer @ Snowflake
    Disclaimer: Presentation is intended for education purposes only. Statements of fact and opinions expressed are my own. No affiliation to the related practices of current or past organizations.
  • 29. Agenda
    • Containers over virtual machines
    • Trouble areas: trust issues with containers
    • Mitigation, a solvable way:
      • Container isolation
      • Container image security
      • Vulnerability checks in images
      • Secrets & network security
    • Docker best practices
  • 30. Containers over Virtual Machines
  • 31. Virtual Machines
    • Compute resource: the advantage of software over physical hardware
    • Platform-independent programming environment
    Advantages:
    • Multiple OS environments on a single physical server
    • Integrated disaster recovery & application provisioning options
  • 32. From an On-Prem to VM Deployment Machine (diagram slide)
  • 33. Firepower of Containers
    • Compute resource: works on OS virtualization
    • Include only the binaries, libraries and other required dependencies, and the apps
    • Containers on the same host share the same operating system kernel, making containers much smaller than virtual machines
    • Boot faster, maximize server resources, and make delivering apps easier
  • 34. Inner Loop of Development (diagram slide)
  • 35. Outer Loop Development (diagram slide)
  • 36. The Big Picture
  • 37. Trust Issues with Containers
  • 38. Issues with Containers: The Threat Model Way
    • Vulnerable app code
    • Badly configured container images
    • Build machine attacks
    • Supply chain attacks
    • Badly configured containers
    • Vulnerable hosts
    • Exposed secrets
    • Insecure networking
  • 39. Mitigation: A Solvable Way
  • 40. Container Isolation
  • 41. Docker Kernel Namespaces
    • Docker makes use of kernel namespaces to provide the isolated workspace called the container.
    • When a container is started, Docker creates a set of namespaces for that container.
    • Namespaces provide an extra layer of isolation.
    • Each aspect of a container runs in a separate namespace and its access is limited to that namespace.
    • E.g. the network namespace, the cgroup namespace, etc.
    • Since all containers on the host share one kernel (slide 33), namespaces limit what a process can see and address; they do not put a kernel vulnerability out of reach.
  • 42. Container Image Security
  • 43. Measures
    • Identifying images: <Registry URL>/<Organization or user name>/<repository>@sha256:<digest>
    • Image integrity
    • Build-time security: Dockerfile to image formation
    • Image storage security:
      • Running your own registry
      • Signing images
  • 44. Vulnerability Checks in Images
  • 45. Vulnerability Checks During Dev
    • Application-level vulnerabilities: packages and patches
    • Out-of-date sources
    • Won’t-fix vulnerabilities
    • Sub-package vulnerabilities
    • Zero-days
  • 46. Code Build Failure in AWS (screenshot slide)
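Slides 45 and 46 list what a scan turns up and show a CodeBuild run failing on it. The block below is an added example written for this page, not from the talk, of the gate logic behind that failure: it reads a constructed, Trivy-style report (the EXAMPLE-* IDs are placeholders, not real CVEs), fails the build on HIGH and CRITICAL findings, and routes the slide’s won’t-fix case (no FixedVersion) through a hypothetical time-boxed allowlist so that an exception has an owner, a reason and an expiry instead of quietly becoming permanent.

```python
"""CI gate over container-image scan findings (added example).

Assumptions, not taken from the slides: SCAN_JSON is a constructed report in a
simplified Trivy-like shape, the vulnerability IDs are placeholders, and the
won't-fix register format (ALLOWLIST) is hypothetical.
"""
import json
from datetime import date

# Constructed scanner output; the EXAMPLE-* IDs are placeholders, not real CVEs.
SCAN_JSON = """
{
  "ArtifactName": "registry.example.com/acme/web:1.4.2",
  "Results": [
    {"Target": "registry.example.com/acme/web (debian 11)",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "openssl",
        "InstalledVersion": "1.1.1k", "FixedVersion": "1.1.1n", "Severity": "CRITICAL"},
       {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libc6",
        "InstalledVersion": "2.31", "FixedVersion": "", "Severity": "HIGH"},
       {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "zlib1g",
        "InstalledVersion": "1.2.11", "FixedVersion": "1.2.12", "Severity": "MEDIUM"}
     ]},
    {"Target": "app/package-lock.json",
     "Vulnerabilities": [
       {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "minimist",
        "InstalledVersion": "1.2.5", "FixedVersion": "1.2.6", "Severity": "HIGH"}
     ]}
  ]
}
"""

# Severities that block the build.
FAIL_ON = {"CRITICAL", "HIGH"}

# Hypothetical won't-fix register. Every exception carries a reason and an
# expiry date, so "no fix available" is revisited instead of forgotten.
ALLOWLIST = [
    {"id": "EXAMPLE-0002", "pkg": "libc6", "expires": "2999-01-01",
     "reason": "no upstream fix yet; vulnerable function not reachable from the service"},
]


def load_findings(scan_json):
    """Flatten the report into one record per (target, package, vulnerability)."""
    report = json.loads(scan_json)
    findings = []
    for result in report["Results"]:
        for vuln in result.get("Vulnerabilities", []):
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "target": result["Target"],
                "severity": vuln["Severity"],
                # No FixedVersion means the distro/upstream has not shipped a fix:
                # a candidate for the time-boxed register, not for silence.
                "fixable": bool(vuln.get("FixedVersion")),
            })
    return findings


def is_allowlisted(finding, allowlist, today):
    """An exception must match id and package and must not have expired."""
    for entry in allowlist:
        if entry["id"] == finding["id"] and entry["pkg"] == finding["pkg"]:
            return date.fromisoformat(entry["expires"]) >= today
    return False


def evaluate(scan_json, allowlist=ALLOWLIST, fail_on=FAIL_ON, today=None):
    """Split findings into blocking, accepted (won't fix, time-boxed) and informational."""
    today = date.fromisoformat(today) if today else date.today()
    verdict = {"blocking": [], "accepted": [], "informational": []}
    for finding in load_findings(scan_json):
        if finding["severity"] not in fail_on:
            verdict["informational"].append(finding)
        elif is_allowlisted(finding, allowlist, today):
            verdict["accepted"].append(finding)
        else:
            verdict["blocking"].append(finding)
    return verdict


def build_should_fail(scan_json, **kwargs):
    return bool(evaluate(scan_json, **kwargs)["blocking"])


if __name__ == "__main__":
    verdict = evaluate(SCAN_JSON)
    for f in verdict["blocking"]:
        status = "fix available" if f["fixable"] else "no fix yet"
        print(f"BLOCK    {f['severity']:8} {f['id']} {f['pkg']} ({f['target']}; {status})")
    for f in verdict["accepted"]:
        print(f"ACCEPTED {f['severity']:8} {f['id']} {f['pkg']} (won't fix, expiry tracked)")
    # A non-zero exit is what makes CodeBuild (or any CI runner) mark the build failed.
    raise SystemExit(1 if verdict["blocking"] else 0)
```

Run as a build step after the scanner writes its report; the exit code is the gate. Keeping the allowlist in the repository next to the Dockerfile makes every accepted risk reviewable in the same pull request that introduced it.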
  • 47. Secrets & Network Security
  • 48. Secrets Storage
    • Storing the secrets in the container image
    • Passing them over the network
    • Passing the secrets in environment variables
    • Passing secrets through files
  • 49. Network Checks
    • Container firewalls
    • Network isolation
    • Network policy best practices:
      • Default deny
      • Default deny egress
      • Restrict pod-to-pod traffic
      • Restrict ports
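The network-policy points above (default deny, default deny egress, restrict pod-to-pod traffic, restrict ports) as an added example that is not part of the talk: constructed NetworkPolicy manifests for a namespace named shop (the JSON form of what you would kubectl apply) and a small evaluator that reports whether the namespace is default-deny in both directions and lists exactly which peers and ports remain allowed. The evaluator is a simplified model of the API semantics (selectors are summarised, not matched against live pods). One caveat the slide does not state: NetworkPolicy objects are enforced only by a CNI plugin that implements them; on a cluster without one the API accepts the manifests and nothing is blocked.

```python
"""Posture check over Kubernetes NetworkPolicy objects (added example).

Assumptions: the manifests below are constructed (JSON form of what you would
kubectl apply in a namespace called "shop"); the evaluator is a simplified model
of the API semantics (label selectors are summarised, not matched against pods).
"""
import json

POLICIES_JSON = """
[
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "default-deny-all", "namespace": "shop"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "web-from-ingress-controller", "namespace": "shop"},
  "spec": {"podSelector": {"matchLabels": {"app": "web"}},
           "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"namespaceSelector":
                                   {"matchLabels": {"kubernetes.io/metadata.name": "ingress-nginx"}}}],
                        "ports": [{"protocol": "TCP", "port": 8080}]}]}},
 {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
  "metadata": {"name": "web-egress-db-and-dns", "namespace": "shop"},
  "spec": {"podSelector": {"matchLabels": {"app": "web"}},
           "policyTypes": ["Egress"],
           "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}],
                       "ports": [{"protocol": "TCP", "port": 5432}]},
                      {"to": [{"namespaceSelector":
                                {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
                       "ports": [{"protocol": "UDP", "port": 53}]}]}}
]
"""


def policy_types(spec):
    """API default: Ingress is always governed; Egress only if listed or an egress block exists."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def selects_all_pods(spec):
    selector = spec.get("podSelector", {})
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def is_default_deny(spec, direction):
    """All pods selected, direction governed, and no rules for it: nothing is allowed."""
    return (direction in policy_types(spec) and selects_all_pods(spec)
            and not spec.get(direction.lower()))


def labels(selector):
    return ",".join(f"{k}={v}" for k, v in sorted(selector.get("matchLabels", {}).items())) or "all"


def describe_peer(peer):
    if "ipBlock" in peer:
        return "cidr:" + peer["ipBlock"]["cidr"]
    ns = "ns=" + labels(peer["namespaceSelector"]) if "namespaceSelector" in peer else "ns=same"
    pods = "pods=" + labels(peer["podSelector"]) if "podSelector" in peer else "pods=all"
    return ns + " " + pods


def allowed_flows(spec, direction):
    """(peer, protocol, port) triples a policy admits; an empty rule {} admits everything."""
    peers_key = "from" if direction == "Ingress" else "to"
    flows = []
    for rule in spec.get(direction.lower(), []):
        peers = [describe_peer(p) for p in rule.get(peers_key, [])] or ["any"]
        ports = [(p.get("protocol", "TCP"), p.get("port")) for p in rule.get("ports", [])] or [("any", None)]
        flows.extend((peer, proto, port) for peer in peers for proto, port in ports)
    return flows


def namespace_posture(policies_json):
    posture = {"default_deny_ingress": False, "default_deny_egress": False,
               "allows": [], "wide_open": []}
    for policy in json.loads(policies_json):
        spec, name = policy["spec"], policy["metadata"]["name"]
        for direction in ("Ingress", "Egress"):
            if direction not in policy_types(spec):
                continue
            if is_default_deny(spec, direction):
                posture["default_deny_" + direction.lower()] = True
                continue
            for peer, proto, port in allowed_flows(spec, direction):
                posture["allows"].append((name, direction, peer, proto, port))
                if peer == "any" and port is None:
                    posture["wide_open"].append((name, direction))
    return posture


if __name__ == "__main__":
    posture = namespace_posture(POLICIES_JSON)
    print("default deny ingress:", posture["default_deny_ingress"])
    print("default deny egress: ", posture["default_deny_egress"])
    for name, direction, peer, proto, port in posture["allows"]:
        print(f"  {direction:7} {name}: {peer} {proto}/{port}")
    for name, direction in posture["wide_open"]:
        print(f"  WARNING {name} allows all {direction.lower()} traffic")
```

The default-deny object is what makes the other two meaningful: without it, pods that no policy selects accept and send anything. The explicit egress rule also shows why default deny egress needs a DNS exception, otherwise service discovery breaks on the first lookup.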
  • 50. Docker Best Practices
  • 51. Docker Best Practices
    • Prefer a minimal base image
    • Least privilege
    • Sign & verify images to mitigate MiTM attacks
    • Find, fix & monitor for open source vulnerabilities
    • No sensitive info in Docker images
    • Use fixed tags for immutability (a tag can still be re-pushed; pinning the @sha256 digest from slide 43 is what makes the reference immutable)
    • Use scanning tools like Clair, Twistlock, etc.
    • Secure the network
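Three of the points above can be checked mechanically before an image is ever built: a digest-pinned base image (slide 43), no secrets in the image (slide 48) and a non-root user plus immutable references (slide 51). The linter below is an added example written for this page, not a tool the talk shows; both Dockerfiles are constructed, the sha256 digest in HARDENED is an all-zero placeholder, and the rule names and severities are this example’s own.

```python
"""Dockerfile policy checks for the image-security points on slides 43, 48 and 51 (added example).

Assumptions: both Dockerfiles are constructed; the digest in HARDENED is an
all-zero placeholder; rule names and severities are this example's own.
"""
import re

VULNERABLE = """\
FROM node:latest
ENV API_TOKEN=sk_live_constructed_placeholder
COPY id_rsa /root/.ssh/id_rsa
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && \\
    apt-get install -y curl
COPY . /app
CMD ["node", "/app/server.js"]
"""

HARDENED = """\
FROM node:18-bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
WORKDIR /app
COPY --chown=node:node package*.json ./
RUN npm ci --omit=dev
COPY --chown=node:node . .
USER node
CMD ["node", "server.js"]
"""

SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
SENSITIVE_SRC_RE = re.compile(r"(^|/)(id_rsa|id_ed25519|\.env|\.ssh|\.aws|\.npmrc|\.git)(/|$)")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def instructions(text):
    """Yield (INSTRUCTION, arguments), joining backslash continuations and skipping comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        pending += line
        inst, _, args = pending.partition(" ")
        yield inst.upper(), args.strip()
        pending = ""


def check_from(args, findings):
    image = args.split()[0]                     # drop "AS builder"
    if image == "scratch" or DIGEST_RE.search(image):
        return                                  # digest-pinned: immutable reference (slide 43)
    name = image.rsplit("/", 1)[-1]             # strip registry[:port]/repo
    if ":" not in name or name.endswith(":latest"):
        findings.append(("HIGH", "FROM", f"{image}: mutable base image (no tag or :latest)"))
    else:
        findings.append(("MEDIUM", "FROM", f"{image}: tag but no @sha256 digest; tags can be re-pushed"))


def env_pairs(args):
    """Handle both 'ENV KEY=value KEY2=value2' and the legacy 'ENV KEY value' form."""
    tokens = args.split()
    if tokens and "=" not in tokens[0]:
        return [(tokens[0], " ".join(tokens[1:]))]
    return [tuple(t.split("=", 1)) for t in tokens if "=" in t]


def check_env(inst, args, findings):
    for key, value in env_pairs(args):
        # A literal secret in ENV/ARG lands in image metadata and `docker history`.
        if SECRET_KEY_RE.search(key) and value and not value.startswith("$"):
            findings.append(("HIGH", inst, f"{key}: literal secret baked into the image"))


def check_copy_add(inst, args, findings):
    parts = [p for p in args.split() if not p.startswith("--")]
    for src in parts[:-1]:                      # the last part is the destination
        if SENSITIVE_SRC_RE.search(src):
            findings.append(("HIGH", inst, f"{src}: sensitive file copied into the image"))
        if inst == "ADD" and re.match(r"https?://", src):
            findings.append(("MEDIUM", inst, f"{src}: unverified remote ADD; fetch in RUN and check a hash"))


def lint_dockerfile(text):
    findings, user = [], None
    for inst, args in instructions(text):
        if inst == "FROM":
            check_from(args, findings)
            user = None                         # each stage starts as root again
        elif inst in ("ENV", "ARG"):
            check_env(inst, args, findings)
        elif inst in ("COPY", "ADD"):
            check_copy_add(inst, args, findings)
        elif inst == "USER":
            user = args.split(":")[0]
    if user in (None, "root", "0"):
        findings.append(("HIGH", "USER", "final stage runs as root; add a non-root USER"))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"== {label}")
        for severity, inst, message in lint_dockerfile(text) or [("OK", "-", "no findings")]:
            print(f"{severity:6} {inst:5} {message}")
```

The checks are lexical, so they belong early in the pipeline (pre-commit or the first CI stage) and complement, rather than replace, the image scanner that runs on the built layers.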
  • 52. Wise Words of the Saints: Security Principles
    • Least privilege
    • Defense in depth
    • Reduce attack surface
    • Segregation of duties
  • 53. Thank you! Questions?
  • 54. Vulnerable VS Code extensions are now at your front door. Application Security Meetup 🌍 By Raul Onitza-Klugman, Security Researcher @ Snyk
  • 55. Why VS Code? Developers?
  • 56. Security is shifting left... (diagram: from security testing to developers)
  • 58. Raul Onitza-Klugman
    • Security Researcher @ Snyk
    • Studied Electrical Eng. + Physics
    • Started as a C/C++ embedded dev
    • Love web, binary and growing vegetables
  • 61. Visual Studio Code
    • One of the most popular code editors: ~14M active users (out of 24M developers worldwide)
    • Industry adoption: used by more than 4k companies worldwide
    • Extension marketplace: https://marketplace.visualstudio.com/
  • 62. Editor Extensions: turn this into this! Out-of-the-box features; add languages, debuggers, parsers...
  • 63. Extension Basics. Essentially: Extension = NPM + VS Code Extension API
    1. JavaScript/TypeScript and a package.json manifest
    2. https://code.visualstudio.com/api
    3. Packaged in a *.vsix file (a zip archive)
    4. Most of them are open-source (and on GitHub)!
  • 64. Let’s see some examples, shall we?
  • 72. Why should I care about a local web server?!
  • 73. VS Code Instant Markdown extension (diagram): Chrome Markdown preview page talking to the extension’s preview HTTP server; path traversal
  • 76. How to bypass CORS? Top 10 answers from Google: “you need XSS on the website you wanna hack”
  • 80. Attack chain (diagram):
    1. The victim opens http://evil.com.
    2. The page downloads the XSS payload (payload.html) to the victim’s Downloads folder.
    3. XSS happens here: an <iframe> of http://localhost:8888/?/../../../Downloads/payload.html makes the preview server serve the payload (<script>...</script>) in the localhost origin; CORS is disabled on that server.
    4. The payload issues a same-origin GET for http://localhost:8888/?/../../../../../../etc/passwd and reads the response.
  • 81. DEMO!
  • 82. XSS + path traversal: reading the victim’s .ssh key
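The traversal on slides 73 to 82 reduced to the one function that was wrong, shown beside its fix, as an added example that is not code from the extension or the talk: the preview server takes the file to render from the query string, so ?/../../../../../../etc/passwd is joined under the served directory and the filesystem walks right out of it. WORKSPACE is a constructed served directory, the URLs are the ones on slide 80 (port 8888 as shown, without the page’s proxy prefix), and the Content-Security-Policy plus the deliberate absence of any Access-Control-Allow-Origin header are this example’s hardening choices.

```python
"""Path handling for a localhost preview server: the traversal beside its fix (added example).

Assumptions: WORKSPACE is a constructed served directory; the URLs are the
ones on slide 80; the CSP header is this example's choice.
"""
import posixpath
from urllib.parse import urlsplit, unquote

WORKSPACE = "/home/dev/project"          # constructed: the directory the preview server serves

# Request URLs from slide 80 (plus one legitimate request for contrast).
EXPLOIT_PAYLOAD = "http://localhost:8888/?/../../../Downloads/payload.html"
EXPLOIT_PASSWD = "http://localhost:8888/?/../../../../../../etc/passwd"
LEGIT = "http://localhost:8888/?/docs/README.md"


def requested_path(url):
    """The preview server takes the file to render from the query string (?/<path>)."""
    return unquote(urlsplit(url).query)


def resolve_vulnerable(root, rel):
    """What the vulnerable server effectively did: join and hand the path to the filesystem.
    The '..' segments are resolved by the kernel, so the result can be anywhere."""
    return posixpath.normpath(posixpath.join(root, rel.lstrip("/")))


def resolve_safe(root, rel):
    """Normalise first, then insist the result is root itself or strictly below it."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes the workspace: {rel!r}")
    # A real server should also os.path.realpath() the candidate after this check,
    # so that a symlink inside the workspace cannot point back out of it.
    return candidate


def handle(url, root=WORKSPACE):
    """Hardened request-handler decision: (status, path_or_reason, headers)."""
    try:
        path = resolve_safe(root, requested_path(url))
    except PermissionError as exc:
        return 403, str(exc), {}
    headers = {
        # Rendered Markdown is untrusted input: forbid script so a crafted document
        # cannot run JavaScript in the localhost origin (the XSS step of the chain).
        "Content-Security-Policy": "default-src 'none'; img-src 'self' data:; style-src 'self'",
        "X-Content-Type-Options": "nosniff",
        # Deliberately no Access-Control-Allow-Origin: a page on evil.com gets no read access.
    }
    return 200, path, headers


if __name__ == "__main__":
    for url in (EXPLOIT_PAYLOAD, EXPLOIT_PASSWD, LEGIT):
        rel = requested_path(url)
        print(f"{rel}\n  vulnerable -> {resolve_vulnerable(WORKSPACE, rel)}")
        status, result, _ = handle(url)
        print(f"  hardened   -> {status} {result}")
```

The containment test runs on the normalised path, not on the raw string, so encoded dots (%2e%2e) and legitimate internal `..` segments are both handled correctly: the former is rejected, the latter allowed.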
  • 84. LaTeX Workshop is an extension for Visual Studio Code, aiming to provide core features for LaTeX typesetting with Visual Studio Code.
  • 86. VS Code LaTeX Workshop extension (diagram): Chrome PDF preview page talking to the extension’s PDF preview HTTP server and its WebSocket server; http://evil.com
  • 88. Handles a click on a URL in the PDF file
  • 97. Attack chain (diagram):
    1. The victim opens http://evil.com; its <script>...</script> targets localhost. WebSocket doesn’t come with CORS built in.
    2. The script brute-forces the port (port #1, port #2, ... port #n) until it reaches the extension’s WebSocket server.
    3. It sends a message that makes the extension execute an OS command.
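Slide 97’s chain works because a browser will open a WebSocket from a page on evil.com to any localhost port the page guesses, and WebSocket has no CORS. The block below is an added example (not LaTeX Workshop’s code or protocol) of the server-side gate a local helper server needs: check Host (DNS rebinding), check Origin against the extension’s own HTTP origin, require a per-session token that only the extension’s preview page was handed, and only then compute the Sec-WebSocket-Accept value. The request text is constructed (the key is RFC 6455’s example value), port 8443 and the /ws path are this example’s choices, and ACTIONS is a hypothetical allow-list standing in for the “execute command” step.

```python
"""Origin- and token-gated WebSocket handshake for a localhost helper server (added example).

Assumptions: the request text is constructed; port, token and the /ws path are
this example's choices; ACTIONS is a hypothetical allow-list of what the
extension is willing to do on a message, not LaTeX Workshop's protocol.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 handshake constant


def build_request(origin, token, host="localhost:8443", key="dGhlIHNhbXBsZSBub25jZQ=="):
    """Constructed client upgrade request; the key is the RFC 6455 example value."""
    lines = [f"GET /ws?token={token} HTTP/1.1", f"Host: {host}", "Upgrade: websocket",
             "Connection: Upgrade", f"Sec-WebSocket-Key: {key}", "Sec-WebSocket-Version: 13"]
    if origin is not None:                      # browsers always send Origin; scripts may not
        lines.append(f"Origin: {origin}")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_request(raw):
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(sha1(key + GUID)), the value the server must answer with."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode()).digest()).decode()


def handshake(raw, port, session_token):
    """Return (101, accept) to upgrade, or (status, reason) to refuse.

    WebSocket has no CORS: the browser happily connects a page on evil.com to
    ws://localhost:<port>, so the server itself must check Origin (and Host,
    against DNS rebinding) and demand a secret only the extension's own page knows."""
    method, target, headers = parse_request(raw)
    if method != "GET" or headers.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    local_hosts = {f"localhost:{port}", f"127.0.0.1:{port}"}
    if headers.get("host") not in local_hosts:
        return 403, "unexpected Host header"
    if headers.get("origin") not in {f"http://{h}" for h in local_hosts}:
        return 403, f"origin not allowed: {headers.get('origin')}"
    token = parse_qs(urlsplit(target).query).get("token", [""])[0]
    if not token or not secrets.compare_digest(token, session_token):
        return 403, "missing or wrong session token"
    return 101, accept_key(headers["sec-websocket-key"])


# Hypothetical message allow-list: fixed verbs with typed arguments, never a shell string.
ACTIONS = {"reveal_line": int, "open_page": int}


def dispatch(message):
    """Message format 'verb:arg' (this example's own); anything else is rejected."""
    verb, _, arg = message.partition(":")
    if verb not in ACTIONS:
        raise ValueError(f"unknown action: {verb!r}")
    return verb, ACTIONS[verb](arg)


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)           # generated per session, handed to the preview page
    for origin in ("http://localhost:8443", "https://evil.com", None):
        print(origin, handshake(build_request(origin, token), 8443, token))
```

Port brute-forcing stops mattering once the handshake refuses foreign origins, and the token covers clients that can forge Origin (anything that is not a browser already runs on the machine). The allow-listed dispatcher is the second layer: even an accepted connection can only request a fixed set of typed actions.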
  • 98. DEMO!
  • 100. Why is this a big deal?!
  • 101. Impact (diagram): a developer installs a (vulnerable) extension from the Marketplace; 1 - Exploit; 2 - Obtain private data (ssh keys, .env, source code, configs); 3 - Compromise THE ORG, with persistence and supply-chain reach.
  • 102. Mitigations: similar hygiene to 3rd-party packages
    1. Developer
      • Use only maintained and popular extensions
      • Don’t use extensions with unfixed security issues
    2. Extension maintainer
      • Use security best practices when developing your extensions
      • Test your code with a vulnerability scanner
      • Fix disclosed vulnerabilities in a timely fashion
  • 105. NOC/SOC Challenges: do more with less; compliance reporting; manual operations; single-pane visibility; deployment flexibility; integrate with existing tools
  • 106. Fortinet Security Fabric (repeat of slide 22)
  • 108. Fabric-Ready Partner Program: objectives
    • Increase Fortinet brand value via partnerships with industry-leading partner companies
    • Demonstrate the openness of the Security Fabric to analysts & industry
    • Revenue generation: sell with, sell through partners
    • Reduce the sales timeline with pre-validated integrated solutions
    • Updated partner list: https://www.fortinet.com/partners/partnerships/alliance-partners.html
  • 109. Types of partner integrations
    Fabric Connectors:
    • Fortinet develops specific code in our products
    • Explicitly referenced in our GUI/CLI
    • Mainly based on APIs
    • Feature development made by FTNT
    • Validation usually requires testing with the partner
    Fabric-Ready (Fabric APIs):
    • Partner-developed solutions to integrate with FTNT products
    • Based on existing APIs and/or standard protocols (RADIUS, SYSLOG, SSH, etc.)
    • (Usually) no specific code development from the FTNT side
    • FTNT tests the solution to assure it works as expected
  • 110. Fabric-Ready vs. Fabric Connectors: examples
    Fortinet Fabric Connectors: AWS (API), Azure (API), Cisco ACI (API)
    Fabric-Ready integrations: Splunk (Syslog), Arista (standard FOS APIs)
    Internal and Confidential – Do not distribute
  • 111. External Fabric Connectors: connectors to partner products and solutions
  • 112. External Fabric Connectors: types
    • Public SDN: integration with multi-cloud platforms (PaaS, IaaS) for dynamic policy objects
    • Private SDN: integration with SDN platforms (private, public) for dynamic policy objects
    • IaaS Visibility: Fabric visibility into cloud infrastructure service resources
    • Automation Action: integration of Fabric Automation rules to automatically trigger actions based on events
    • ITSM: integration with IT service management and incident response
    • Threat Feeds: integration to obtain external sources of threat feeds and automate security remediation for workloads
    • Endpoint/Identity: integration to leverage existing directory & identity servers to centrally manage user information and automatically apply the security protection profiles assigned to each user
    • Endpoint CVE: integration to invoke auto-quarantine of compromised endpoints when an IOC is suspected
    • Storage: integration to store FAZ logs directly into cloud storage locations
  • 113. Open Ecosystem: 400+ best-in-class integrated solutions for comprehensive protection (and many more…; logos are a representative subset of the Security Fabric Ecosystem)
    • Fabric Connectors: Fortinet-developed deep integration automating security operations and policies
    • Fabric APIs: partner-developed integration using Fabric APIs providing broad visibility with end-to-end solutions
    • Fabric DevOps: community-driven DevOps scripts automating network and security provisioning, configuration, and orchestration
    • Extended Ecosystem: integrations with threat-sharing initiatives and other vendor technologies
    Diagram labels: Wireless, Switching, Firewalls, Endpoint Security
  • 115. Thank You! Questions? To be continued… Join Us: https://www.linkedin.com/company/application-security-virtual-meetups