
Signal Sciences

  • Secure Development Lessons from Purposely Insecure Applications
    Secure Development Lessons from Purposely Insecure Applications Jason White, Application Security Consultant, Astech Consulting Recorded: Nov 8 2017 41 mins
    Security pros and developers often use insecure apps to teach or demonstrate application vulnerabilities. The main activity is 'hacking', or showing how exploiting a given vulnerability works. WebGoat was (as far as we know) the first purposely insecure app for teaching web application security. Many other 'goats' have since come about, and now we even have a Juice Shop. Until now, there has been no purposely secure [example] application for developers to model from. So, let's work with what we have and pull out some secure coding and secure SDLC lessons from the insecure applications.
  • ChaoSlingr: Introducing Security Based Chaos Testing
    ChaoSlingr: Introducing Security Based Chaos Testing Aaron Rinehart, Chief Enterprise Security Architect and Grayson Brewer, Security Engineer, UnitedHealth Group Recorded: Oct 18 2017 51 mins
    This Modern Security episode introduces a security based chaos testing tool and methodology. ChaoSlingr is a Security Chaos Engineering Tool focused primarily on the experimentation on AWS Infrastructure to bring system security weaknesses to the forefront.
  • Innovation and the Future of Information Security- One Cool Panel
    Innovation and the Future of Information Security- One Cool Panel Jacob Katz, Signal1; Jess Parnell, Centripetal Networks, Zane Lackey, Signal Sciences Recorded: Oct 3 2017 57 mins
    In this panel, led by three of Gartner's 2017 Cool Vendors in Security for Technology and Service Providers, we dive into where the industry is heading, where enterprises can innovate, and how security can be in the value creation business.

    This panel shares their thoughts on the following topics and questions:

    * What larger security trends do you see happening in the industry in 2018?
    * What are the shifts that are creating opportunity for innovation in security?
    * What is the biggest risk in security today?
    * What can enterprises do to solve this risk?

    This lively discussion covers DevOps to digital transformation to cyberwar to the shifting security landscape. Whether you are a senior security pro or new to the industry, you don’t want to miss this panel.
  • Application Denial of Service In Microservice Architectures
    Application Denial of Service In Microservice Architectures Scott Behrens, Senior Application Security Engineer, Netflix Recorded: Sep 27 2017 44 mins
    This webinar will introduce you to one of the most devastating ways to cause service instability in modern micro-service architectures: application DDoS. Unlike traditional network DDoS that focuses on network pipes and edge resources, this talk focuses on identifying and targeting expensive calls within a micro-services architecture, using their complex interconnected relationships to cause the system to attack itself — with massive effect.
  • Security In The Land of Microservices
    Security In The Land of Microservices Jack Mannino, CEO, nVisium Recorded: Aug 30 2017 41 mins
    Microservices are a great way to build software, but they bring their own security problems to the table. Compared to monolithic applications, microservice architectures are often significantly more complex, requiring us to think a little differently about how to build security in. Services are highly decoupled and governance is decentralized, often blurring the line for security duties between teams. This makes it really important to build the proper security controls into your architecture early, before things spin out of control (because, they will). Your team is empowered to move faster than ever and your mission is to help them do it securely.

    In this presentation, we will discuss the challenges with securing microservices and present secure design tips to make security a seamless and frictionless part of scaling your architecture. Using real-world examples of successes and failures while building a microservice architecture, we will discuss what translates well from monolithic design to microservices, and the bad habits you should leave behind. At the end of this presentation, you’ll understand what separates microservices from traditional monolithic applications and understand the problem space from a secure architectural perspective.
  • Practical Tips For Defending Web Applications In The Age Of DevOps
    Practical Tips For Defending Web Applications In The Age Of DevOps Zane Lackey, Founder and Chief Security Officer, Signal Sciences Recorded: Aug 10 2017 56 mins
    This encore of Zane Lackey's Black Hat presentation covers the most effective application security techniques, helping you avoid development bottlenecks while staying secure.

    The standard approach for web application security over the last decade and beyond has focused heavily on slow gatekeeping controls like static analysis and dynamic scanning. However, these controls were originally designed in a world of Waterfall development, and their heavyweight nature often causes more problems than it solves in today's world of agile, DevOps, and CI/CD.

    This talk will share practical lessons learned at Etsy on the most effective application security techniques in today's increasingly rapid world of application creation and delivery. Specifically, it will cover how to:

    * Adapt traditionally heavyweight controls like static analysis and dynamic scanning to lightweight efforts that work in modern development and deployment practices
    * Obtain visibility to enable, rather than hinder, development and DevOps teams' ability to iterate quickly
    * Measure the maturity of your organization's security efforts in a non-theoretical way
  • Twubhubbook - It’s Like An AppSec Program, But For Startups
    Twubhubbook - It’s Like An AppSec Program, But For Startups Neil Matatall, Senior Security Engineer, GitHub Recorded: Mar 1 2017 57 mins
    It’s 2025. Many of the problems in appsec have mitigations, maybe even solutions. The value of an appsec program is widely accepted as a requirement for any successful company. Yet XSS and other common vulnerabilities are still occupying the time of many engineering teams. Twubhubbook, a fictitious startup from the future, has the benefit of being a new startup: it’s mostly a blank-slate situation. This is the story of how Twubhubbook rolled out their program without skipping a beat or breaking the bank. The purpose of this imaginary story is to provide practical advice that you can take to a current or future startup (sorry, enterprise people) based on the successes and failures of today’s startups.
  • Protect Containerized Applications With System Call Profiling
    Protect Containerized Applications With System Call Profiling Dr. Chenxi Wang, Founder, Jane Bond Project; Startup advisor & Angel investor Recorded: Dec 20 2016 40 mins
    Container technologies like Docker are gaining mainstream interest from development and operations teams. Unlike virtual machines, containers running on the same host share the underlying OS kernel. As such, a malicious container can influence the execution of other containers through the common kernel by either exploiting a kernel vulnerability or simply leveraging the privileges of the compromised container.

    In this talk we describe an approach to harden and isolate containerized applications via system call profiling. We show that one can develop accurate system call profiles via static analysis of the container images and knowledge of the host system. Using this profile at runtime, one can monitor for and protect against malicious behavior that deviates from the profile. We show that one can build these profiles automatically by analyzing information within the container image and Dockerfiles. We show that runtime profiling and monitoring adds approximately 5-8% performance overhead for running applications. We demonstrate system call profiling on a sample micro-service application and show that it is a non-intrusive and effective method to detect behavioral anomalies with low false positives.
  • Dangers of DevOps Monotheism
    Dangers of DevOps Monotheism Jim Manico, Founder, Manicode Security Recorded: Oct 27 2016 33 mins
    The DevOps gods rule the AppSec universe. However, like any form of human worship of divine entities, that worship is often flawed due to the limits of man compared to the perfection of divinity. This was first noted by Plato during his discussion of Platonic Forms, one of the fundamental concepts that drove the philosophy behind western religion and divinity. While acknowledging many of the great things that DevOps has brought to software development and application security, there are giant pitfalls for those who put all of their faith in this man-made construct. This talk will focus on the many challenges DevOps worshipers and implementors will face and what you can do to prepare for and convert those gaps into opportunities for excellence and a piece of divinity in this human existence. You may even learn a tiny bit about philosophy along the way.