I gave this talk during the first Infosec meetup in Kraków/Poland on 13th March 2014. After viewing this presentation you'll know how and why you should use SELinux (or other LSMs).
Is Red Hat / Fedora / CentOS ready for lightweight Docker containers? Is Docker secure enough? How about SELinux? How could we deploy JBoss or Django within Docker / RHEL?
I gave this talk at the DevOps meetup in Kraków on 2014-02-26.
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Anne Nicolas
This talk walks through the differences between the models that make up the Linux kernel's security modules.
An introduction to the implementation is presented so that attendees understand how to develop a security module.
Practical Approaches to Container Security
Shea Stewart
This presentation was a discussion of how the introduction of container technology should be addressed with regard to security. It focuses on setting expectations that can achieve success when rolling out a new platform in enterprise environments.
This document discusses container security. It outlines the advantages and disadvantages of containers, including their small footprint, fast provisioning time, and ability to enable effective microservices. However, containers also pose security risks like reduced isolation and potential for cross-container attacks. The document then examines different approaches to container security, including host-based methods using namespaces, control groups, and Linux Security Modules, as well as container-based scanning and third-party security offerings. It provides examples of configuring security controls and evaluating containers for vulnerabilities.
This document discusses secrets management in containers and recommends solutions like Kubernetes Secrets, Docker Swarm Secrets, DC/OS Secrets, Keywhiz, and Hashicorp Vault. It highlights Hashicorp Vault's purpose-built focus on secrets, key rolling capabilities, comprehensive access control, expiration policies, and extensibility. The document then provides a case study of Aqua Security's integration with Hashicorp Vault, which allows for central secret management without persisting secrets to disk, secured communications, control over user/group secret access, usage tracking, and runtime secret rotation/revocation without container restarts.
This document provides an overview of Security Enhanced Linux (SELinux). It discusses what SELinux is, how it implements mandatory access control on Linux systems, and some basic SELinux concepts like types, users, roles, and the policy. It also covers installing SELinux on CentOS 7 and checking the mode.
Rancher and Kubernetes power the majority of modern applications in production. But the automation chain that lets you ship code with peace of mind starts much further upstream, thanks to open source tooling.
On the agenda:
- Commit Code: with GitLab and collaboration tools
- Build Image: ever more reliability with SLE Base Container Images
- Store in Registry: archiving and vulnerability scanning with Harbor
- Test & Go: continuous delivery with the GitOps mode and Rancher Fleet
A (fun!) Comparison of Docker Vulnerability Scanners
John Kinsella
The document is an introduction to a talk on information security scanning and vulnerability management. It provides biographical information about the speaker, an overview of the topics to be covered including scanning tools and minimizing vulnerabilities in container images. It also includes examples of security product logos and discusses challenges in assessing vulnerabilities across image layers and databases tailored to specific operating systems.
This document discusses using Kubernetes and Vault together to manage secrets. It summarizes that Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications, while Vault provides a single source for secrets, access via API and CLI, leasing and renewal of secrets, auditing, access control lists, and secure secret storage. It notes that while Kubernetes has native secrets functionality, Vault is useful for separately managing secrets from applications for improved security and process. An example is provided of using Vault to fetch and renew SSL certificates for a MongoDB deployment in Kubernetes.
How to use SELINUX (No I don't mean turn it off)
Chuck Reeves
Why do we turn off NSA-grade security features? Well, early on, SELINUX was complex and confusing. However, the pains of dealing with SELINUX are long gone. In fact, the tools for working with SELINUX have improved so much that anyone can configure the security layer. Even one bad chmod on a server can leave you vulnerable. However, when SELINUX is running, rogue processes will be prevented from wreaking havoc. You'll learn how easy it is to use SELINUX and how (with little effort) you can configure and troubleshoot this amazing security feature. Stop leaving gaps in your infrastructure and turn it back on.
This document discusses parsing and customizing Nessus vulnerability scan reports. It provides an overview of different Nessus report formats, demonstrates opening reports in Excel, and shares PHP code for parsing Nessus XML reports and extracting key fields. The document also discusses building a database to store scan results, developing customized reports, and identifying false positives and common vulnerabilities. It aims to provide a framework for integrating Nessus data into existing security tools and inventory systems.
Vulnerability Exploitation in Docker Container Environments
FlawCheck
Docker container environments face security risks from vulnerabilities and malware. While containers isolate processes, compromised web applications could still exfiltrate data. Many pre-built containers from Docker Hub contain known vulnerabilities, as Docker does not inspect images for security. Enterprises have been slow to adopt containers due to these cybersecurity concerns over vulnerabilities, malware, and lack of policy enforcement and auditability within containers.
This document provides an agenda and instructions for a Cisco Cloud Networking Workshop. The agenda includes demonstrations of the Cisco Meraki dashboard, MX security appliances, MS switches, MR wireless access points, and SM device management. Attendees are given instructions to log into the Meraki dashboard for a hands-on lab exploring configuration of MX firewalls, MS switches, wireless SSIDs on MR access points, and network policies. The document also provides overviews of Cisco Meraki's cloud-managed networking portfolio and features for network security, management, and device mobility.
Docker containers are the most popular containerisation technology. Used properly, they can increase the level of security (compared to running the application directly on the host). On the other hand, some misconfigurations can lower the level of security or even introduce new vulnerabilities.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015
Chris Gates
This document summarizes a talk given on DevOps infrastructure security. It discusses how various DevOps tools like GitHub, Jenkins, AWS config files, Chef, and in-memory databases like Redis and Memcache can expose sensitive information if not properly secured. Specific issues covered include exposed Git repositories, weak default credentials, plaintext storage of secrets, and lack of authentication. The document provides recommendations on securing these tools such as enabling authentication, upgrading versions, and segmenting tools from public access.
This "mini" version of my CSA Congress talk about building a secure cloud was given at the San Francisco Cloud Security Meetup in November, 2011.
I got some great feedback while giving this talk, and will be applying it to an updated version of this deck which will be released during the CSA Congress, November 15th and 16th 2011.
The SELinux Notebook: The Foundations - Vol 1
Eliel Prado
This document provides copyright information and revision history for "The SELinux Notebook - The Foundations". It contains information on the author, logo designer, and abbreviations used. The document provides an index of contents for the notebook.
This document presents an unusual portfolio that represents the author's creative thinking through drawings. Most portfolios synthetically represent a career path, but the author's path was different as their passion for art and design has remained constant. This portfolio closely reflects the author's creative thinking process which they will never stop. It contains drawings.
Start With Strengths - Canadian Association of Principals 2015
Chris Wejr
Workshop facilitated at the 2015 Canadian Association of Principals conference in Whistler, BC.
This session focused on the WHY of strength-based education and how using this lens can change the stories of students. It also included discussions and ideas on how to determine the strengths of our students as well as ways to bring the strengths of our students into our schools.
The New UI - Staying Strong with Flexbox, SASS, and {{Mustache.js}}
Eric Carlisle
The document discusses a presentation on using Flexbox, SASS, and Mustache templating for building user interfaces. The presentation covers general best practices, using SASS for variables, nesting, mixins and extends, Flexbox for responsive design, and Mustache templating. The presenter is Eric Carlisle, a UI/UX architect who will demonstrate coding techniques with these tools.
Project Petersburg: An Xbox Kinect Ballet Videogame Proposal
John Scott Tynes
In 2012 I wrote this proposal for an Xbox Kinect videogame intended for grade-school girls. The project went nowhere but has always remained a personal favorite. If anyone wants to use these ideas, go for it!
First-time users, longtime strategies: Why Parkinson’s Law is making you less...
Rosenfeld Media
Fredrik Matheson: "First-time users, longtime strategies: Why Parkinson’s Law is making you less effective at work – and how to design a fix."
Enterprise UX 2016 • June 8, 2016 • San Antonio, TX, USA
http://2016.enterpriseux.net
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
Lightning Talk #11: Designer spaces by Alastair Simpson
ux singapore
You can’t take creative people, stick them in sterile, lowest-cost-per-square-foot spaces, and expect them to achieve the best work of their lives. Atlassian has been focussing heavily on the design of their work spaces, to create flexible, engaging, delightful, and, yes, productive places for their teams to work in.
Hear Alastair Simpson from Atlassian talk about the creative spaces they’ve designed that have scaled with the changing needs of their teams and what they’ve learned about the benefits of creating better environments through thoughtful design.
16 Reasons Why You Need to Address Payment Security
Cognizant
Card fraud and data breaches cost organizations a pretty penny. Moreover, customers refrain from doing business with retailers that have been victimized by data breaches or fraud. The damage to organizations’ reputations and brand value can be very difficult to repair. We surveyed 509 U.S. consumers, 50 issuers and 52 merchants and acquirers to understand the steps they are taking to keep up with fraudsters’ increasing sophistication.
http://cogniz.at/29ZtpXZ
Deck from the Sketchnotes-SF meetup in April at Neo [http://neo.com/]. We practiced people, scenarios and faces. We started with a quick warm-up, then jumped into rapid practice, sketching from word prompts and photo prompts. We shared work at a collaborative critique and learned a lot from each other. The evening wrapped up with links to resources to explore.
Details on the meetup at: http://www.meetup.com/Sketchnotes-SF/events/221860010/
Ballet legend Maya Plisetskaya is collaborating with Forgrace Golfinger Productions. Plisetskaya is one of the greatest ballet dancers of the 20th century and is still performing at age 85. The collaboration will celebrate Plisetskaya's illustrious career through a new production.
The document discusses acids and alkalis. It defines alkalis as bases with a pH over 7 and describes their characteristics as soluble in water, slippery feeling, and ability to cause chemical burns. Alkalis are formed from group 1 and 2 metals and are often hydroxides. Acids are defined as having a pH under 7, sour taste, and containing hydrogen and an oxide. Most acids are hydrogen compounds. When acids and alkalis are mixed, a neutralization reaction occurs where they cancel each other out, forming a salt and water. Carbonates react with acids in the same way, forming a salt, water, and releasing carbon dioxide.
This document discusses getting apps ready for the Salesforce Lightning Experience. It announces a goal of getting all apps lightning ready by February 2017. It defines what it means for an app to be lightning ready, noting the single requirement is that 100% of end-user use cases must work in Lightning Experience. Resources are provided for getting started on becoming lightning ready, including re-styling the app or building it with Lightning Components. A lightning product roadmap is also presented, outlining features coming in Winter and Spring 2017 releases like customizing record home pages, kanban views on all objects, and improved developer tools.
- Lighter metals like sodium, potassium, and calcium react vigorously with acids, while heavier metals like magnesium, aluminum, zinc, and lead react more slowly.
- Dilute acids are weaker as they are mixed with water, while concentrated acids are strong and pure.
- Most reactions of metals with dilute acids are single replacement reactions where the metal replaces hydrogen in the acid, producing hydrogen gas.
- Reactions of metals with concentrated acids can involve both single replacement and decomposition reactions.
- Lighter metals like sodium react vigorously with cold water, producing hydroxides and hydrogen gas, while their reaction with steam produces metal oxides and hydrogen gas.
The document provides information about the euro currency and the European monetary union in 3 paragraphs:
1) The euro is the official currency of the European Union and is used by 19 of its member states. It was introduced in 1999 and adopted in 2002 to increase economic integration and stability across the EU.
2) The Maastricht Treaty led to the creation of the euro and outlined convergence criteria for EU members to qualify for the eurozone. The European Central Bank was established to implement monetary policy for the eurozone.
3) Implementing the euro involved complex financial and economic changes across many markets and sectors. Member states transitioned from national currencies to the euro at different speeds, while ensuring contracts and obligations were
Throughout the semester, the advanced English class completed three projects, each with their own challenge and purpose. The first project was an autobiography where students shared their lives with classmates. The second was creating a news program combining videos. The third involved presenting the musical High School Musical for children.
This document contains a list of various tools related to terminals, privacy, communication, productivity, and mobile topics. It discusses terminal emulators like guake and iterm2, VPN services like OpenVPN, messaging clients like IRC and XMPP, note taking apps like Evernote and Geeknote, and more. It concludes by inviting questions about any of the topics mentioned.
Do Real Company Stuff - Mozcon 2012 Version
Wil Reynolds
http://www.seerinteractive.com - As SEOs, it's time we lived up to a higher standard. This presentation is not about Link Juice or Do Follow blogs; it's about what we should aspire to be. Now let's go DO THAT!
Johannes Segitz from SUSE introduced SELinux and provided an overview of its basic concepts and components. The presentation covered installing and configuring SELinux on openSUSE Tumbleweed, including setting the SELinux mode to enforcing. Attendees were instructed to mislabel files to cause SELinux denials and shown how to use tools like audit2allow, sestatus, and restorecon to debug issues.
Orchestrating docker containers at scale (PJUG edition)
Maciej Lasyk
Slightly changed version (original is here http://www.slideshare.net/d0cent/orchestrating-docker-containersatscale). This version was presented during Polish Java User Group meetup JavaCamp#13 in Kraków / Poland.
Lukas Macura - Employing Zabbix to monitor OpenWrt (Beesip) devices with Uciprov
Zabbix
Beesip (Bright Efficient Embedded Solution for IP Telephony) is a platform based on OpenWrt, primarily made for IP telephony purposes. The aim of the project is the development and implementation of an embedded SIP communication server with easy integration into the computer network, based on open-source solutions. Beesip uses uciprov for remote management and provisioning. Next to this, it uses Zabbix for inventory and monitoring, utilizing auto-discovery and auto-registration. Even though it is used primarily for IP telephony, it is common to use the Beesip build system for other purposes like monitoring probe distribution or Eduroam AP management. The talk will be practically oriented, showing the possibilities of provisioning and auto inventory in the OpenWrt world.
Zabbix Conference 2015
Orchestrating Docker containers at scale
Maciej Lasyk
Many of us have already poked around Docker. Let's recap what we know and then think about what we know about scaling Docker-based apps and whole environments. Should we PaaS, IaaS or go with bare metal? Which tools should we use at a given scale?
Lxc – next gen virtualization for cloud intro (cloudexpo)
Boden Russell
This document provides an introduction and overview of Linux containers as next-generation virtualization for cloud computing. It discusses how Linux containers provide better performance and flexibility than traditional virtual machines through the use of cgroups and namespaces. It also covers how containerization is gaining industry momentum and provides lower total cost of ownership through integration with modern Linux kernels and open source tooling. Finally, it defines key Linux container technologies, compares containers to hypervisors, and discusses building and securing Linux containers.
SELinux provides mandatory access control to containers and isolates privileged containers to prevent container breakouts and attacks between containers. Udica is a tool that generates customized SELinux security profiles for containers to allow necessary access while still providing isolation between the container and host and between containers. It does this by combining rules from template policy blocks based on the container configuration to produce a new targeted policy type.
Secure development on Kubernetes by Andreas Falk
SBA Research
"Secure development on Kubernetes"
With the rise of Kubernetes, the Java developer has arrived in the DevOps age as well. Amid the multitude of complex tasks, the necessary security is often neglected. Even in managed clusters of well-known cloud providers, there are many traps and points of attack lurking.
In this presentation, essential security-critical components of a Kubernetes cluster will be presented. Security problems and corresponding measures to mitigate them will be shown. All steps are described using live demos with an exemplary Spring Boot Java application that is deployed as a Docker container in a Kubernetes cluster, taking into account recommended security patterns.
Speaker:
Andreas Falk, Novatec Consulting
Talk language: English
About the Speaker:
*********************
Andreas Falk has been working in enterprise application development projects for more than twenty years. Currently, he is working as a managing consultant for Novatec Consulting located in Germany.
In various projects, he has since been around as consultant, architect, coach, developer, and tester. His focus is on the agile development of cloud-native enterprise java applications using the complete Spring platform. As a member of the Open Web Application Security Project (OWASP), he likes to have a closer look at all aspects of application security as well. Andreas is also a frequent speaker at conferences like Spring I/O, CloudFoundry Summit, Devoxx, and OWASP AppSec.
Containerizing your Security Operations Center
Jimmy Mesta
AppSec USA 2016 talk on using containers and Kubernetes to manage a variety of security tools. Includes best practices for securing Kubernetes implementations.
This document provides an overview of security features in UNIX and Linux operating systems. It discusses permissions, access control lists, mandatory access control, password hashing, system patching, sandboxing users and services, and other security concepts. The document aims to educate readers on basic and advanced security techniques available in UNIX/Linux to protect systems from threats.
This document discusses SE-PostgreSQL, which enables controlling access to database objects using SELinux security policies. It aims to provide system-wide consistent access control across filesystems and databases. The architecture hooks into PostgreSQL to allow SELinux plugins to make access control decisions. It introduces a pg_seclabel catalog and SECURITY LABEL statement. A demonstration shows how SE-PostgreSQL works with SELinux policies to enforce access controls on database queries and objects. Future work includes improving security hook coverage and supporting additional PostgreSQL features.
The document discusses running existing software on Android by either running the binary directly on Android, rebuilding the software for Android, or running the Android system on an existing Linux environment. It provides examples of copying dependency libraries to run an existing binary on Android. It also discusses creating an Android.mk file or using a configure script to rebuild software for the Android environment. Finally, it outlines a process to run the entire Android system framework within a chroot on an Ubuntu Linux system on the target hardware.
Having worked with AKS for more than 3 months, I want to share my experience. I discuss the benefits of AKS and some issues you might have. K8S is damn close to a silver bullet in terms of simplicity to work with.
Linux Kernel Security: Adapting 1960s Technology to Meet 21st Century Threats
James Morris
Unix was not designed with security primarily in mind. It was initially developed in the late 1960s -- before the Internet was invented. While relatively simple, the Unix security model is inadequate for protecting against common security threats. Its designers identified fundamental design flaws over thirty years ago. As Linux is modeled on Unix, it inherits this traditional Unix security model. Meeting modern security requirements has required significant enhancements to Linux, which are ongoing, but well-advanced. While many new security ideas have emerged, Linux developers have necessarily been constrained by decades of operating system standards and conventions. Aimed at admins, developers and technical managers, the talk will cover:
* The historical context of Linux security
* Modern security OS requirements
* How these requirements are being addressed (or not) by various enhancements made to Linux security
* Areas of ongoing and future work. We'll also consider how FOSS culture contributes to security.
Container Security: How We Got Here and Where We're Going
Phil Estes
A talk given on Wednesday, Nov. 16th at DefragCon (DefragX) on a historical perspective on container security with a look to where we're going in the future.
This document provides information about installing and configuring MySQL database. It discusses installing MySQL on Linux/UNIX and Windows platforms. It also covers adding users and granting privileges in MySQL, basic security guidelines for MySQL including securing connections, and troubleshooting common installation issues. Key topics include the GRANT command for adding users, common privilege types like SELECT, INSERT, and UPDATE, and the two-step authentication process in MySQL.
How to integrate modern containers into classical system monitoring. This covers both LXC (system containers) and Docker/Kubernetes (application) containers.
It starts with a brief introduction to the world of containers and then uses two examples (check_lxc and check_rancher2) to show how to monitor the two types of containers.
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great at reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security, small, immutable, single process and purpose.
In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
The document outlines the steps to install various DevOps tools like AWS IAM, AWS CLI, EKSCTL, KUBECTL, Helm, Jenkins, Loki, Prometheus and Grafana on an EKS cluster. It includes creating an IAM user, configuring AWS CLI, installing EKSCTL to create an EKS cluster, installing KUBECTL to connect to the cluster, installing Helm for package management, deploying Jenkins using Helm charts, installing Loki and Grafana for log management and visualisation, and installing Prometheus for metrics collection and Grafana for visualisation.
This document discusses the history and development of Docker. It notes that Docker was originally created at dotCloud as the engine for their Platform as a Service (PaaS), but in 2013 as PaaS times were hard, Docker was open sourced. Docker was based on LXC and created for a single purpose. dotCloud then pivoted to create Docker Inc. and make Docker their main product. The document also discusses Docker 1.11's integration with runC and systemd, as well as the transition to using the Open Container Initiative specification.
Programming AWS with the CLI, boto, Ansible and libcloud
Maciej Lasyk
The document describes a session that demonstrates how to program AWS using the AWS CLI, Boto, and Ansible. It provides an agenda for the session that includes a short AWS introduction, demonstrations of the AWS console, AWS CLI, AWS shell, Boto library, Ansible configuration management tool, and Libcloud library. Contact information is also provided for learning more about AWS programming and joining the training organization.
Under the Dome (of failure driven pipeline)
Maciej Lasyk
The document discusses various topics related to DevOps including:
1. Different types of shells (login, non-login, interactive, non-interactive, su, sudo su, sudo -i, sudo /bin/bash, sudo -s) and how they affect environment variables and profile files.
2. Stories of organizational "anti-types" that go against DevOps principles like not seeing the need for operations teams.
3. How automation, consistency, and reducing errors leads to stable environments and less unplanned work, allowing teams to focus on delivery.
This document discusses integrating security into DevOps practices through continuous delivery. It proposes including security automation and monitoring at each stage of the software development pipeline from development through production. Specific techniques mentioned include performing continuous security scanning, integrating security testing with other testing stages, automating security tasks using tools like Ansible, and sharing security data and lessons learned across teams to improve processes over time. The overall message is that security should be built into delivery rather than treated separately to avoid slowing software releases while still maintaining quality.
High Availability (HA) Explained - second edition
Maciej Lasyk
I gave this talk at one of the biggest Linux conferences in Poland: 11 Linux Session, which took place in Wrocław on 5/6-04-2014. It was a lightning talk covering the subject of High Availability solutions, architecture, planning and deploying.
How could one create a very sophisticated, open-source-based monitoring solution that is very scalable and easy to deploy?
I gave this talk during one of the biggest Linux conferences in Poland: 11 Linux Session, which took place in Wrocław on 5/6-04-2013.
I gave this talk at the Kraków/Poland DevOps meetup. It was a lightning talk covering the subject of High Availability solutions, architecture, planning and deploying.
How to run a system administrator recruitment process? By creating a platform based on open source parts in just 2 nights! I gave this talk at the Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create a recruitment process in a CTF / challenge way.
This story covers mostly the security details of this whole platform. There's a great chance that I will give another talk about this system, but this time focusing on technical details. Stay tuned ;)
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
GDG Cloud Southlake #34: Neatsun Ziv: Automating Appsec
James Anderson
The lecture titled "Automating AppSec" delves into the critical challenges associated with manual application security (AppSec) processes and outlines strategic approaches for incorporating automation to enhance efficiency, accuracy, and scalability. The lecture is structured to highlight the inherent difficulties in traditional AppSec practices, emphasizing the labor-intensive triage of issues, the complexity of identifying responsible owners for security flaws, and the challenges of implementing security checks within CI/CD pipelines. Furthermore, it provides actionable insights on automating these processes to not only mitigate these pains but also to enable a more proactive and scalable security posture within development cycles.
The Pains of Manual AppSec:
This section will explore the time-consuming and error-prone nature of manually triaging security issues, including the difficulty of prioritizing vulnerabilities based on their actual risk to the organization. It will also discuss the challenges in determining ownership for remediation tasks, a process often complicated by cross-functional teams and microservices architectures. Additionally, the inefficiencies of manual checks within CI/CD gates will be examined, highlighting how they can delay deployments and introduce security risks.
Automating CI/CD Gates:
Here, the focus shifts to the automation of security within the CI/CD pipelines. The lecture will cover methods to seamlessly integrate security tools that automatically scan for vulnerabilities as part of the build process, thereby ensuring that security is a core component of the development lifecycle. Strategies for configuring automated gates that can block or flag builds based on the severity of detected issues will be discussed, ensuring that only secure code progresses through the pipeline.
Triaging Issues with Automation:
This segment addresses how automation can be leveraged to intelligently triage and prioritize security issues. It will cover technologies and methodologies for automatically assessing the context and potential impact of vulnerabilities, facilitating quicker and more accurate decision-making. The use of automated alerting and reporting mechanisms to ensure the right stakeholders are informed in a timely manner will also be discussed.
Identifying Ownership Automatically:
Automating the process of identifying who owns the responsibility for fixing specific security issues is critical for efficient remediation. This part of the lecture will explore tools and practices for mapping vulnerabilities to code owners, leveraging version control and project management tools.
Three Tips to Scale the Shift Left Program:
Finally, the lecture will offer three practical tips for organizations looking to scale their Shift Left security programs. These will include recommendations on fostering a security culture within development teams, employing DevSecOps principles to integrate security throughout the development
How to Avoid Learning the Linux-Kernel Memory ModelScyllaDB
The Linux-kernel memory model (LKMM) is a powerful tool for developing highly concurrent Linux-kernel code, but it also has a steep learning curve. Wouldn't it be great to get most of LKMM's benefits without the learning curve?
This talk will describe how to do exactly that by using the standard Linux-kernel APIs (locking, reference counting, RCU) along with a simple rules of thumb, thus gaining most of LKMM's power with less learning. And the full LKMM is always there when you need it!
Interaction Latency: Square's User-Centric Mobile Performance MetricScyllaDB
Mobile performance metrics often take inspiration from the backend world and measure resource usage (CPU usage, memory usage, etc) and workload durations (how long a piece of code takes to run).
However, mobile apps are used by humans and the app performance directly impacts their experience, so we should primarily track user-centric mobile performance metrics. Following the lead of tech giants, the mobile industry at large is now adopting the tracking of app launch time and smoothness (jank during motion).
At Square, our customers spend most of their time in the app long after it's launched, and they don't scroll much, so app launch time and smoothness aren't critical metrics. What should we track instead?
This talk will introduce you to Interaction Latency, a user-centric mobile performance metric inspired from the Web Vital metric Interaction to Next Paint"" (web.dev/inp). We'll go over why apps need to track this, how to properly implement its tracking (it's tricky!), how to aggregate this metric and what thresholds you should target.
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.
How RPA Help in the Transportation and Logistics Industry.pptxSynapseIndia
Revolutionize your transportation processes with our cutting-edge RPA software. Automate repetitive tasks, reduce costs, and enhance efficiency in the logistics sector with our advanced solutions.
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsLinda Zhang
This brochure gives introduction of MYIR Electronics company and MYIR's products and services.
MYIR Electronics Limited (MYIR for short), established in 2011, is a global provider of embedded System-On-Modules (SOMs) and
comprehensive solutions based on various architectures such as ARM, FPGA, RISC-V, and AI. We cater to customers' needs for large-scale production, offering customized design, industry-specific application solutions, and one-stop OEM services.
MYIR, recognized as a national high-tech enterprise, is also listed among the "Specialized
and Special new" Enterprises in Shenzhen, China. Our core belief is that "Our success stems from our customers' success" and embraces the philosophy
of "Make Your Idea Real, then My Idea Realizing!"
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/07/intels-approach-to-operationalizing-ai-in-the-manufacturing-sector-a-presentation-from-intel/
Tara Thimmanaik, AI Systems and Solutions Architect at Intel, presents the “Intel’s Approach to Operationalizing AI in the Manufacturing Sector,” tutorial at the May 2024 Embedded Vision Summit.
AI at the edge is powering a revolution in industrial IoT, from real-time processing and analytics that drive greater efficiency and learning to predictive maintenance. Intel is focused on developing tools and assets to help domain experts operationalize AI-based solutions in their fields of expertise.
In this talk, Thimmanaik explains how Intel’s software platforms simplify labor-intensive data upload, labeling, training, model optimization and retraining tasks. She shows how domain experts can quickly build vision models for a wide range of processes—detecting defective parts on a production line, reducing downtime on the factory floor, automating inventory management and other digitization and automation projects. And she introduces Intel-provided edge computing assets that empower faster localized insights and decisions, improving labor productivity through easy-to-use AI tools that democratize AI.
Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threatsanupriti
In the rapidly evolving landscape of blockchain technology, the advent of quantum computing poses unprecedented challenges to traditional cryptographic methods. As quantum computing capabilities advance, the vulnerabilities of current cryptographic standards become increasingly apparent.
This presentation, "Navigating Post-Quantum Blockchain: Resilient Cryptography in Quantum Threats," explores the intersection of blockchain technology and quantum computing. It delves into the urgent need for resilient cryptographic solutions that can withstand the computational power of quantum adversaries.
Key topics covered include:
An overview of quantum computing and its implications for blockchain security.
Current cryptographic standards and their vulnerabilities in the face of quantum threats.
Emerging post-quantum cryptographic algorithms and their applicability to blockchain systems.
Case studies and real-world implications of quantum-resistant blockchain implementations.
Strategies for integrating post-quantum cryptography into existing blockchain frameworks.
Join us as we navigate the complexities of securing blockchain networks in a quantum-enabled future. Gain insights into the latest advancements and best practices for safeguarding data integrity and privacy in the era of quantum threats.
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
AI_dev Europe 2024 - From OpenAI to Opensource AIRaphaël Semeteys
Navigating Between Commercial Ownership and Collaborative Openness
This presentation explores the evolution of generative AI, highlighting the trajectories of various models such as GPT-4, and examining the dynamics between commercial interests and the ethics of open collaboration. We offer an in-depth analysis of the levels of openness of different language models, assessing various components and aspects, and exploring how the (de)centralization of computing power and technology could shape the future of AI research and development. Additionally, we explore concrete examples like LLaMA and its descendants, as well as other open and collaborative projects, which illustrate the diversity and creativity in the field, while navigating the complex waters of intellectual property and licensing.
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
How Netflix Builds High Performance Applications at Global ScaleScyllaDB
We all want to build applications that are blazingly fast. We also want to scale them to users all over the world. Can the two happen together? Can users in the slowest of environments also get a fast experience? Learn how we do this at Netflix: how we understand every user's needs and preferences and build high performance applications that work for every user, every time.
Data Protection in a Connected World: Sovereignty and Cyber Securityanupriti
Delve into the critical intersection of data sovereignty and cyber security in this presentation. Explore unconventional cyber threat vectors and strategies to safeguard data integrity and sovereignty in an increasingly interconnected world. Gain insights into emerging threats and proactive defense measures essential for modern digital ecosystems.
In this follow-up session on knowledge and prompt engineering, we will explore structured prompting, chain of thought prompting, iterative prompting, prompt optimization, emotional language prompts, and the inclusion of user signals and industry-specific data to enhance LLM performance.
Join EIS Founder & CEO Seth Earley and special guest Nick Usborne, Copywriter, Trainer, and Speaker, as they delve into these methodologies to improve AI-driven knowledge processes for employees and customers alike.
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
1. Maciej Lasyk, Stop Disabling SELinux
Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
1/32
Stop Disabling SELinux
2. Maciej Lasyk, High Availability Explained
Does security matter?
● Business value and security
● Does the stock price change after a security failure?
● Apps or env? Which one should be 'secure'?
Maciej Lasyk, Stop Disabling SELinux 2/32
3. What does security look like?
(diagram: App, Env)
4. What does security look like?
5. What does security look like?
Security is based on layers!
- Network
- OS
- App / DB
- Hardware
- LSM
- Maybe virt-sec?
6. What does security look like?
Such security.. Very fortress!!1 WOW :)
7. SELinux – what?
● Think about it as an internal firewall
● Guarding procs, files, users
● Users don't manage security, admin does
8. SELinux – short history recap
- 2000: NSA, GPL
- 2001: Linux Kernel Summit, NSA vs Linus, LSM announced (SELinux, AppArmor, Smack, and TOMOYO Linux)
- 2003: merge with mainline kernel 2.6.0-test3
- RHEL4
- Ubuntu LTS 8.04 Hardy Heron & rest (even Novell)
9. SELinux – use cases
- hosting multiple services on one box / VPS
- virtualization host (imagine containers)
  - libvirt-sandbox FTW!
- any apps that are not secure or security-aware
  - SELinux sandbox
- root access for anyone :)
  - DBAs, devs - whatever :)
  - try it yourself: http://www.coker.com.au/selinux/play.html
- Gentoo Hardened: https://wiki.gentoo.org/wiki/Project:Hardened
- Desktops (yes!)
10. SELinux – how does it work?
syscalls work like interfaces for accessing some resources
11. SELinux – how does it work?
12. SELinux – how does it work?
DAC
MAC
The upstream kernel has been fixed to perform the mmap_zero MAC check AFTER DAC (2014-03-05, http://danwalsh.livejournal.com/69035.html)
13. SELinux – how does it work?
14. SELinux – performance
- http://www.nsa.gov/research/_files/selinux/papers/freenix01/node18.shtml#sec:perf:macro
Just test it yourself: git://git.selinuxproject.org/~serge/selinux-testsuite
avcstat after 10h uptime: hit ratio 99.94%! (57 million lookups)
15. SELinux – learning curve
16. SELinux – installation
apt-get install selinux-basics selinux-policy-default auditd
Gentoo is, like always, a little complicated: emerge hardened-sources
EC2? yum install libselinux* selinux-policy* policycoreutils
RHEL / CentOS / Fedora is ready
17. SELinux – need assistance?
- IRC: freenode, #selinux
- Mailing list: selinux@lists.fedoraproject.org
- URLs:
  - http://stopdisablingselinux.com/
  - http://www.nsa.gov/research/selinux/faqs.shtml
  - https://fedoraproject.org/wiki/SELinux
- Books?
  - SELinux System Administration, Sven Vermeulen, 2013, ISBN-10: 1783283173 ($15)
  - SELinux by Example: Using Security Enhanced Linux, Frank Mayer, Karl MacMillan, David Caplan, 2006, ISBN-10: 0131963694
18. SELinux and Android
- from 4.3 – permissive
- from 4.4 – enforcing
- Will help us with BYOD :)
- No setuid/setgid programs (4.3)
http://selinuxproject.org/page/SEAndroid
http://source.android.com/devices/tech/security/se-linux.html
19. libvirt-sandbox!
- Currently RPM based (but could build from sources)
- Sandboxes for LXC / Qemu / KVM
- Rather with systemd
- virt-sandbox -c lxc:/// /bin/sh
- virt-sandbox-service create ... httpd.service myhttpd
- systemctl start myhttpd_sandbox.service
20. libvirt-sandbox!
- The libvirt guest is created when the virt-sandbox command starts
- The libvirt guest is automatically deleted when the virt-sandbox command completes, or dies from a signal
- The sandboxed command sees a read-only view of the entire host filesystem
- Specific areas can be made writable by mapping in an alternative host directory
- There is no network access inside the sandbox by default
- Virtual network interfaces can be associated with libvirt virtual networks
- The stdin/stdout/stderr file handles of the sandbox command will be connected to the controlling terminal.
21. So what about other LSMs?
http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html
22. So what about other LSMs?
- AppArmor identifies file system objects by path name instead of inode
- There is no notion of multi-level security with AppArmor
- AppArmor uses a rather flat, file-based configuration
- SELinux supports the concept of a "remote policy server"
- There is no AppArmor or grsec in Android :)
23. SELinux primer
stopdisablingselinux.com
or
http://opensource.com/business/13/11/selinux-policy-guide
24. SELinux primer
Everyone gets a label!
25. SELinux primer
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;
26. SELinux primer
AVC (Access Vector Cache)
27. SELinux primer
AVC (Access Vector Cache)
28. SELinux primer
In real world...
process: httpd_t
files under Apache: httpd_sys_content_t
database data: mysqld_data_t
A hacked Apache process cannot access mysqld files!
29. SELinux primer
Can the same type of process be confined differently?
30. SELinux primer
Yes! With MCS enforcement!
31. SELinux primer
In real world...
2 processes: httpd_t
files under httpd: httpd_sys_content_t
So how to deny files to different instances of httpd_t?
With MCS labels like s0:c1,c2 ; s0:c3,c4 etc.
s0, s1, s2 – sensitivity levels
c1, c2, c3... – categories (up to 255)
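The two checks the primer slides walk through (the `allow` rule on slide 25, the httpd_t / mysqld_data_t separation on slide 28, and the MCS category labels on slide 31) can be modelled in a few lines. This is an added example, not code from the talk or from libselinux: it parses constructed toy `allow` rules plus full contexts and decides access the way the slides describe, requiring both a Type Enforcement rule and MCS dominance (the subject must hold every category the object carries); the policy text and contexts are constructed for illustration.

```python
import re

# Constructed policy snippet in the style of the slides' allow rules.
# Toy Type Enforcement subset; not a real SELinux policy module.
POLICY = """
allow cat cat_chow:food eat;
allow dog dog_chow:food eat;
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow mysqld_t mysqld_data_t:file { read write getattr open };
"""

# allow <source_type> <target_type>:<class> <perm> | { perm perm ... } ;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+\{?\s*([\w\s]+?)\s*\}?\s*;")


def parse_policy(text):
    """Return {(source_type, target_type, class): {permissions}}."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules.setdefault((src, tgt, cls), set()).update(perms.split())
    return rules


def parse_level(level):
    """'s0:c1,c2' -> (0, {1, 2}); a range like 'c1.c3' expands to {1, 2, 3}."""
    sens, _, cats = level.partition(":")
    categories = set()
    for part in filter(None, cats.split(",")):
        low, _, high = part.partition(".")
        low_n = int(low[1:])
        high_n = int(high[1:]) if high else low_n
        categories.update(range(low_n, high_n + 1))
    return int(sens[1:]), categories


def parse_context(ctx):
    """'system_u:system_r:httpd_t:s0:c1,c2' -> ('httpd_t', 0, {1, 2})."""
    _user, _role, typ, level = ctx.split(":", 3)
    sens, cats = parse_level(level)
    return typ, sens, cats


def access_allowed(rules, subject_ctx, object_ctx, cls, perm):
    """Allow only if a TE rule grants the permission for the two types AND
    the subject's MCS level dominates the object's (same or higher
    sensitivity, and a superset of the object's categories)."""
    s_type, s_sens, s_cats = parse_context(subject_ctx)
    o_type, o_sens, o_cats = parse_context(object_ctx)
    te_ok = perm in rules.get((s_type, o_type, cls), set())
    mcs_ok = s_sens >= o_sens and o_cats <= s_cats
    return te_ok and mcs_ok


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    web = "system_u:system_r:httpd_t:s0:c1,c2"   # one httpd instance
    own = "system_u:object_r:httpd_sys_content_t:s0:c1,c2"
    other = "system_u:object_r:httpd_sys_content_t:s0:c3,c4"
    db = "system_u:object_r:mysqld_data_t:s0"
    print(access_allowed(rules, web, own, "file", "read"))    # True
    print(access_allowed(rules, web, other, "file", "read"))  # False: MCS denies
    print(access_allowed(rules, web, db, "file", "read"))     # False: no TE rule
```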
32. So remember..
Every time you run setenforce 0, you make Dan Walsh weep.
Dan is a nice guy and he certainly doesn't deserve that.
33. Stop Disabling SELinux
Maciej Lasyk
Kraków, InfoSec meetup #1
2014-03-12
http://maciek.lasyk.info/sysop
maciek@lasyk.info
@docent-net
Thank you :)