Welcome to
First Software Security Netherlands meet up
Delft, May 18, 2017
Sponsored by:
https://www.meetup.com/SoftwareSecurityNetherlands
Goal of this group
Make Software Security challenges visible
Collaborate and learn together about the practices across organizations that help them deliver secure software
Promote defensive programming strategies
Introductions
Name:
Role at work:
Work background:
How did you hear about the group / event?
How would you like to contribute to the group?
What are your expectations?
Today’s Agenda
What’s new in OWASP Top 10 2017?
Introduction to Docker Security
Web Security Automation Strategies / Open House
What’s new in OWASP Top 10
The OWASP Top 10 2017
... from the beginning of time: 2010, 2013, 2017
... to raise awareness about application security by identifying some of the most critical risks facing organizations
The Data for OWASP Top 10 2017
11 large datasets: 8 consulting companies, 3 product vendors
Vulnerabilities gathered from over 50,000 real world applications and APIs
Prioritized with exploitability, detectability, and impact
Still in beta stages, the Top 10 list presented here is highly subject to change based on community feedback
First Software Security Netherlands Meet Up - Delft - 18 May 2017
Additions, Deletions, and Merges
Added: 2017-A7: Insufficient Attack Protection; 2017-A10: Unprotected APIs
Removed: 2013-A10: Unvalidated Redirects and Forwards
Merged: 2013-A4: Insecure Direct Object References + 2013-A7: Missing Function Level Access Control → 2017-A4: Broken Access Control
Application Security Risks
2017 - A4 – Broken Access Control
Demo
2017 - A7 Insufficient Attack Protection
Demo
2017 - A10 Unprotected APIs
Case Study
2013 – A10 Unvalidated Redirects and Forwards
Case Study
:q!
Introduction to Docker Security
Docker – What is this containerization?
Docker – Challenges with downloading and installing software
Is there documentation? Tutorials? Inconsistent documents?
Where is it located? Do I need to run it with a different working directory?
How to start, stop?
Is it a service? Do I need to change configuration files?
Dependencies
Security
Shared library updates
Which platform?
Which Operating System?
Portable format?
Executable
Source code download and building it?
Diagram: the software stack, bottom to top: Hardware; Kernel, Drivers; Libraries (Win32); OS Applications (CMD, powershell); Applications (mysql, dotnet). The three layers above the kernel are drawn four times side by side over a single shared Hardware and Kernel, Drivers layer.
Isolation is approximately equal to security
Process isolation
Network Isolation
File System Isolation
Users Isolation
Registry Isolation
Environment Variables
Docker security – Isolation models
Linux isolation: namespaces
• http://man7.org/linux/man-pages/man7/namespaces.7.html
Isolation – Process
• Get-Process
Isolation – File System
• ls C:
Isolation – Network
• ipconfig
Isolation – Environment Variables
• ls env:
Isolation – Registry
• ls hkcu:
• Get-PSDrive
Isolation – Users and Groups
• Get-LocalUser
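The probes above are run by hand inside a container. As an added example (not part of the slides), the PowerShell script below turns them into a host-versus-container check: it plants markers on the Docker host and asks a running Windows container whether it can see them, one verdict per isolation boundary. The container name, the marker names and the environment variable SSNL_MARKER are assumptions of this example.

```powershell
param([string]$ContainerName = 'isolation-demo')   # placeholder: name of a running Windows container

function Invoke-InContainer([string]$Command) {
    # Run one PowerShell command inside the container and return its trimmed text output.
    ((docker exec $ContainerName powershell -NoProfile -Command $Command) -join ' ').Trim()
}

# Host-side markers that a properly isolated container must NOT be able to observe.
$marker = 'ssnl-' + [guid]::NewGuid().ToString('N').Substring(0, 8)
$env:SSNL_MARKER = $marker                                       # environment variable (assumed name)
New-Item -Path "C:\$marker.txt" -ItemType File -Force | Out-Null   # file system
New-Item -Path "HKCU:\Software\$marker" -Force | Out-Null          # registry (current-user hive)
$hostIPs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress | Where-Object { $_ -ne '127.0.0.1' }
$ipPattern = ($hostIPs | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Each probe is a command run INSIDE the container that prints True when the container
# can see the host-side artefact, i.e. when that isolation boundary has leaked.
# $PID, $marker, $ipPattern and $env:USERNAME expand on the host before being sent.
$probes = [ordered]@{
    'Process'     = "[bool](Get-Process -Id $PID -ErrorAction SilentlyContinue)"
    'File system' = "Test-Path 'C:\$marker.txt'"
    'Network'     = "[bool](((ipconfig) -join ' ') -match '$ipPattern')"
    'Environment' = "Test-Path env:SSNL_MARKER"
    'Registry'    = "Test-Path 'HKCU:\Software\$marker'"
    'Users'       = "[bool](Get-LocalUser -Name '$env:USERNAME' -ErrorAction SilentlyContinue)"
}

try {
    foreach ($name in $probes.Keys) {
        $result  = Invoke-InContainer $probes[$name]
        $verdict = switch ($result) {
            'True'  { 'LEAK: host artefact visible inside the container' }
            'False' { 'isolated' }
            # Anything else means the probe itself failed (e.g. the cmdlet is
            # missing in a nanoserver image); do not count that as isolated.
            default { "unknown (probe output: '$result')" }
        }
        '{0,-12} {1}' -f $name, $verdict
    }
}
finally {
    # Always remove the host-side markers again.
    Remove-Item -Path "C:\$marker.txt" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "HKCU:\Software\$marker" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path env:SSNL_MARKER -ErrorAction SilentlyContinue
}
```

Under Hyper-V isolation the container has its own kernel and PID space, so a coincidental PID match can show up as a Process "LEAK"; compare process names before drawing a conclusion.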
Scanning docker images for known vulnerabilities
https://dockerbench.com/