Security Testing Webinar Series

Florin is a Product Manager in the AppScan portfolio.

He previously worked as a pre sales engineer focusing on the AppScan portfolio and worked with customers from various industries and of various sizes.

He enjoys keeping up to speed with the latest technologies and try as many of them as I can. In his spare time you can find him playing computer games and breaking stuff.

As companies write more code and built more applications, there is more pressure on security teams to provide developers with the right tools that allow them to check for security issues. However, application security is more than just scanning. This session will discuss the other aspects of an application security program that can make you successful. We will explore topics such as measuring risk and identifying areas of focus, and how to utilize the data to plan for the future.

Aleksei is an expert in cybersecurity with experience in both the scientific, financial and commercial fields. He embarked on his career in a software development company as a security analyst, used to work in the banking and financial industries, and continued working in a specialized company and academic organizations. Aleksei specializes in penetration testing, digital forensics and technical audit. Candidate of Technical Sciences in Information Technology. Associate Professor of National Technical University of Ukraine » Igor Sikorsky Kyiv Polytechnic Institute». Certified trainer of recognized international cybersecurity certificates. Dean of Kyiv Cyber Academy.

Compliance testing: from requirement development to implementation

Общий опыт в тестировании больше 7 лет

• Занимаюсь поиском Веб уязвимостей больше 4 лет
• Спикер множественных конференций по тестированию
• В данный момент работаю в Evo.company, на проекте Prom+, в команде Core, которая занимается разработкой:
  — CMS для продавцов
  — Онлайн чатом покупатель-продавец
  — API, для тех кому нужно подключение к своей CRM системе
  — API для мобильных приложений на IOS и Android
• Провожу практические тренинги по тестированиею безопасности https://svyat.tech/OWASP-TOP-10-Training/
• Веду блог https://svyat.tech/

Думаю, вы сталкивались с проблемой, когда вам приходила таска на тестирования Uploader file. Вы долго собирали все форматы файлов, долго нарезали размеры этих файлов, долго искали файлы разных объемов. Я расскажу как можно протестировать это без боли, да и еще проведем тестирование на безопасность загрузчик файлов. Да-да, в загрузчике файлов присутствуют критические уязвимости, они остаются до сих пор недооцененной областью для тестирования безопасности. К нему можно отнести такие виды уязвимостей как:
— Injection
— XSS
— XXE
— SSRF
В своем докладе я расскажу, что надо делать, на что надо обращать внимание, а также покажу как с помощью плагина Upload Scanner и инструмента Burp Suite можно найти уязвимости в вашем Uploader file.

Alexander Adamov is the head of the research laboratory NioGuard Security Lab with more than 10 years of experience in the antivirus industry. He teaches 5 courses on cybersecurity at Kharkiv National University of Electronics and conducts research in the areas of malware analysis and AI applications in cybersecurity. He participated in the development of the EU cybersecurity master program within the Tempus project called ENGENSEC as well as trained the Cyberpolice of Ukraine.

We all use security solutions to protect our personal and corporate information against potential cyber threats. In this regard, the question arises how to choose the best one. To answer that question, we need to define the evaluation criteria and test the products against them. Here we come to comparative testing of security solutions. In the webinar, we’ll discuss: 1) the test types for security solutions; 2) the conflict of interests of the testing lab and vendors; 3) best practices in conducting comparative testing of security solutions.

Shawn is a application security consultant for the AppScan portfolio at HCL. He has worked as a consultant in the network security space for several years prior to moving to the application security space. He works with some of AppScan’s largest customers in all industries to help with deployment, strategic implementation, creating application security programs, automating processing, incorporating SAST and DAST into SDLC, and many more.

In his free time, he loves to travel!

We all have heard the term “Shifting Left” but when most people or companies start planning and implementing, they focus on SAST. It may seem more natural and easier to include SAST earlier in the SDLC but security as we all know it is a layered approach. So, shifting left should not only include SAST but DAST as well. We will talk about how we can achieve that and what we need to focus on to be able to include DAST in the shift left approach. We will also look at different maturity models as organizations develop more mature processes for both SAST and DAST.

Сергей — Senior Test Engineer в компании GlobalLogic, также тренер курса ISTQB Security Tester в Code Space.

Сергей долгое время проработал системным администратором и своим главным преимуществом считает опыт использования и администрирования различных OС и ПО. Обладает опытом тестирования embedded, telecommunication, gambling, banking и finance продуктов на Windows и Linux, frontend и backend.

В теории биометрия удобна и безопасна. Насчёт удобства никто не спорит, но к безопасности есть вопросы. Мы рассмотрим как и когда использовать биометрику, как ее хранить, передавать ну и конечно как тестировать Biometric security

Общий опыт в тестировании больше 7 лет

• Занимаюсь поиском Веб уязвимостей больше 4 лет
• Спикер множественных конференций по тестированию
• В данный момент работаю в Evo.company, на проекте Prom+, в команде Core, которая занимается разработкой:
  — CMS для продавцов
  — Онлайн чатом покупатель-продавец
  — API, для тех кому нужно подключение к своей CRM системе
  — API для мобильных приложений на IOS и Android
• Провожу практические тренинги по тестированиею безопасности https://svyat.tech/OWASP-TOP-10-Training/
• Веду блог https://svyat.tech/

Ни для кого не секрет, что при разработке проекта мало кто уделяет достаточное внимание проверке безопасности программы. Даже когда и задумываются об этом, то очень часто не принимают во внимание уязвимости железа и ОС, которое коммуницирует с вашим приложением. В своем докладе я расскажу и покажу на что следует обращать внимание при тестировании безопасности вашего продукта. А также, насколько важно применять тестирование безопасности. Ну, и как всегда, свои доклады я сопровождаю не только теорией, но и практическими примерами. На этот раз специальными гостями будут: Nmap Metasploit

Vitaly Davidoff has 15 + years’ experience as a developer and more than 7 years in application security. He is an Applications Security Lead at Citi Bank Innovations Lab TLV Israel. In this position he is responsible for providing Application Security solutions for many products including analyzing security risks to multidisciplinary systems according to the customers’ system characterization, review new technologies and solutions, defining required security controls to handle identified security threats, performing code and design reviews, threat modeling and etc. Vitaly hold CISSP and CSSLP Certifications.
LinkedIn: https://www.linkedin.com/in/vitaly-davidoff-07039a1/
Previous talks: https://www.devseccon.com/tel-aviv-2018/session/end-2-end-containers-ssdlc-process/

Modern software is assembled using third-party and open source components, combined together in complex and unique ways, and integrated with original code to provide the desired functionality.
However, by using open source components, organizations eventually take responsibility for code they did not write. This situation can lead to big potential risk if not taken to consideration during creation of modern CI/CD process.
Component or Composition Analysis (SCA) is the process of identifying potential areas of risk from the use of third-party and open-source software components as part of supply chain flow.
In this seminar we’ll talk about importance of SCA scanning, how to define a process for implement it in to the pipeline. I’ll describe the vendors choosing flow from success criteria definition, market research and to definition of deployment strategy in production.