Search results “Multiple vulnerabilities in oracle products”
Oracle Java Deserialization Vulnerabilities
 
49:33
Java deserialization is a class of security vulnerabilities that can result in server-side remote code execution (RCE). Because many Oracle products are built on Java, deserialization bugs turn up in many Oracle environments, especially those running Oracle WebLogic, Oracle Fusion Middleware, and Oracle E-Business Suite. For example, in November 2015 Oracle released an out-of-cycle security fix for CVE-2015-4852, a deserialization bug in Oracle WebLogic. This educational webinar explains Java deserialization vulnerabilities, their potential impact on Oracle environments, and strategies to protect an Oracle environment from this class of security vulnerability.
Views: 1875 Integrigy
Inside the Mind of a Database Hacker, by Oracle's Lead Security Architect
 
01:15:22
Inside the Mind of a Database Hacker, by Mark Fallon, Lead Security Architect, Oracle Database, with Penny Avril, VP of Oracle Database Server Technologies. Funny pre-event tech trivia: https://youtu.be/vj9DDxUatp4
Enterprise data has become an extremely valuable commodity, and therefore must be protected against theft by unscrupulous hackers. But, faced with a multitude of potential security vulnerabilities, where do we start? If we can understand those vulnerabilities as perceived by the mind of a hacker, then we can take a more practical approach to protecting our enterprise data. This fun and interactive session takes us into the mind of a cybercriminal, where we learn some interesting facts about data security and discover how we can best protect this valuable commodity.
Mark Fallon, Lead Security Architect, Oracle Database: Mark is the lead security architect for Oracle Database and its associated product families and cloud services. Mark drives software assurance activities that span the entire software lifecycle of Oracle Database products and services, from initial design-phase security reviews through functional testing, ethical hacking, deployment and incident response. As security lead for the last 11 years, Mark has a deep technical understanding of the hacking approaches taken against Oracle Database products and services.
Penny Avril, VP of Oracle Database Server Technologies: Based at Oracle's HQ in Redwood Shores, California, Penny leads Oracle's Database Product Management team. Penny's responsibilities include product planning, positioning, collateral, go-to-market strategy and field enablement. Penny also works closely with product release and development managers to take Oracle Database releases from design specs through development to production. Penny has been with Oracle since 1995, and holds a BA in computer science from Cambridge University.
Ask TOM Office Hours: DBSAT, the Database Security Assessment Tool
 
48:50
Presented on April 12, 2018: The Database Security Assessment Tool (DBSAT) is one of the most-downloaded database utilities, and at the same time one of the easiest to use. Join special guest Pedro Lopes, Product Manager for DBSAT, as we cover what is new in DBSAT version 2.0.1, how DBSAT can be used to find unnecessary risk in your database environment, and how you can use DBSAT as part of your database security program. 00:00 Why is DBSAT Needed? 12:44 Introducing DBSAT 28:23 Demonstration of DBSAT 36:19 Accelerate Compliance with EU GDPR 39:11 DBSAT Summary 42:23 Q&A. AskTOM Office Hours offers free, monthly training and tips on how to make the most of Oracle Database, from Oracle product managers, developers and evangelists. https://asktom.oracle.com/ https://developer.oracle.com/ https://cloud.oracle.com/en_US/tryit music: bensound.com
Views: 523 Oracle Developers
Oracle's Defense-in-Depth Database Security Controls
 
04:17
Vipin Samar, Oracle SVP of database security, discusses key data security challenges and Oracle's approach to providing defense-in-depth security with multiple layers of control to protect data on premises and in the cloud.
Views: 420 Oracle
Remediating the Most Common Microservices Bottlenecks & Vulnerabilities
 
49:40
Microservices are popular: they are extremely focused and target a single action. You get the benefits: not tied to physical location, fewer deployment issues, faster development, language of choice, REST APIs, efficient data management, etc. But how do you minimize the downside? For example, achieving high performance and availability is not easy, latencies add up, and security is paramount. In this session, we will show you how to maximize service levels and prevent threats and data loss from the most common bottlenecks and vulnerabilities by using ML. With ML, you can monitor performance, trace applications across multiple tiers, understand utilization of resources, troubleshoot problems rapidly and monitor for security threats. Vijay Tatkar is Product Management Director for Oracle Management Cloud. Vijay has over 29 years of industry experience, more than 25 of them managing developers and development-tools engineering. He has worked in, and managed, developer tools, analyzers and cloud computing tools. The shift of developer trends toward DevOps, microservices-driven architectures and the cloud, and the need to make sense of the enormous amount of data they generate, drew Vijay to systems management and Oracle Management Cloud (OMC). https://developer.oracle.com/ https://cloud.oracle.com/en_US/tryit
Views: 367 Oracle Developers
Vulnerability Control Vulnerability Detection
 
04:49
Transcript: This video will demonstrate how Skybox Vulnerability Control can be used to discover or detect vulnerabilities without the use of an active scanner. In addition, we’ll look at how vulnerabilities from multiple sources are viewed within the product. We are starting here in Vulnerability Control. We will pop down and look at the model behind the scenes, specifically at the vulnerability occurrences. So right now we have 1884 vulnerabilities that have been imported into the system from a Qualys scan. So I can see these vulnerabilities here—they are being grouped together by discovery method at this point. What we’ll do now is pop over to the operational console and take a look at a specific task here called “SCCM Direct Import.” This task will go out to an SCCM server, use a username and password to import that data directly into Skybox’s database; this will be the asset data that SCCM is managing, including the host name and IP address as well as the operating system and application versions that are on that particular host. So let’s go ahead and launch this. We will pop back over to Vulnerability Control, and we’ll wait for that importation to finish. Okay, we paused for a couple of minutes to let that data get imported. We’ll do a refresh, and we can see that we have 3300 vulnerabilities now, 1400 from SCCM. So these vulnerabilities represent missing patches on those assets that SCCM knows about. But in addition to that information, SCCM also has information about the applications that are on an asset. So here on my server REO, I see information about 7-Zip, Adobe, Microsoft, Mozilla and Oracle. But the only vulnerability we know about so far is a Microsoft Office vulnerability. So now what we’ll do is pop back over to the operational console, and we’ll run another task—this one is the SCCM Vulnerability Detector.
This task will go out and match the application asset information on the hosts that came in from SCCM with Skybox’s vulnerability dictionary, and, in doing so, we’ll deduce new vulnerabilities on those assets. We’ll pop back over to Vulnerability Control, let that run for a minute and then refresh. Look at that server REO, look at the vulnerability occurrences, and now we have many more vulnerabilities—674 vulnerabilities to be exact. Vulnerabilities from Mozilla Firefox, Microsoft Office, Windows Flash Player—there are all sorts of vulnerabilities in there. If we go back to our original screen, vulnerability occurrences (let that load up), we can see we now have 22,000 vulnerabilities from three different sources. We've got those original 18,000 vulnerabilities from Qualys, 14,000 vulnerabilities from the missing patches that SCCM knew about, and then another 19,000 vulnerabilities that Skybox has deduced using Vulnerability Detector, which matched up our vulnerability dictionary with that SCCM asset data. So this was a video demonstrating how Skybox Vulnerability Control can be used to discover or detect vulnerabilities without the use of an active scanner. To learn more about Vulnerability Control or any of the products in the Skybox suite, please visit www.skyboxsecurity.com.
Views: 610 Skybox Security
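The detection step narrated above (match each host's installed product versions against a vulnerability dictionary, then show the result alongside findings from other sources) is the same logic any inventory-based detector runs. The following is an added example written for this page, not Skybox code and not its dictionary format: the host name REO and the product names come from the demo, while the vulnerability IDs, version bounds and installed versions are constructed for the example. It assumes JDK 16 or later (records, List.of). Occurrences are keyed on (host, vulnerability) so a flaw reported by both an active scanner and the inventory match is counted once, with the discovery method preserved.

```java
import java.util.*;

// Added example, not Skybox code: deduce vulnerability occurrences from an
// asset inventory by matching installed product versions against a
// vulnerability dictionary, then merge them with occurrences reported by
// another source, keyed on (host, vulnerability) so duplicates collapse.
public class InventoryVulnMatcher {

    // Dictionary entry: versions of `product` strictly older than `fixedIn` are
    // affected. IDs and bounds are constructed for this example.
    record DictEntry(String vulnId, String product, int[] fixedIn) {}

    // One row of an SCCM-style application inventory.
    record Installed(String host, String product, String version) {}

    // A vulnerability occurrence and the discovery method that produced it.
    record Occurrence(String host, String vulnId, String source) {}

    // Parse "8.0.151" into {8,0,151}; components missing on one side compare as 0.
    static int[] parseVersion(String v) {
        String[] parts = v.split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = Integer.parseInt(parts[i].trim());
        return out;
    }

    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    // The "vulnerability detector" step: every installed product whose version is
    // older than the dictionary's fixed version yields one deduced occurrence.
    static List<Occurrence> deduce(List<Installed> inventory, List<DictEntry> dictionary) {
        List<Occurrence> found = new ArrayList<>();
        for (Installed sw : inventory) {
            int[] ver = parseVersion(sw.version());
            for (DictEntry e : dictionary) {
                if (e.product().equalsIgnoreCase(sw.product()) && compare(ver, e.fixedIn()) < 0) {
                    found.add(new Occurrence(sw.host(), e.vulnId(), "deduced"));
                }
            }
        }
        return found;
    }

    // Merge occurrences from several sources in priority order: the first source
    // to report a (host, vulnId) pair is kept, later duplicates are dropped.
    static Map<String, Occurrence> merge(List<List<Occurrence>> sources) {
        Map<String, Occurrence> merged = new LinkedHashMap<>();
        for (List<Occurrence> src : sources) {
            for (Occurrence o : src) {
                merged.putIfAbsent(o.host() + "|" + o.vulnId(), o);
            }
        }
        return merged;
    }

    public static void main(String[] args) {
        // Constructed dictionary: hypothetical IDs, not real advisories.
        List<DictEntry> dictionary = List.of(
                new DictEntry("VULN-EXAMPLE-0001", "7-Zip", parseVersion("18.05")),
                new DictEntry("VULN-EXAMPLE-0002", "Mozilla Firefox", parseVersion("60.0")),
                new DictEntry("VULN-EXAMPLE-0003", "Oracle Java", parseVersion("8.0.171")));
        // Constructed inventory for host REO, as an SCCM import might return it.
        List<Installed> inventory = List.of(
                new Installed("REO", "7-Zip", "16.04"),
                new Installed("REO", "Mozilla Firefox", "61.0"),
                new Installed("REO", "Oracle Java", "8.0.151"));
        // Constructed finding from an active scanner on the same host.
        List<Occurrence> fromScanner = List.of(
                new Occurrence("REO", "VULN-EXAMPLE-0001", "scanner"));

        List<Occurrence> deduced = deduce(inventory, dictionary);
        Map<String, Occurrence> all = merge(List.of(fromScanner, deduced));
        for (Occurrence o : all.values()) {
            System.out.println(o.host() + " " + o.vulnId() + " via " + o.source());
        }
    }
}
```

Run it with `java InventoryVulnMatcher.java`. Firefox 61.0 is not older than the fixed version and produces nothing; 7-Zip is reported by both sources but appears once, attributed to the scanner because that list was merged first. The one thing a real detector adds on top of this is normalisation of product names and version strings before matching, which is where most false negatives in inventory-based detection come from.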
Foglight for Oracle Overview
 
18:19
https://www.quest.com/products/foglight-for-oracle/ [0:00 - 1:40] Introduction [1:41 - 3:05] Global View and Baseline [3:06 - 3:28] Monitoring Coverage [3:29 - 4:21] Homepage [4:22 - 4:57] Alert Log [4:58 - 5:23] Tablespaces [5:24 - 6:09] ASM [6:10 - 6:54] Pluggable Databases (aka Multitenant) [6:55 - 7:47] FRA (Fast Recovery Area) [7:48 - 8:26] Data Guard [8:27 - 9:41] SQL PI Introduction [9:42 - 10:31] Multi-Dimensional Workload Analysis [10:32 - 11:08] Workload Activity Highlights [11:09 - 12:01] Lock Analysis [12:02 - 12:38] I/O Analysis [12:39 - 13:29] Change Tracking [13:30 - 14:31] Execution Plan Analysis [14:32 - 15:14] Compare [15:15 - 15:46] Advisories [15:47 - 17:52] Reporting [17:53 - 18:05] Deployment
Views: 322 Quest
Building Your Application Security Data Hub: The Imperative for Structured Vulnerability Information
 
49:41
Recorded at AppSecUSA 2014 in Denver http://2014.appsecusa.org/ Thursday, September 18 • 9:30am - 10:15am Building Your Application Security Data Hub: The Imperative for Structured Vulnerability Information. One of the reasons application security is so challenging to address is that it spans multiple teams within an organization. Development teams build software, security testing teams find vulnerabilities, security operations staff manage applications in production and IT audit organizations make sure that the resulting software meets compliance and governance requirements. In addition, each team has a different toolbox they use to meet their goals, ranging from scanning tools, defect trackers and Integrated Development Environments (IDEs) to WAFs and GRC systems. Unfortunately, in most organizations the interactions between these teams are strained and the flow of data between these disparate tools and systems is non-existent or tediously implemented by hand. In this presentation, we will demonstrate how leading organizations are breaking down these barriers between teams and better integrating their disparate tools to enable the flow of application security data between silos, accelerating and simplifying their remediation efforts. At the same time, we will show how to collect the proper data to measure the performance and illustrate the improvement of the software security program. The challenges that need to be overcome to enable teams and tools to work seamlessly with one another will be enumerated individually. Team and tool interaction patterns will also be outlined that reduce the friction that arises while addressing application security risks. Using open source products such as OWASP ZAP, ThreadFix, Bugzilla and Eclipse, a significant amount of time will also be spent demonstrating the kinds of interactions that need to be enabled between tools.
This will provide attendees with practical examples of how to replicate a powerful, integrated application security program within their own organizations. In addition, how to gather program-wide metrics and regularly calculate measurements such as mean-time-to-fix will be demonstrated, to enable attendees to monitor and ensure the continuing health and performance of their application security program. Speaker: Dan Cornell, CTO, Denim Group. Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman of the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader and a member of the OWASP Global Membership Committee. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Views: 523 OWASP
OSSIM Demo (5.1) - Improved Threat Detection, Security Visibility, and Usability
 
42:12
You want to be alerted to threats targeting your assets as quickly as possible so you know where to focus your attention. This OSSIM tutorial teaches you how to accelerate your visibility of malicious activity in your network by integrating greatly expanded threat data from the AlienVault Open Threat Exchange (OTX) so you can identify and prioritize activity that the OTX community has reported as indicative of an attack or breach. Learn more about AlienVault OSSIM here: https://www.alienvault.com/products/ossim Join us for a special training session to learn more about what's new in OSSIM: -Improved detection of the latest threats: Utilize expanded Indicators of Compromise (IoCs) from OTX, including IP addresses, file hashes, domains, hostnames and URLs for more rapid and accurate threat detection in your network. -Improved visibility of the security status of critical assets: Demonstrate that you are monitoring files and state changes on critical assets to meet regulatory requirements, and deploy multiple Host IDS agents in a single workflow. -Improved usability of data source plugins for log management: Improve visibility, threat detection, and compliance by being able to analyze multiple log files from a single asset for suspicious or malicious behavior, as well as quickly identify any gaps in asset monitoring via data source plugins.
Views: 8865 AT&T Cybersecurity
#HITBGSEC 2017 CommSec D1 - Hacking Robots Before Skynet - Lucas Apa and Cesar Cerrudo
 
01:03:39
Robots are going mainstream. In the very near future robots will be everywhere: on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, as sex partners, cooking in homes, and interacting with our families. While robot ecosystems grow and become more of a disrupting force in our society and economy, they pose a more significant threat to people, animals, and organizations if the technology is not secure. When vulnerabilities in robots are exploited, their physical features can be used by attackers to damage property or company finances, or to cause unexpected consequences in which human life is endangered. Robots are essentially computers with arms, legs and wheels, so the potential threats to their physical surroundings increase exponentially and in ways not widely considered before in computer security. In recent research, we discovered multiple critical vulnerabilities in home, business and industrial collaborative robots from well-known vendors. With responsible disclosure now completed, it’s time to reveal all the technical details, threats, and how attackers can compromise different robot ecosystem components with practical exploits. Live demos will showcase different exploitation scenarios that involve cyber espionage, harmful insider threats, property damage, and more. Through realistic scenarios we will unveil how insecure modern robot technology can be and why hacked robots could be more dangerous than other insecure technologies. The goal is to make robots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to businesses, consumers, and their surroundings. === Lucas Apa is an information security expert and entrepreneur. He currently provides comprehensive security services with cutting-edge firm IOActive, both onsite and remotely, for most of the Global 500 companies and organizations.
Lucas’ security research and ideas have been presented at world-renowned security conferences including Black Hat USA, PacSec Japan, Black Hat Europe, Ekoparty, AppSec USA, SecTor and EnergySec. His technical work and opinions have been featured in media outlets such as The New York Times, Reuters, The Wall Street Journal, Forbes, CNN, CNBC, Financial Times, FOX, VICE and many more. He is currently based in Argentina and regularly advises local media as a commentator and security analyst. --- Cesar Cerrudo is Chief Technology Officer for IOActive Labs, where he leads the team in producing ongoing, cutting-edge research in areas including Industrial Control Systems/SCADA, Smart Cities, the Internet of Things, and software and mobile device security. Cesar is a world-renowned security researcher and specialist in application security. Throughout his career, Cesar has been credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft Windows, Yahoo! Messenger, and Twitter, to name a few. He has a record of finding more than 50 vulnerabilities in Microsoft products, including 20 in Microsoft Windows operating systems. Based on his unique research, Cesar has authored white papers on database and application security as well as attacks and exploitation techniques. He has presented at a variety of company events and conferences around the world including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Infiltrate, 8.8, Hackito Ergo Sum, NcN, Segurinfo, RSA, and DEF CON. He recently started Securing Smart Cities (http://www.securingsmartcities.org), a non-profit initiative to make cities around the world safer. Cesar collaborates with and is regularly quoted in print and online publications.
His research has been covered by Wired, Bloomberg Businessweek, TIME, The Guardian, CNN, NBC, BBC, Fox News, The New York Times, New Scientist, Washington Post, Financial Times, The Wall Street Journal, and others.
NSS Labs - The Evolution of 2012 Vulnerability Disclosures By Vendor
 
01:05
This video shows a day-by-day representation of the vulnerabilities disclosed throughout 2012 per software vendor. Each dot represents a specific vulnerability and each cluster represents a vendor with multiple vulnerabilities disclosed. The bar on the left dynamically updates which vendors have the most vulnerabilities disclosed throughout the year.
Views: 1350 Jennifer Stowe
Nessus - Tutorial 2 - Basic Vulnerability Scanning
 
06:08
In this tutorial we will use Nessus to scan an unpatched XP system to show the vulnerabilities it has. We will create a policy and run a scan then produce a report.
Views: 6472 Jenko022
Remediating the Most Common Microservices Bottlenecks & Vulnerabilities
 
44:16
Vijay Tatkar, Director, Product Management, Oracle. Microservices are popular: they are extremely focused and target a single action. You get the benefits: not tied to physical location, fewer deployment issues, faster development, language of choice, REST APIs, efficient data management, etc. But how do you minimize the downside? For example, achieving high performance and availability is not easy, latencies add up, and security is paramount. In this session, we will show you how to maximize service levels and prevent threats and data loss from the most common bottlenecks and vulnerabilities by using ML. With ML, you can monitor performance, trace applications across multiple tiers, understand utilization of resources, troubleshoot problems rapidly and monitor for security threats.
Views: 87 Oracle Developers
RuhrSec 2016: "Java deserialization vulnerabilities - The forgotten bug class", Matthias Kaiser
 
43:13
Abstract. Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the past, the bug class is still fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details of a new gadget allowing remote code execution will be disclosed, and several vulnerabilities discovered by Code White, including a 0day, will be shown as case studies. Biography. Matthias is Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java software because it's so easy. He has found vulnerabilities in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian and others. Currently he enjoys researching deserialization and looking into COM/OLE.
Views: 1949 Hackmanit GmbH
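Both the Integrigy webinar earlier on this page and this talk describe the bug class without showing the code pattern behind it. The following is an added example written for this page, not code from either presentation, from Oracle, or from Code White: a service that calls `ObjectInputStream.readObject()` on client-supplied bytes, first unguarded and then behind a JEP 290 allow-list filter. The `Greeting` and `SideEffectOnRead` classes are hypothetical; the second stands in for a gadget class and only records that its `readObject` hook ran, where a real gadget chain would end in `Runtime.exec` or a JNDI lookup. It assumes JDK 9 or later for `java.io.ObjectInputFilter` (the same mechanism exists in 8u121+ under `sun.misc`).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not from either presentation: the vulnerable pattern behind
// Java deserialization bugs, beside the JEP 290 filter that closes it.
// Requires JDK 9 or later for java.io.ObjectInputFilter.
public class DeserializationDemo {

    // Hypothetical type the server legitimately expects from clients.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Hypothetical stand-in for a gadget class: a Serializable class whose
    // readObject hook runs code. Real gadgets live on library classpaths and
    // end in Runtime.exec or a JNDI lookup; this one only records that it ran.
    public static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: readObject() instantiates whatever class the stream names and
    // runs its readObject/readResolve hooks before the caller can cast or check.
    static Object unsafeRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED: an allow-list ObjectInputFilter rejects every class not named in
    // the pattern before it is instantiated, and bounds graph depth and stream size.
    static Object filteredRead(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Greeting;java.lang.String;!*;maxdepth=4;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));        // constructed client message
        byte[] hostile = serialize(new SideEffectOnRead());      // constructed attacker payload

        System.out.println("unsafe/benign  : " + ((Greeting) unsafeRead(benign)).text);
        unsafeRead(hostile);                                     // no cast needed: the hook already ran
        System.out.println("unsafe/hostile : gadget ran = " + SideEffectOnRead.triggered);

        SideEffectOnRead.triggered = false;
        System.out.println("filter/benign  : " + ((Greeting) filteredRead(benign)).text);
        try {
            filteredRead(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filter/hostile : rejected, gadget ran = " + SideEffectOnRead.triggered);
        }
    }
}
```

Run it with `java DeserializationDemo.java`. The point of the unsafe half is that the cast the application performs afterwards is irrelevant: the gadget's hook executes inside `readObject()` itself. The filter rejects the hostile stream with an `InvalidClassException` before any instance exists. In production the same pattern is set process-wide with `-Djdk.serialFilter=...` so that libraries which deserialize on your behalf (the WebLogic T3 listener in the CVE-2015-4852 case is the classic example) are covered too, and the allow-list should name only the types the endpoint genuinely exchanges.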
PENTESTON® Product Overview Video
 
09:52
PENTESTON® is a cyber security vulnerability assessment workbench used by individuals, businesses and service providers worldwide. Quickly snap into the pre-configured cyber range and select from over 40 tools. Engage a single system or multiple targets to determine whether an identified technical risk presents a business risk. For large projects, collaborate with team members and import or enter manual findings into a centralized QA resource. Leverage the application programming interface (API) to trigger automated assessments on newly discovered targets, code releases, etc. Enroll today and take a risk-free test drive.
Views: 646 ProactiveRISK
How to Secure your Web Applications
 
02:00
If you want to protect your apps against threats, first you need to understand them. This video will briefly and concisely walk you through each tier of an application, what makes those tiers vulnerable to attacks, and how to secure them and reduce your risk. Learn how to protect your apps with F5’s full security portfolio—explore use cases, product capabilities, and deployment modes. F5 Application Security Solutions https://www.f5.com/security F5 Application Protection Solutions Guide https://www.f5.com/pdf/solution-guides/application_solution_guide_2018.pdf
Views: 984 F5 Networks, Inc.
DEF CON 18 - Esteban Martínez Fayó - Hacking and Protecting Oracle Database Vault
 
54:48
Esteban Martínez Fayó - Hacking and Protecting Oracle Database Vault. Oracle Database Vault was launched a few years ago to put a limit on DBAs' unlimited power, especially over highly confidential data where regulations require it. This presentation shows how this add-on product for Oracle Database performs at this difficult task, first giving an introduction to DB Vault and the protections it brings, then showing with many examples how it is possible to bypass those protections. The attacks demonstrated include getting operating system access to disable DB Vault, SQL injection and impersonation techniques to bypass DB Vault protections, and how simple exploits can be used to circumvent DB Vault. These attack examples are accompanied by recommendations on how to protect against them. The presentation also shows some issues with native database auditing and has a section with additional recommendations to secure DB Vault, followed by conclusions. Esteban Martínez Fayó is a security researcher; he has discovered and helped to fix multiple security vulnerabilities in major vendors' software products. He specializes in application security and is recognized as the discoverer of most of the vulnerabilities in Oracle server software. Esteban has developed and presented novel database attack techniques at international conferences such as Black Hat, WebSec, NcN and ekoparty. Esteban currently works for Argeniss doing information security research and developing security-related software solutions. For copies of the slides and additional materials please see the DEF CON 18 Archive here: https://defcon.org/html/links/dc-archives/dc-18-archive.html
Views: 525 DEFCONConference
[DEFCON 21] Java Every-Days: Exploiting Software Running on 3 Billion Devices
 
43:16
Java Every-Days: Exploiting Software Running on 3 Billion Devices. Speakers: Brian Gorenc - Zero Day Initiative, HP Security Research; Jasiel Spelman - Security Researcher. Over the last three years, Oracle Java has become the exploit author's best friend. And why not? Java has a rich attack surface, a broad install base, and runs on multiple platforms, allowing attackers to maximize their return on investment. The increased focus on uncovering weaknesses in the Java Runtime Environment (JRE) shifted research beyond classic memory corruption issues into abuses of the reflection API that allow for remote code execution. This talk focuses on the vulnerability trends in Java over the last three years and intersects public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program. We begin by reviewing Java's architecture and patch statistics to identify a set of vulnerable Java components. We then highlight the top five vulnerability types seen in ZDI researcher submissions that impact these JRE components and emphasize their recent historical significance. The presentation continues with an in-depth look at specific weaknesses in several Java sub-components, including vulnerability details, examples of how the vulnerabilities manifest, and what vulnerability researchers should look for when auditing the component. Finally, we discuss how attackers typically leverage weaknesses in Java. We focus on the specific vulnerability types attackers and exploit kit authors are using and what they do beyond the vulnerability itself to compromise machines. We conclude with details on the vulnerabilities that were used in this year's Pwn2Own competition and review the steps Oracle has taken to address recent issues uncovered in Java. Brian Gorenc (@MaliciousInput, @thezdi) is the Manager of Vulnerability Research in HP's Security Research organization.
His primary responsibility is running the Zero Day Initiative (ZDI) program and doing root cause analysis on ZDI submissions. Brian's current research centers on discovering vulnerabilities in popular software, analyzing attack techniques, and identifying vulnerability trends. Prior to joining HP he worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment. Jasiel Spelman (@WanderingGlitch) is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, he was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a B.A. in Computer Science from the University of Texas at Austin.
Views: 8811 TalksDump
Oracle APEX - Best Way Deploy ORDS,Apache Tomcat in Oracle APEX
 
05:53
Oracle REST Data Services is a Java EE-based alternative for Oracle HTTP Server and mod_plsql. The Java EE implementation offers increased functionality including a command line based configuration, enhanced security, file caching, and RESTful web services. Oracle REST Data Services also provides increased flexibility by supporting deployments using Oracle WebLogic Server, GlassFish Server, Apache Tomcat, and a standalone mode. The Oracle Application Express architecture requires some form of web server to proxy requests between a web browser and the Oracle Application Express engine. Oracle REST Data Services satisfies this need but its use goes beyond that of Oracle Application Express configurations. Oracle REST Data Services simplifies the deployment process because there is no Oracle home required, as connectivity is provided using an embedded JDBC driver.
Views: 2204 Oracle Apex
CppCon 2018: Patricia Aas “Make It Fixable: Preparing for Security Vulnerability Reports”
 
28:46
http://CppCon.org — Presentation Slides, PDFs, Source Code and other presenter materials are available at: https://github.com/CppCon/CppCon2018 — From experience we have learned that almost any surface we expose could have weaknesses. We have to have a plan for how to deal with issues as they arise, and an architecture that allows us to correct and protect products that are already in use. When security is left to the discretion of the user, however, we often fail to inform their decision properly. The usability of security and the architecture of fixability are closely connected, and both need continued refinement and focus. This talk describes architectural and organizational features that make it easier to take corrective measures. They are down-to-earth, everyday scenarios, illustrated by real-world software projects and security incidents. Some of the stories are well known; some are anonymized to protect the innocent. Finally we show examples of how difficult it is to design the user experience of security. — Patricia Aas, TurtleSec Programmer. Patricia has been programming C++ professionally for 13 years. She started out working on the Opera desktop browser and has looped back to browser making in recent years, now working on the Vivaldi browser with many ex-Opera colleagues. While away from the browser world she did a stint as a Java consultant, coming back to C++ when working on embedded teleconference systems at Cisco. For the last couple of years she has begun doing public speaking, after only speaking in-house before. She is passionate about the tech industry and its impact on people's lives. Since January she has been active in the #include<C++> community, where she is one of the admins. — Videos Filmed & Edited by Bash Films: http://www.BashFilms.com
Views: 1135 CppCon
TrustPort Management Unauthenticated Remote Code Execution Exploit
 
00:43
http://eastfw.com/ Vulnerability summary: Multiple vulnerabilities in TrustPort’s management product allow remote unauthenticated attackers to cause the product to execute arbitrary code. TrustPort Management “offers you an effective and practical way to install centrally, configure and update antivirus software in your network and it enables mass administration of TrustPort products. Central administration from TrustPort brings you simple application of corporate security policies, monitoring of security incidents or the remote starting of tasks”.
Views: 44 East Exploit
Oracle Commerce Cloud: Use Multi-Factor Authentication After Updating
 
06:33
Set up Oracle Mobile Authenticator (OMA), register Commerce Cloud with OMA, manage multiple accounts, log in to the Administration UI, and troubleshoot authentication issues.
Views: 709 Oracle Commerce
Moving Fast and Securing Things - AppSecUSA 2017
 
41:56
“Process” is often seen as antithetical to the fast-moving nature of startups; security processes, in particular, can be regarded as a direct impediment to shipping cool features. On the other hand, the security of an organization and its users shouldn’t be disregarded for the sake of speed. Striking a balance between security and nimble development is a vital part of a security (in particular, application security) team's job. At Slack, we have implemented a secure development process which has both accelerated development and allowed us to scale our small team to cover the features of a rapidly growing engineering organization. In this presentation we will discuss both our Secure Development Lifecycle (SDL) process and tooling, as well as review metrics and analyze how the process has worked so far. We intend to open-source our tooling as a supplement to this presentation, and offer advice for others wishing to attempt similar implementations. We'll discuss our deployment of a flexible framework for security reviews, including a lightweight self-service assessment tool, a checklist generator, and most importantly a chat-based process that meets people where they are already working. We’ll show how it’s possible to encourage a security mindset among developers while avoiding an adversarial relationship. By tracking data from multiple sources, we can also view the quantified success of such an approach and show how it can be applied in other organizations. Speakers: Max Feldman, Slack, Inc. Max Feldman works on the Product Security team at Slack, where he works on the bug bounty and security assessments of Slack features, as well as the development of security tools and automation. He was previously a member of the Product Security team at Salesforce. Zachary Pritchard, Security Engineer, Slack. Fikrie Yunaz, Slack, Inc. Fikrie Yunaz is a Product Security Engineer at Slack. He is a security enthusiast and loves breaking web applications.
He specializes in the areas of application security and security test automation. He was previously a Security Engineer at Oracle. - Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Views: 826 OWASP
Securing the Software Supply Chain (Cloud Next '18)
 
40:18
Containers have revolutionized how we develop, package, and deploy applications. As enterprises create more containerized workloads, the security of the software supply chain must be top of mind. Join this session to learn how security teams can enhance deployment security. We’ll also hear from the security team at Shopify to learn how they use GCP tools as part of their container security strategy and best practices. Event schedule → http://g.co/next18 Watch more Security sessions here → http://bit.ly/2zJTZml Next ‘18 All Sessions playlist → http://bit.ly/Allsessions Subscribe to the Google Cloud channel! → http://bit.ly/NextSub
Patching Heartbleed OpenSSL Vulnerability with Puppet Enterprise
 
08:01
We walk through the process of patching the Heartbleed OpenSSL vulnerability with Puppet Enterprise. For more information about Puppet Enterprise, download 10 free nodes at: http://info.puppetlabs.com/download-pe.html
Views: 1175 Puppet
Security auditing software tutorial part 05
 
01:01
Views: 220 topclasslink
DEFCON 18: Exploiting WebSphere Application Servers JSP Engine 1/3
 
14:58
Speaker: Ed Schaller WebSphere Application Server (WAS), IBM's Java Enterprise Edition (JEE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker. In March 2009, IBM released PK81387 which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding and multiple vulnerabilities, some still unpatched, can be orchestrated to provide file and directory exposure inside an application's Web Archive (WAR). In some cases, with common libraries or WAS feature use, these vulnerabilities can be extended to achieve arbitrary code execution resulting in full compromise of the application server. Exploitation details will be described and use of this vulnerability and others to execute a remote operating system shell will be demonstrated. Source code to the exploit and other tools will be provided. For presentations, whitepapers or audio versions of the Defcon 18 presentations visit: http://defcon.org/html/links/dc-archives/dc-18-archive.html
Views: 779 Christiaan008
Oracle Weblogic Server Deserialization Remote Command Execution (CVE-2018-2628)
 
00:28
Oracle Weblogic Server Deserialization Remote Command Execution (CVE-2018-2628) Source: https://twitter.com/pyn3rd/status/990114565219344384
Views: 4260 The Hacker News
Opening Keynote (Cloud Next '19)
 
01:30:02
Sundar Pichai, CEO, Google, 0:20 Eyal Manor, VP, Engineering, Anthos, 12:20 David Goeckeler, EVP and General Manager, Networking and Security Business, Cisco, 17:29 Jennifer Lin, Director of Product Management, Anthos, 21:40 Sanjay Poonen, COO, VMware, 31:06 Ratnakar Lavu, Sr. EVP & CTO, Kohl’s, 36:09 Alpna Doshi, Group CIO, Philips, 44:00 Reggie Chambers, Chief Admin Officer, Chase Consumer Banking, JP Morgan Chase, 50:38 Brad Calder, VP of Core Infrastructure, Google Cloud Platform, 59:33 Hanan Youssef, Product Manager for High Memory VMs, Google Cloud Platform, 1:02:29 Mike Crowe, CIO, Colgate-Palmolive, 1:09:19 Jay Kreps, CEO, Confluent, 1:16:39 Ofer Bengal, CEO, Redis Labs, 1:19:08 Gopal Ashok, Product Manager, Google Cloud Platform, Databases, 1:22:52 Hear from Google Cloud leaders and customers about how the cloud is transforming business and improving the lives and circumstances of people around the world in ways never before possible. Build with Google Cloud → http://bit.ly/2TTAfkN Next ‘19 All Sessions playlist → https://bit.ly/Next19AllSessions Subscribe to the GCP Channel → https://bit.ly/GCloudPlatform Speaker(s): Sundar Pichai, Brad Calder, Michael Crowe, Jen Fitzpatrick, Thomas Kurian, Ratnakar Lavu, Jennifer Lin Moderator: Eyal Manor Session ID: GENKEY01
Views: 136795 Google Cloud Platform
Protecting Sensitive Data in the Oracle E-Business Suite
 
01:04:14
To protect sensitive data, like Social Security numbers, in Oracle E-Business Suite environments, numerous Oracle technologies and third-party products exist that all promise to be your next silver bullet. However, implementing these technologies is challenging and there are significant limitations and often certification issues. Best practices and client success stories with encryption, scrambling, and auditing are discussed with solutions ranging from simple SQL scripts to expensive add-on products.
Views: 189 Integrigy
DEF CON 24 - Joshua Drake, Steve Christey Coley - Vulnerabilities 101
 
43:18
If you’re interested in vulnerability research for fun or profit, or if you’re a beginner and you’re not sure how to progress, it can be difficult to sift through the firehose of technical information that’s out there. Plus there are all sorts of non-technical things that established researchers seem to just know. There are many different things to learn, but nobody really talks about the different paths you can take on your journey. We will provide an overview of key concepts in vulnerability research, then cover where you can go to learn more - and what to look for. We’ll suggest ways for you to choose what you analyze and provide tools and techniques you might want to use. We’ll discuss different disclosure models (only briefly, we promise!), talk about the different kinds of responses to expect from vendors, and give some advice on how to write useful advisories and how to go about publishing them. Then, we’ll finish up by covering some of the ‘mindset’ of vulnerability research, including skills and personality traits that contribute to success, the different stages of growth that many researchers follow, and the different feelings (yes, FEELINGS) that researchers can face along the way. Our end goal is to help you improve your chances of career success, so you can get a sense of where you are, where you want to go, and what you might want to do to get there. We will not dig too deeply into technical details, and we’d go so far as to say that some kinds of vulnerability research do not require deep knowledge anyway. Vulnerability research isn’t for everyone, but after this talk, maybe you’ll have a better sense of whether it’s right for you, and what to expect going forward.
Bio: Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker’s Handbook. Joshua focuses on original research such as reverse engineering and the analysis, discovery, and exploitation of security vulnerabilities. He has over 10 years of experience researching and exploiting a wide range of application and operating system software with a focus on Android since early 2012. In prior roles, he served at Accuvant Labs, Rapid7’s Metasploit, and VeriSign’s iDefense Labs. Joshua previously spoke at Black Hat, DEF CON, RSA, CanSecWest, Recon, Ruxcon/Breakpoint, Toorcon, and DerbyCon. Other notable accomplishments include: helping spur mobile ecosystem change in 2015, exploiting Oracle’s JVM at Pwn2Own 2013, exploiting the Android browser via NFC with Georg Wicherski at Black Hat USA 2012, and winning DEF CON 18 CTF with ACME Pharm in 2010. Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting FDA CDRH on medical device cyber security. Steve was co-creator and Editor of the CVE list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for CWE, the Common Weakness Scoring System (CWSS), and the CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential ‘Responsible Vulnerability Disclosure Process’ IETF draft with Chris Wysopal in 2002. He was an active contributor to other community-oriented efforts such as CVSS, CVRF, and NIST’s Static Analysis Tool Exposition (SATE). His interests include adapting traditional IT security methodologies to new areas, software assurance, improving vulnerability information exchange, and making the cybersecurity profession more inclusive for anybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.
Views: 7115 DEFCONConference
HITB2011KUL - D1T2 - Alexander Polyakov, Dimitry Chastuhin - SAPocalypse Now, CrushingSAPs J2EE...
 
56:23
Having had great success with the first part of our research, "A crushing blow at the heart of SAP's J2EE Engine", this is a continuation of that series of presentations and will look deeper at new web-based attacks and post-exploitation on SAP's J2EE applications. We will explain the architecture of SAP's J2EE engine and give a complete tour of its internals. Thereafter, we will show a number of previously unknown architecture and program vulnerabilities, from auth bypasses, SMB relays, internal scans and XML/SOAP attacks to insecure encryption algorithms and cross-system vulnerabilities in the J2EE platform. Finally, a chained attack which uses multiple logic vulnerabilities and gives full control over SAP's J2EE Engine will be demoed. A free tool will also be presented to automatically scan custom applications against this attack. Will this attack concept lead to a new worm? Who knows, but be prepared for SAPocalypse NOW!
About Alexander Polyakov: Alexander Polyakov is the CTO at ERPScan and head of the DSecRG research center (a department of ERPScan). His expertise covers enterprise business-critical software like ERP, CRM, SRM, RDBMS, SCADA, banking and processing software. He has found many vulnerabilities in the products of vendors such as SAP and Oracle, and has led many projects focused on the security of special applications in the oil and gas, retail and banking sectors. He is the author of a book titled "Oracle Security from the Eye of the Auditor: Attack and Defense (in Russian)." He also leads OWASP-EAS, is the architect of the ERPScan Security Scanner for SAP (http://erpscan.com), and is one of the contributors to the Oracle with Metasploit project. He has spoken at HITB (EU/ASIA), BlackHat, Source, DeepSec, Confidence, Troopers and many Russian conferences.
About Dimitry Chastuhin: Dimitry Chastuhin is a student of St. Petersburg State Polytechnic University, computer science department; he works on SAP security, particularly on Web applications and JAVA systems. He has official acknowledgements from SAP for the vulnerabilities he found. Dmitriy is also a WEB 2.0 and social network security geek who found several critical bugs in Vkontakte (vk.com) and Yandex.ru, the largest Russian social network and search engine. He is a contributor to the OWASP-EAS project.
Simplify GDPR Compliance with IBM Cloud Secure Virtualization
 
01:17
For more information, please visit: https://ibm.co/2slQ4aI In May 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect with daunting fines for any non-compliant company doing business in the EU: up to 4% of annual revenue. IBM Cloud Secure Virtualization can help protect your workloads and simplify GDPR compliance, using IBM Cloud bare metal servers with built-in Intel Xeon Processor security and HyTrust workload security software features that validate hardware integrity for VMware workloads.
Views: 1241 IBM Cloud
Preventing and Reacting to Guardium Database Full Issues
 
23:00
Take steps to prevent your Guardium internal database from filling up, troubleshoot when it is filling up, and take action to reduce the space used when needed. Technotes referenced in the video, in chronological order:
IBM Security Guardium Administrator Responsibilities Guide - www.ibm.com/support/docview.wss?uid=swg21700685
System Requirements for v9.5 - http://www-01.ibm.com/support/docview.wss?uid=swg27045286
System Requirements for v10 - http://www-01.ibm.com/support/docview.wss?uid=swg27046184
MustGather: Collecting data for Guardium Appliance - http://www-01.ibm.com/support/docview.wss?uid=swg21971158
What changes have been made in the latest Guardium GPU patch? - http://www-01.ibm.com/support/docview.wss?uid=swg21693983
How to alert on the Guardium internal database filling up - http://www-01.ibm.com/support/docview.wss?uid=swg21696915
What can I do if I see my Guardium Appliance getting full? - https://www-304.ibm.com/support/docview.wss?uid=swg21511904
Why is my Guardium internal database filling up? - https://www-304.ibm.com/support/docview.wss?uid=swg21696497
How to troubleshoot Guardium aggregation or archive errors - http://www-01.ibm.com/support/docview.wss?uid=swg21698234
How much data is in my Guardium top tables per day? - http://www-01.ibm.com/support/docview.wss?uid=swg21981235
What type of Guardium problem can I consider to be a Severity 1 PMR - http://www-01.ibm.com/support/docview.wss?uid=swg21587895
Views: 2748 IBM Security Support
DEFCON 18: Exploiting WebSphere Application Servers JSP Engine 3/3
 
04:56
Speaker: Ed Schaller WebSphere Application Server (WAS), IBM's Java Enterprise Edition (JEE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker. In March 2009, IBM released PK81387 which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding and multiple vulnerabilities, some still unpatched, can be orchestrated to provide file and directory exposure inside an application's Web Archive (WAR). In some cases, with common libraries or WAS feature use, these vulnerabilities can be extended to achieve arbitrary code execution resulting in full compromise of the application server. Exploitation details will be described and use of this vulnerability and others to execute a remote operating system shell will be demonstrated. Source code to the exploit and other tools will be provided. For presentations, whitepapers or audio versions of the Defcon 18 presentations visit: http://defcon.org/html/links/dc-archives/dc-18-archive.html
Views: 245 Christiaan008
DEFCON 18: Exploiting WebSphere Application Servers JSP Engine 2/3
 
14:58
Speaker: Ed Schaller WebSphere Application Server (WAS), IBM's Java Enterprise Edition (JEE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker. In March 2009, IBM released PK81387 which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding and multiple vulnerabilities, some still unpatched, can be orchestrated to provide file and directory exposure inside an application's Web Archive (WAR). In some cases, with common libraries or WAS feature use, these vulnerabilities can be extended to achieve arbitrary code execution resulting in full compromise of the application server. Exploitation details will be described and use of this vulnerability and others to execute a remote operating system shell will be demonstrated. Source code to the exploit and other tools will be provided. For presentations, whitepapers or audio versions of the Defcon 18 presentations visit: http://defcon.org/html/links/dc-archives/dc-18-archive.html
Views: 397 Christiaan008
APPSEC Cali 2018 - Robots with Pentest Recipes
 
39:56
Abstract: Application Security (AppSec) teams are usually short-staffed. While this is no surprise in itself, now there’s the added impetus of continuous delivery of security solutions for the continuous delivery pipelines of myriad engineering teams within an organization. While some teams have leveraged SAST, DAST and IAST as part of the continuous delivery pipeline, AppSec teams could definitely use a helping hand from other teams including QA, Engineering and Infrastructure (Security) teams. However, this presents a problem, largely because the tools used by AppSec teams (and security teams in general) are not easily understood or known by Engineering and QA teams. In addition, there is a diverse set of tools, ranging from application vulnerability scanners to recon tools, that are used by security teams, pentest teams and so on and that are typically not meshed together in a common fabric. What if there were a way where we could create security testing recipes and run a battery of security tests, right from baseline application security testing to pre-deployment infrastructure vulnerability assessments, across various environments, and what’s better, UNDER A COMMON FABRIC!! For one, security testing would become much easier to create and execute, with various teams being able to author security testing pipelines themselves with limited involvement from an already-stretched AppSec team. That’s what this talk is all about…. Over the last few months, my team and I have leveraged the all-powerful Robot Framework to integrate various security testing tools, including OWASP ZAP, Nmap, Nessus. Robot Framework is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). It provides a very extensible test-driven syntax that extends test libraries implemented in Python or Java. We have developed open source libraries for popular tools like OWASP ZAP, Nmap, Nessus and some recon tools, which can be invoked with existing libraries like Selenium, etc. to perform completely automated, parameterized security tests across the continuous delivery pipeline with easy-to-write, almost trivial test syntax like `run nmap scan` OR `start zap active scan`, thereby making it easier for engineering teams to create “recipes” of security tests that they want to run, and integrate them with functional test automation to run anything from a baseline scan to a complete parameterized security test of the application on various environments. In fact, we have used these libraries to run a “mostly automated pentest as a recipe”, replete with recon, mapping and vulnerability discovery phases with evidence and reporting built in. I'll be making most of the code available on GitHub for the community to use.
Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications, “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop that has been delivered in multiple locations, and recently as a highly successful workshop at OWASP AppSecUSA 2016, OWASP AppSecEU 2017 and OWASP AppSecUSA 2017, as well as DEFCON 25. In addition, Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others. Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Views: 1013 OWASP
Solstice Full Moon in Cancer Astrology Horoscope All Signs: December 21-22 2018
 
15:56
To get readings and products or to book The Leo King http://theleoking.com #fullmoon #horoscope #astrology #celebrityastrologer #horoscopes #theleoking #inspiration #spirituality #manifest #positivevibes Solstice Full Moon in Cancer Astrology Horoscope All Signs: December 21-22 2018 From beyond the dimensions of time and space, a King rises from the past and has come back from the future, to brighten up the dawning of a new age on Earth. Using his charm, ancient tool bag and positive energy, the Leo King reclaims his throne and sets on his quest to lead the new world into illuminating its individual and collective consciousness. The Leo King's quest takes him on a journey of brightening up the world with his music, astrology and inspirational speeches in order to change your life and bring you into spiritual ecstasy.​ David Palmer, aka, "The Leo King" owns and operates multiple OTT media corporations that produce, and distribute content via mobile apps. social media, and streaming platforms. The Leo King is a world famous celebrity astrologer, Electronic DJ, Professional IJSBA PWC Racer, and is also known for his speaking events, conferences and documentaries. David currently owns, The Leo King, Inc., 12th House Media, Inc. and is the Founder of Future Life TV, High Vibe TV, Elektronik Generation, and Spiritual Dance Music. The Leo King is about setting trends, and disrupting OTT Media markets, by creating content that is exciting, and some what controversial. Find out more about The Leo King, get a reading and more! http://www.theleoking.com Follow The Leo King on FB! https://www.facebook.com/theleokingdomoflove Follow us on twitter ande Instagram! @theleokingdom
Views: 21689 The Leo King
ASP.NET Padding Oracle Detector
 
00:53
Checkout tools: http://www.vdefcon.com/bai-viet/asp-net-padding-oracle-detector/ Facebook: https://www.facebook.com/vdefcon
Views: 308 Z Defcon
1 Intro Oracle
 
30:02
This video is part of the "HOW DO I ... ?" training series of the Oracle E-Business Suite course.
Views: 483 Ahmed fathy
Oracle - The Future of Blockchain in Retail & CPG Supply Chains - Theme 7 - Recap
 
09:17
Theme interview on Theme #7 of the "The Future of Blockchain in Retail & CPG Supply Chains" panel, facilitated by Matthew Liotine, PhD, sponsored by Oracle. Here is a high-level summary of the findings: Despite all the hype, there are significant caveats with deploying blockchain-based applications in the CPG space, and wide-scale implementation will likely be in the longer term.
- Blockchain applications are vulnerable to rogue transactions. A blockchain-based network is susceptible to vulnerabilities in the underlying network, endpoints and application software.
- In CPG, creation of a successful blockchain network hinges on forming seamless collaboration and interoperability between diverse players and systems, requiring governance and perhaps regulation.
- Blockchain is currently limited by real-time volume, efficiency and scalability due to consensus protocols and blockwise linear processing.
- A 5-year adoption horizon for wide-scale deployments is envisioned. Friction is due to competing conventional delivery methods, ability to transition from legacy systems,
Check out the panel at: https://currnt.com/s481/the-future-of-blockchain-in-retail-cpg-supply-chains
Views: 75 Currnt
Stored XSS (Stored Cross Site Scripting) Vulnerability on Bigcommerce Subdomain
 
03:50
Hi Bigcommerce, Here is Shaifullah Shaon (Black_EyE), an Ethical Hacker from Bangladesh, a white hat cyber security researcher from Bangladesh reporting a serious [3rd ranking in OWASP] security vulnerability on your system. I faced a technical security bug called "Stored XSS (Stored Cross Site Scripting) Vulnerability on Bigcommerce Subdomain". Let's follow me... I just posted this at the HTML editor for product listing. Here is the popup automatically: http://cloudy-store6.mybigcommerce.com/smith-journal-13/ An attacker can deface your community using a script. And also an attacker can steal cookies of your users using the cookie stealing method. Cookie Stealing Method: http://sqli-basic.blogspot.com/2017/02/session-hijacking-or-cookie-stealing.html Please see my video PoC to understand clearly. Hopefully these are very critical issues. Resolve these issues as soon as possible. Here is the proof as a video concept: https://youtu.be/yJcOwROv38Q Thank you Shaifullah Shaon (Black_EyE) [email protected]
GreenSQL Product Demo - August 2015
 
26:56
GreenSQL Product Demo includes:
GreenSQL Setup
Database Security - Database Firewall - SQL Injection Prevention - Segregation of Duties
Database Activity Monitoring - Audit of admin commands, access, queries, stored procedures - Real-time alerts and Compliance Reports
Sensitive Data Discovery - Discovery of PII, credit card info, etc. to meet Compliance - Consequent creation of masking and audit rules
Dynamic Data Masking - Column and row level Dynamic Data Masking
Views: 629 Green SQL
Webinar Forcepoint CASB: Increasing Visibility & Control Within Cloud Apps
 
43:42
While cloud-based applications or services and BYOD policies can increase user productivity and lower operating costs, they also lead to risk that traditional security controls were not designed to handle. You must be able to identify and stop both malicious and accidental people-based vulnerabilities while providing employees with the access to critical data they need to succeed. For more information please call us at 0845 567 8777 or email us at [email protected]
Views: 909 Secon Cyber
Automated AppSec Test with Robot Framework and Arachni
 
08:42
From the speaker: In this video, I demo RoboArachni (https://github.com/we45/RoboArachni/), which leverages the Arachni Web Vulnerability Scanner to perform an authenticated security test against a Web Service, completely automated. About the Speaker: Abhay Bhargav is the CTO of we45, a focused Application Security company. Abhay is the author of two international publications, “Secure Java for Web Application Development” and “PCI Compliance: A Definitive Guide”. Abhay is a builder and breaker of applications, and has authored multiple applications in Django and NodeJS. He is a passionate Pythonista and loves the idea of automation in security. This passion prompted him to author the world’s first hands-on Security in DevOps workshop that has been delivered in multiple locations, and recently as a highly successful workshop at OWASP AppSecUSA 2016, OWASP AppSecEU 2017 and OWASP AppSecUSA 2017, as well as DEFCON 25. In addition, Abhay speaks regularly at industry events including OWASP, ISACA, Oracle OpenWorld, JavaOne, and others. From we45: we45 is one of the world’s leaders in application security. Our platform-agnostic assessment methodologies combined with our pioneering thought leadership in Custom Security Automation for agile environments have been lauded by product engineering and security communities across market verticals. we45 prides itself on being one of the very few security companies to devise a measurable and iterative DevSecOps framework that enables product engineering teams to seamlessly integrate security as part of their continuous integration and deployment lifecycle. For more visit http://www.we45.com
Views: 53 we45
Black Hat USA 2010: Hacking and Protecting Oracle Database Vault 5/5
 
10:16
Speaker: Esteban Martínez Fayó Oracle Database Vault was launched a few years ago to put a limit on DBAs' unlimited power, especially over highly confidential data where it is required by regulations. This presentation will show how this add-on product for Oracle Database performs on this difficult task, first giving an introduction to DB Vault and what protections it brings, then showing with many examples how it is possible to bypass the protections provided. The attacks demonstrated include getting operating system access to disable DB Vault, SQL injection and impersonation techniques to bypass DB Vault protections, and how it is possible to circumvent DB Vault using simple exploits. These attack examples are accompanied by recommendations on how to protect against them. The presentation also shows some issues with native database auditing and has a section with additional recommendations to secure DB Vault, and conclusions. For more information click here (http://bit.ly/dwlBpJ)
Views: 130 Christiaan008
Microsoft Full Path Disclosure Vulnerability
 
01:48
Simple Full path disclosure in Stack Trace!
Improving KVM x86 Nested-Virtualization by Liran Alon
 
26:30
In this presentation, we will share our insights on the current state and issues of KVM nVMX support in various mechanisms. We will deep dive into an nVMX mechanism which had many issues: nVMX event injection. We will cover how it works, examine an interesting issue we have encountered, analyze its root cause and explain the fix we have upstreamed. Then, we will cover recent work done on other nVMX mechanisms at a high level, highlight pending nVMX issues which are still not resolved, and suggest possible directions for the future of nVMX. --- Liran Alon, Virtualization Architect, Oracle. Liran Alon is the Virtualization Architect of OCI Israel (Oracle Cloud Infrastructure). He is involved in and leads projects in multiple areas of the company's public cloud offering such as Compute, Networking and Virtualization. In addition, Liran is a very active KVM contributor (mostly, but not limited to, nVMX). He has been involved in the past few years in advancing the state of the art of KVM nested virtualization and the adjustment of QEMU/SeaBIOS/OVMF to support VMs from other hypervisors. In addition he worked on, and led, the development of Oracle Ravello's proprietary binary-translation hypervisor, which is optimized to run as a nested hypervisor (on top of the public cloud) and is able to expose AMD SVM with NPT (on CPUs with no HW virt-extensions), and many more virtualization challenges. Prior to his work at Oracle, Liran worked for over 6 years as a Security Researcher & Developer for the Israel PMO & IDF. There he gained vast experience in OS internals (Windows & Linux), kernel development, x86 architecture, reverse engineering, vulnerabilities, exploits, exploit mitigations and security-product internals. Liran has a B.Sc. in Computer Science from Tel-Aviv University. In addition, he regularly lectures on various OS internals courses.
Views: 319 KVM Forum
Java - Identify Command Injection
 
03:53
This video is part of a training product developed by nVisium to test students in a real application on competency with secure coding concepts. It originates from our Java course and covers mitigating Command Injection in our custom version of MoneyX, a Java Spring application. If you're interested in this product, reach out to us via [email protected]
Views: 578 nVisium