the work of security teams
play

The work of security teams Mateusz Kocielski shm@NetBSD.org - PowerPoint PPT Presentation

Nov 17, 2023 •160 likes •355 views

The work of security teams Mateusz Kocielski shm@NetBSD.org LogicalTrust pkgsrccon Krak ow, July 02, 2016 THANKS kamil@ & co-organizers THANKS kamil@ & co-organizers *applause.wav* whoami(1) pentester at LogicalTrust

  1. The work of security teams Mateusz Kocielski shm@NetBSD.org LogicalTrust pkgsrccon Krak´ ow, July 02, 2016

  2. THANKS kamil@ & co-organizers

  3. THANKS kamil@ & co-organizers *applause.wav*

  4. whoami(1) ◮ pentester at LogicalTrust ◮ open source committer: ◮ NetBSD - libsaslc(3), bozohttpd(8), hacking random things & secteam member ◮ PHP - bug finding & fixing ◮ security: ◮ PHP - CVE-2010-1868, CVE-2010-1917, CVE-2010-4150, CVE-2010-4156, CVE-2011-1938, CVE-2016-5768, ... ◮ stunnel - CVE-2013-1762 ◮ OpenSSH - CVE-2011-0539 ◮ Apache - CVE-2014-0117, CVE-2014-0226 ◮ FreeBSD - CVE-2015-1414 ◮ NetBSD - CVE-2015-8212, ... ◮ ...

  5. NetBSD & Security ◮ exploit mitigations ◮ ASLR ◮ PaX ◮ SSP ◮ FORTIFY ◮ kernel based NULL pointer dereferences ◮ blacklistd(8) ◮ veriexec(8) ◮ ... ◮ see security(7) ◮ it’s clear we all care about security

  6. Motivation behind this talk ◮ what’s going on behind security-team@ ◮ what we do ◮ what need to be done to issue a security report ◮ what can be done better

  7. security-related groups in the NetBSD ◮ security-alert@ - Security Alert Team ◮ An emergency contact address for notifying the NetBSD project of security issues. Less of a formal ’group’ than security-officer@. ◮ security-team@ - Security Team ◮ Responsible for handling security issue resolution and announcements. ◮ security-officer@ - Security-Officer ◮ Responsible for assisting to resolve security issues and preparing announcements. ◮ pkgsrc-security@ - pkgsrc Security Team ◮ Responsible for handling pkgsrc security issues.

  8. security-team@ - what you do? ◮ we try to keep the NetBSD code safe ◮ pressure of time ◮ we assist in ◮ cooperating with 3rd parties to exchange information on issues ◮ evaluating potential vulnerabilities ◮ preparing patches ◮ preparing advisories ◮ cooperating with other devs to keep our codebase safe ◮ http://www.netbsd.org/support/security/advisory.html ◮ 252 advisories since 1998 ◮ whole bug cycle usually takes from few hours to days

  9. security-team@ - advisories - stats per year 2000. 17 2001. 18 2002. 27 2003. 18 2004. 10 2005. 13 2006. 26 2007. 7 2008. 15 2009. 13 2010. 13 2011. 9 2012. 4 2013. 13 2014. 15 2015. 12 2016. 5

  10. security-team@ - cooperating with 3rd parties/devs ◮ cooperating with 3rd parties ◮ ”Hey NetBSD, there’s a bug in XXX” ◮ receiving confidential information about bugs in 3rd party software ◮ coordinated disclosure (usually information is embargoed until someday) ◮ ”Hey 3rd party software, there’s a bug in XXX” ◮ communication usually bases on trust → we have to keep the information in confidential ◮ ”Hey TCP-stack wizard, there’s a nasty bug in TCP implementation, may I ask you to help us fix that?”

  11. security-team@ - evaluating potential vulnerabilities ◮ evaluating bug impact ◮ local DoS that can be triggered by privileged user � = remote code execution due to bug in kernel ◮ trying to figure out the root cause ◮ looking for solutions and workarounds ◮ trying to figure out technical implications

  12. security-team@ - preparing patches ◮ working with random parts of the code ◮ security related patches should be crafted with carefulness ◮ PHP fixed few bugs... and introduced other vulnerabilities :) ◮ arrange pull-ups to supported branches ◮ coordinate devs ◮ need to deal with different versions of 3rd party software ◮ like unmaintained OpenSSL 0.9.x in NetBSD 5.x

  13. security-team@ - preparing advisory ◮ provide information on ◮ vulnerable branches ◮ technical details ◮ solutions and workarounds ◮ how to deal with bug ◮ how to fix from autobuilds ◮ how to fix from source ◮ requires writing in English... ◮ usually painful process (at least for me :))

  14. security-team@ - what can be done better? ◮ minimize time frame between notification about the bug and advisory publication ◮ binary patches (see FreeBSD’s freebsd-update(1)) ◮ Security Notices ◮ proactive NetBSD code audits

  15. Reporting a security issue ◮ contact security-alert@ (remember about PGP) ◮ send-pr(1) ◮ if you suspect the bug is important, then use security-alert@ ◮ provide as many details as you can ◮ root case/patches more than welcome

  16. How you can help? ◮ fix bugs from coverity scans ◮ notify us if you see potential hole in the NetBSD ◮ audit the NetBSD code ◮ try to provide as many details as you can ◮ we need fresh blood - join us to make the NetBSD safer place for you and me

  17. my projects - fuzzing + rump Become a hero: ◮ I’m fuzzing various parts of the NetBSD using rump(7) ◮ now I’m focused on network stack ◮ Address Sanitizer (other sanitizers?) ◮ if you want to join me, drop me a line → shm@NetBSD.org ◮ think about your master thesis/research/fun ◮ test my SMEP/SMAP implementation

  18. Q&A

Recommend

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives?

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives?

Welcome to JMS! FAQs How do the following programs work: Teams? Pre-AP? Electives? Lunch? Recharge? Pre-Enrollment? Academic Teams On Team English Language Arts Social Studies Science Off

202 views • 9 slides
IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am

IT Security Teams and Managed Security Services Working Together 2006 FIRST Conference Who am I? Chris van Breda, CD, CISSP, EnCE Click to add subtitle 2 Theme for the 2006 conference Sharing Intelligence in Global Response working

894 views • 72 slides
Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key

Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key

Navigating Complexity High-performance discovery teams 1 Tale of Two Teams >8 2 Key Learnings Two different types of work ; two different ways of thinking Accelerate discovery Maximize Learning MVPs Idea flow Better Ideas Collective

761 views • 55 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Practices and Charter Research Branch Security Council Affairs Division Department of Political Affairs United Nations August

490 views • 28 slides
Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security

Introduction to the Introduction to the Work of the Security Council Work of the Security Council Security Council Affairs Division Department of Political Affairs United Nations August 2013 Outline What is the Security Council?

189 views • 16 slides
FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is

FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is

MANAGEMENT FUNDAMENTALS Teamwork Lesson 6 Teamwork Why Teams @ Work Organization? Work in organizations is inter-connected HR Fin Prod Mkt IT Admin What is a Team? Two or more An unit of two or more people people who interact and

329 views • 15 slides
Thank you to you and your teams for all your work on the budget. This framework includes all of

Thank you to you and your teams for all your work on the budget. This framework includes all of

10/6/2017 TO: Chancellors FROM: Jim Johnsen RE: Budget Development Thank you to you and your teams for all your work on the budget. This framework includes all of the information we received from the universities. I look forward to our

324 views • 8 slides
Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team

Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team

Team Development Team Development Part III: Part III: Working in Teams Working in Teams May, 2001 Natural Work Teams Team Member Expectations Team Member Expectations Which expectations from our handout can we now add to our list?

645 views • 21 slides
Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in

Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in

Today In Class Rik Eberhardt Today In CMS.611 / 6.037 & SIT IN YOUR TEAMS Working in Teams Effectively Agile Review Team Dynamics How do distributed agile teams perform? Work in Class Review & Agile Processes

454 views • 24 slides
Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password

Open source password manager for teams 80% of security incidents are due to poor password management policies. ~ Trustwave Each year, over 125 millions hours of productivity are lost due to passwords management problematics. ~

950 views • 25 slides
Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex

Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex

Velocity Teams @ Work in Texas Critical Access Hospitals Julie Ketelsen, MPH, CHES Flex Coordinator Texas Department of Agriculture Flex Reverse Site Visit 2016 Why Have Velocity Teams? Improve quality outcomes Peer to Peer Support

236 views • 12 slides
Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter:

Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter:

Vocational Rehabilitation Teams Does the concept match the reality? Background Presenter: Lisa McAulay Regional Manager and Occupational Therapist for Fit For Work Masters Degree at AUT My research is focused on how New Zealand teams

468 views • 21 slides
Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer

255 105 0 149 149 149 225 225 225 68 84 106 84 28 0 0 0 153 65 0 102 Using Git Hooks to Help Your 40 40 40 Joo Santos Engineering Teams Work Software Engineer joao.santos@zalando.de Autonomously @joaomcsantos Europython 2015

511 views • 40 slides
T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the

T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the

T.I.M. TEAMS T raffic I ncident M anagement Team 1 Why T.I.M. TEAMS? Over 50% of the congestion is caused by non- recurring incidents. For every additional minute taken to clear a traffic incident, it will extend the duration an

241 views • 13 slides
TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership

TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership

LEADING TEAMS AGENDA Update on Leading Teams Values Exercise LEADING TEAMS Leadership development for middle managers, those who manage other managers LEADING TEAMS DES ran 3 pilots 34 agencies participated UPDATE

456 views • 12 slides
1 What makes a successful Successful software teams team? Studies show a 10 to 1 difference

1 What makes a successful Successful software teams team? Studies show a 10 to 1 difference

Why teams? CSE 403 Lecture 9 Project teams Team size Team structure Many different models Bigger is better Smaller is better Software development teams Chief programmer team Key points Brooks Surgeon team Technical

282 views • 3 slides
Smart Work: Embrace Change & Empower Your Teams to Drive Growth and Innovation A Panel

Smart Work: Embrace Change & Empower Your Teams to Drive Growth and Innovation A Panel

Smart Work: Embrace Change & Empower Your Teams to Drive Growth and Innovation A Panel Discussion IBM Software Group www.ibm.com/web20 April 1, 2009 Lets Build a Smarter Planet Smart Work for a Smarter Planet Panelists: Kathy

662 views • 35 slides
Disclaimer ! The%presenta6on%itself,%and%the%views% and%opinions%expressed%by%the%presenter%

Disclaimer ! The%presenta6on%itself,%and%the%views% and%opinions%expressed%by%the%presenter%

What%remains?%What%are%(really)%new? June%13,%2013 Shin%Adachi,% CISSP,&CISM,&CISA,&PMP Lead%Security%Analyst,%NTT%I CoChair,%Educa6on%Commi8ee,%FIRST NTT%Innova7on%Ins7tute,%Inc. %Forum%of%Incident%Response%and%Security%Teams

451 views • 12 slides
Group or Team Level Intervention Can We Question the Importance of Teams at Workplace in Present

Group or Team Level Intervention Can We Question the Importance of Teams at Workplace in Present

Group or Team Level Intervention Can We Question the Importance of Teams at Workplace in Present Times? Executive teams run corporations. Project teams create new products and services. Matrix teams help develop everything from banking

314 views • 17 slides
Dancing to the same tune How can local and central IT teams work better together? Dr Rim El Kadi

Dancing to the same tune How can local and central IT teams work better together? Dr Rim El Kadi

Dancing to the same tune How can local and central IT teams work better together? Dr Rim El Kadi Rim.kadi@anu.edu.au So can central IT and the local areas dance TOGETHER? https://www.youtube.com/watch?v=4M5ghF14DLo The University IT

828 views • 33 slides
Essential Techniques for Leading Software Teams in the Work From Home Era Robin Bate Boerop 13

Essential Techniques for Leading Software Teams in the Work From Home Era Robin Bate Boerop 13

Essential Techniques for Leading Software Teams in the Work From Home Era Robin Bate Boerop 13 August 2020 Agenda Why Lead? Audience About Me Context, Part 1: Work-From-Home Needs Context, Part 2: Definition of Leadership

585 views • 41 slides
Session 2: Leading Innovation in Legal Aid Teams Checking-in Accelerator Goals 1) Develop

Session 2: Leading Innovation in Legal Aid Teams Checking-in Accelerator Goals 1) Develop

Session 2: Leading Innovation in Legal Aid Teams Checking-in Accelerator Goals 1) Develop strategies for leading teams in the face of uncertainty 2) Advance an organizational project Program Overview Capstone What is Project work Team

1.11k views • 95 slides
Course Introduction SWEN-343 Welcome Goals for the Course Prepare you for real world Be ready

Course Introduction SWEN-343 Welcome Goals for the Course Prepare you for real world Be ready

Course Introduction SWEN-343 Welcome Goals for the Course Prepare you for real world Be ready to work with diverse systems Diverse teams Work with teams (intra team) Create & Maintain Enterprise apps How is this course different!? What

645 views • 48 slides
High-Functioning Teams: What Makes Them Work, and What Makes Them Fail? Sea Pines Family

High-Functioning Teams: What Makes Them Work, and What Makes Them Fail? Sea Pines Family

High-Functioning Teams: What Makes Them Work, and What Makes Them Fail? Sea Pines Family Medicine Update July, 2018 Sharon K. Hull, MD, MPH Professor, Community and Family Medicine Director, Duke University School of Medicine Executive

419 views • 27 slides

More recommend