Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda DevOps Growing
before 1.1.4 allows attackers to cause a denial of service (memory exhaustion and servlet outage) via unknown vectors related to a large number of calls in a batch.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/21955</url> <name>21955</name> </reference> <reference> <source>CONFIRM</source> <url>http://getahead.ltd.uk/dwr/changelog</url> <name>http://getahead.ltd.uk/dwr/changelog</name> </reference> <reference> <source>OSVDB</source> <url>http://osvdb.org/32658</url> <name>32658</name> </reference>
2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.</description> <references> <reference> <source>BID</source> <url>http://www.securityfocus.com/bid/64758</url> <name>64758</name> </reference> This is the one that allowed me to metasploit myself.
modern world. I recognize the awesome responsibility that comes with this foundational role. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic and national security. I recognize these things – and I choose to be rugged.
-v /Users/mk/code/loca:/tmp/target/ owasp/pipeline:0.8.1 \
  -d \
  -t owaspdependencycheck \
  -f csv \
  /tmp/target/

* For ease of Docker setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.
--name pipe jemurai/pipeline:0.8
2. docker exec -it pipe bash
   docker ps (find your image name)
to make it easy and straightforward to extend in expected ways.
• These illustrate the challenges of security automation.
(Architecture diagram; labels: Mounter, Files, Code, Live, Filter, Reporter, “Tasks”)
1. docker run -i -t --entrypoint=/bin/bash jemurai/pipeline:0.8
2. cd pipeline/lib/pipeline/tasks/
3. cp bundler-audit.rb test.rb
4. Edit to always create a finding (or use the following example for grep)
5. cd /../../lib
6. …/bin/pipeline -t test /tmp/
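A stand-alone Ruby sketch of the grep-style task that step 4 alludes to, added here as an example and not pipeline's own code: it models the task, filter and reporter stages from the architecture slide (run greps a mounted directory, analyze de-duplicates findings by fingerprint, report_csv emits the CSV that the `-f csv` option produces) over a constructed sample tree. The patterns, the GrepTask class and the Finding struct are assumptions for illustration, not pipeline's BaseTask API.

```ruby
%w[csv digest fileutils tmpdir].each { |lib| require lib }
# Stand-alone model of a pipeline task; NOT pipeline's own BaseTask/Finding classes.
Finding = Struct.new(:task, :file, :line, :severity, :description, :fingerprint)

class GrepTask
  # Constructed patterns for the grep-style task of step 4 (an assumption, not from the slides).
  PATTERNS = { /password\s*=\s*['"][^'"]+['"]/i => "hard-coded password",
               /AKIA[0-9A-Z]{16}/ => "AWS access key id" }.freeze

  def initialize(target_dir) # target_dir plays the role of the mounted /tmp/target/
    @target, @findings = target_dir, []
  end

  def run # walk the target tree and grep every regular file, one finding per match
    Dir.glob(File.join(@target, "**", "*")).sort.each do |path|
      next unless File.file?(path)
      rel = path.sub("#{@target}/", "")
      File.foreach(path).with_index(1) do |text, lineno|
        PATTERNS.each do |re, desc|
          next unless text.match?(re)
          # Fingerprint = file + issue + normalised line, so a repeated identical line dedupes.
          fp = Digest::SHA256.hexdigest([rel, desc, text.strip].join("|"))[0, 16]
          @findings << Finding.new("grep", rel, lineno, "medium", desc, fp)
        end
      end
    end
    @findings
  end

  def analyze # filter stage: de-duplicate by fingerprint
    @findings = @findings.uniq(&:fingerprint)
  end

  def report_csv # reporter stage, matching the slides' `-f csv`
    CSV.generate do |csv|
      csv << %w[task file line severity description fingerprint]
      @findings.each { |f| csv << f.to_a }
    end
  end
end

# Constructed sample tree standing in for the mounted code directory (fake key, fake passwords).
SAMPLE_FILES = { "config/database.yml" => "adapter: postgres\npassword = \"hunter2\"\n",
                 "lib/client.rb" => "KEY = 'AKIAABCDEFGHIJKLMNOP'\npassword = \"s3cret\"\npassword = \"s3cret\"\n" }

def run_demo # returns [raw finding count, de-duplicated count, csv report]
  Dir.mktmpdir do |dir|
    SAMPLE_FILES.each do |rel, body|
      FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
      File.write(File.join(dir, rel), body)
    end
    task = GrepTask.new(dir)
    raw = task.run.size
    [raw, task.analyze.size, task.report_csv]
  end
end
```

Running run_demo yields four raw matches, three findings after the fingerprint filter, and a four-line CSV (header plus three rows).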