Talks

Python for security projects [hacking, pentesting]

Python has become the most widely used language for developing tools in the security field. Many of the tools available today, such as port scanners, vulnerability analysers, brute-force and password-cracking tools, are written in it, and it also offers an ecosystem of libraries for carrying out security testing and application pentesting. Points to be covered include:
- Security tools written in Python (sqlmap, theHarvester, SPARTA)
- Libraries for gathering information about the target, such as Shodan, pygeocoder and pygeoip
- Analysis and extraction of metadata from images and documents in Python
- Port scanning with tools such as python-nmap
- Connecting to FTP and SSH servers
The goal of the talk is to show what the Python standard library and third-party libraries offer for building tools that perform security testing and application pentesting. There will be a live demo of a pentesting tool built from scratch with some of the modules discussed.
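As an added example (not code from the talk or from python-nmap, which wraps the nmap binary), the following shows the TCP connect scan that underlies such tools using only the standard library, with banner grabbing on open ports. So that it runs offline, it starts its own listener on 127.0.0.1 that answers with a constructed banner; the host, port range and banner text are assumptions for the demo. It distinguishes "closed" (connection refused) from "filtered" (no answer within the timeout), which is what a practitioner reads from a scan.

```python
"""Minimal TCP connect scanner with banner grabbing (stdlib only).

Added example, not the talk's code. A local listener on 127.0.0.1 replying
with a constructed banner stands in for a real service so the scan runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

FAKE_BANNER = b"220 demo-ftp ready\r\n"   # constructed banner for the local listener


def start_fake_service(host="127.0.0.1"):
    """Listen on an ephemeral port and send FAKE_BANNER to every client; return (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed by the caller
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def probe(host, port, timeout=0.5):
    """Return (port, state, banner) where state is 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:           # no SYN/ACK and no RST: something is dropping packets
        s.close()
        return port, "filtered", ""
    except OSError:                  # typically ECONNREFUSED: RST came back
        s.close()
        return port, "closed", ""
    try:
        banner = s.recv(128).decode(errors="replace").strip()
    except OSError:
        banner = ""
    finally:
        s.close()
    return port, "open", banner


def scan(host, ports, workers=32):
    """Connect-scan the given ports concurrently; return {port: (state, banner)} for open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: probe(host, p), ports))
    return {p: (state, banner) for p, state, banner in results if state == "open"}


if __name__ == "__main__":
    port, srv = start_fake_service()
    try:
        for p, (state, banner) in sorted(scan("127.0.0.1", range(port - 5, port + 5)).items()):
            print(f"{p}/tcp {state} {banner}")
    finally:
        srv.close()
```

A connect scan completes the three-way handshake, so it is logged by the target like any client connection; nmap's default SYN scan needs raw sockets (root) and is why python-nmap shells out to the binary instead of reimplementing it.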

Increasing Web Security With The Power Of HTTP Headers

Nowadays everyone uses a web browser on a daily basis for tasks such as reading email or shopping on e-commerce portals. Web developers often forget that a browser is a piece of software that can be used as a remote code execution engine, into which malicious code can be injected either by exploiting a Cross-Site Scripting (XSS) vulnerability or by carrying out a man-in-the-middle (MITM) attack. The focus of this talk is to explain how newer browser security headers (HSTS, HPKP, CSP) can easily add an extra layer of defence against common web security vulnerabilities. (HPKP has since been deprecated and removed from the major browsers.) These could be the talking points:
- Introduction to web browser security, explaining why secure transport matters and what HTTPS provides in terms of confidentiality, authenticity and integrity
- Analysis of newer headers such as HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) and Content Security Policy (CSP), explaining how they work to prevent downgrade attacks on HTTPS (SSL stripping), XSS and clickjacking
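The following is an added example, not code from the talk: a small auditor that parses the headers the talk covers and reports the weaknesses a reviewer looks for, namely a missing or short-lived HSTS policy (downgrade), a CSP that still permits inline scripts (XSS) and the absence of both frame-ancestors and X-Frame-Options (clickjacking). HPKP is left out deliberately because browsers no longer honour it. The sample header sets are constructed, and the one-year max-age threshold is an assumption taken from the HSTS preload list requirement.

```python
"""Audit the security headers of an HTTP response (added example, not the talk's code).

Input is a dict of response headers; output is a list of findings. Sample
headers in the test are constructed, not captured from a real site.
"""

MIN_HSTS_AGE = 31536000   # one year; assumed threshold (what the preload list requires)
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_directives(value):
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def parse_csp(value):
    """\"default-src 'self'; script-src 'self' cdn.example\" -> {'default-src': [\"'self'\"], ...}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit(headers):
    """Return findings as strings; an empty list means the checked protections are in place."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: without it the first http:// request can be stripped to plaintext by a MITM
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first request over http:// can be downgraded")
    else:
        d = parse_directives(hsts)
        try:
            age = int(d.get("max-age", "0") or 0)
        except ValueError:
            age = 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age={age} is short; the policy expires quickly")
        if "includesubdomains" not in d:
            findings.append("HSTS without includeSubDomains: subdomains can still be downgraded")

    # CSP: script-src (falling back to default-src) decides which scripts may execute
    csp = h.get("content-security-policy")
    frame_ancestors = None
    if csp is None:
        findings.append("CSP missing: no browser-side restriction on script sources")
    else:
        p = parse_csp(csp)
        scripts = p.get("script-src", p.get("default-src", []))
        has_nonce_or_hash = any(t.startswith(NONCE_OR_HASH) for t in scripts)
        # CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash is also present
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("CSP allows 'unsafe-inline' scripts, which defeats XSS mitigation")
        if "*" in scripts:
            findings.append("CSP script-src allows scripts from any origin")
        frame_ancestors = p.get("frame-ancestors")

    # Clickjacking: frame-ancestors supersedes X-Frame-Options, but either one blocks framing
    xfo = h.get("x-frame-options", "").upper()
    if frame_ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: neither CSP frame-ancestors nor X-Frame-Options is set")
    return findings
```

Run it against the headers of a real response (for example from requests.get(url).headers) to get the same report; the parsers are independent of how the headers were obtained.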

GrayLog for Java developers FOSDEM 2018

For developers, application logs are critical to figuring out what's going on inside the apps we create. We tail them. We search them. We analyse and graph them. In this talk I will show Graylog, an open source log management tool providing central storage, processing and analysis of log messages, powered by Java, MongoDB and Elasticsearch. These could be the talking points:
1. Graylog architecture. The Graylog server is written in Java, and several server nodes can be combined into a cluster for high availability and scalability. Graylog uses Elasticsearch as the database for log messages and MongoDB for application data.
2. Searching and analysing: the Graylog web interface. Graylog also has a web interface for searching and viewing messages. Filters can be applied and saved as logical "streams", allowing you to look at a slice of your data.
3. Use case: configuring Graylog in Java projects with Maven. As the standard format for log events, Graylog promotes the Graylog Extended Log Format (GELF). I will show a use case configuring Graylog inside a Java project with a GELF appender.
4. Integrating Graylog with Logstash. To build a complete logging solution, Graylog can be combined with Logstash with a small modification of Logstash and a custom Graylog plugin.
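The talk configures a Java GELF appender; as an added example (not the talk's code, and in Python rather than Java so the wire format itself is visible), the following builds a GELF 1.1 message, ships it over UDP and decodes it the way a Graylog UDP input would. GELF is JSON with the required fields version, host and short_message, optional full_message, timestamp and level (syslog severities), and additional fields prefixed with an underscore, with _id reserved; Graylog accepts raw, gzip- or zlib-compressed datagrams. The local UDP listener, host name and field values are constructed stand-ins for a Graylog input.

```python
"""Build, send and decode a GELF 1.1 message over UDP (added example, not the talk's code).

A local UDP socket stands in for a Graylog UDP input so the round trip runs offline.
"""
import gzip
import json
import socket
import time
import zlib

GELF_VERSION = "1.1"
SYSLOG_ERROR = 3   # GELF 'level' uses syslog severities: 0=emerg ... 7=debug


def build_gelf(host, short_message, level=6, full_message=None, timestamp=None, **extra):
    """Return a GELF message dict; keyword extras become '_'-prefixed additional fields."""
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": timestamp if timestamp is not None else time.time(),
        "level": level,
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved by GELF; rename this field")
        msg["_" + key] = value
    return msg


def encode_gelf(msg, compress=True):
    """Serialize to compact JSON, gzip-compressed by default as Graylog accepts."""
    raw = json.dumps(msg, separators=(",", ":")).encode()
    return gzip.compress(raw) if compress else raw


def decode_gelf(datagram):
    """Detect gzip (1f 8b), zlib (78 ..) or raw JSON and validate the required fields."""
    if datagram[:2] == b"\x1f\x8b":
        datagram = gzip.decompress(datagram)
    elif datagram[:1] == b"\x78":
        datagram = zlib.decompress(datagram)
    msg = json.loads(datagram)
    for required in ("version", "host", "short_message"):
        if required not in msg:
            raise ValueError(f"GELF message missing required field {required!r}")
    return msg


def send_gelf(msg, addr, compress=True):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(encode_gelf(msg, compress), addr)


def demo_roundtrip():
    """Send a constructed auth-failure event to a local listener and return the decoded message."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))           # stand-in for a Graylog UDP input
        srv.settimeout(2)
        msg = build_gelf("app01", "Login failed", level=SYSLOG_ERROR,
                         full_message="Login failed for user bob from 10.0.0.5",
                         user="bob", src_ip="10.0.0.5", app="auth-service")
        send_gelf(msg, srv.getsockname())
        data, _ = srv.recvfrom(8192)
        return decode_gelf(data)


if __name__ == "__main__":
    print(json.dumps(demo_roundtrip(), indent=2))
```

Putting facts such as the user and source IP into separate additional fields (rather than only into the text) is what makes them searchable and graphable in streams later. UDP is fine for a demo, but it offers no delivery guarantee or integrity; for logs that feed security investigations, use Graylog's TCP input with TLS.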

Everything you need to know about containers security FOSDEM 2018

Security is important, but not everyone cares about it until something bad happens. In this talk I'll cover the main tips for integrating security into containers, sharing my knowledge and experience to help people focus more on container security. I will review the state of the art in application security practices and the best practices for building more secure containers, and look at organisational, process and technology changes that secure applications in ways that incorporate, but go beyond, testing for vulnerabilities: what developers can do before checking in code, and what application security looks like in production. These could be the main talking points:
- How to integrate security into the iteration and deployment pipeline. This means automating as many security tests as possible so that they run alongside all the other automated tests. These tests should run on every code commit, starting in the earliest stages of a project.
- How to integrate preventive security controls into shared source code repositories and shared services. Shared repositories let anyone discover and reuse the collective knowledge of the organisation, not only for code but also for toolchains, deployment pipelines and security. That security knowledge should include mechanisms or tools for safeguarding applications and environments, such as specific libraries for security support. It is also important to keep security artifacts in version control so that containers can be checked for vulnerabilities in specific third-party libraries.
- How to secure your development environments. It is important to ensure that all environments minimise security risk. This involves writing automated tests to verify that configuration hardening, database security, key lengths and so on have been applied correctly, and scanning environments with a vulnerability scanner. I will show the main tools for detecting vulnerabilities within container images.

Testing Docker Images Security

This talk presents best practices for security reviews of Docker images. First, an overview of the process of deploying an image to the official Docker Hub repository. Second, the main attack surfaces and threats affecting those images. Finally, how vulnerabilities in images can be detected with tools that automate the process, together with other code analysis techniques and the best practices for remediating those vulnerabilities. There will be demos with open source tools and some use cases in Python.

Discovering Python Search Engine

An introduction to search engines in general, covering the concepts of indexing and content creation and more advanced ones such as search optimisation. Search engines in Python: the main engines we can integrate into our applications are Elasticsearch; PostgreSQL full-text search, which adds search capabilities to web applications built with Django; and Whoosh, a module that adds search and content indexing to applications and websites. How to introduce these engines into our applications: a practical example will be shown for each engine. For instance, an application could read comments from Twitter and store the most relevant information in one of the search engines so that other applications can access the data.
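To make the indexing concept concrete, here is an added example (not the talk's code; Whoosh and Elasticsearch do the same thing at scale): a minimal inverted index that maps each term to the documents containing it and answers an AND query by intersecting posting lists and ranking by term frequency. The tweets it indexes are constructed, and the tokenizer and stop-word list are simplifications assumed for the demo.

```python
"""A minimal inverted index (added example; Whoosh/Elasticsearch do this at scale).

Documents are constructed tweets; tokenizer and stop words are deliberately simple.
"""
import re
from collections import Counter, defaultdict

TOKEN = re.compile(r"[a-z0-9#@]+")
STOPWORDS = {"the", "a", "an", "of", "in", "on", "and", "to", "is", "at", "for", "with"}


def tokenize(text):
    """Lower-case, split on non-token characters, drop stop words."""
    return [t for t in TOKEN.findall(text.lower()) if t not in STOPWORDS]


class InvertedIndex:
    def __init__(self):
        self.postings = defaultdict(dict)   # term -> {doc_id: term frequency}
        self.docs = {}                      # doc_id -> original text

    def add(self, doc_id, text):
        self.docs[doc_id] = text
        for term, tf in Counter(tokenize(text)).items():
            self.postings[term][doc_id] = tf

    def search(self, query):
        """AND query: documents containing every term, best-scoring (summed tf) first."""
        terms = tokenize(query)
        if not terms:
            return []
        candidates = None
        for term in terms:
            ids = set(self.postings.get(term, {}))
            candidates = ids if candidates is None else candidates & ids
            if not candidates:
                return []
        scores = {d: sum(self.postings[t][d] for t in terms) for d in candidates}
        return sorted(scores, key=lambda d: (-scores[d], d))


# Constructed sample data standing in for tweets read through an API
SAMPLE_TWEETS = {
    1: "New python security talk at #pycones about docker images",
    2: "Docker docker docker: scanning images for vulnerabilities in python",
    3: "Elasticsearch and whoosh are great search engines for python apps",
    4: "Weekend plans: nothing to do with security",
}


def build_index(tweets=SAMPLE_TWEETS):
    idx = InvertedIndex()
    for doc_id, text in tweets.items():
        idx.add(doc_id, text)
    return idx


if __name__ == "__main__":
    idx = build_index()
    for q in ("python docker", "security", "elasticsearch docker"):
        print(q, "->", [idx.docs[d] for d in idx.search(q)])
```

A real engine adds what this leaves out: inverse document frequency so common terms count less, positional postings for phrase queries, stemming, and an on-disk segment format; the posting-list intersection is the same.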

Testing Docker Images Security

Docker is a great technology that allows developers to build and deploy the infrastructure of an application as a single image built from source, but security is one of its biggest challenges. In this talk we present the best practices and lessons learned from security reviews of Docker image deployments. These could be the main talking points:
1. Introduction to the Docker security ecosystem, examining the main parts of a Docker application.
2. Tools for auditing Docker images and detecting vulnerabilities, such as docker-bench-security and Lynis. The aim of these tools is to detect potential vulnerabilities in Docker images and containers and to audit the host and running containers for insecure configuration.
3. Other tools for testing the security of a Docker container. We can use tools such as Jenkins or Travis CI for automated testing and Coveralls to ensure that all lines of code inside the image are covered by tests.
4. Security best practices for deploying Docker containers in production.
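Serving this abstract, the Spanish one above it and the container-security pipeline talk, here is an added example (not the talk's code, and not docker-bench-security or Lynis, which audit the host and running containers): a build-time Dockerfile check of the kind that can run on every commit in the pipeline. It parses the Dockerfile, including line continuations, and flags the patterns that recur in image reviews: an unpinned base image, secrets baked into ENV/ARG, ADD instead of COPY, downloads piped into a shell, world-writable files, SSH exposed and running as root. The rule set and both sample Dockerfiles are constructed for the example.

```python
"""Static security checks for a Dockerfile (added example; rules are assumptions, not a standard).

Both sample Dockerfiles below are constructed, not taken from a real project.
"""
import re

SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)
PIPE_TO_SHELL = re.compile(r"(curl|wget)[^|]*\|\s*(sudo\s+)?(ba)?sh\b")
WORLD_WRITABLE = re.compile(r"\bchmod\s+(-R\s+)?777\b")


def parse_dockerfile(text):
    """Return [(INSTRUCTION, argument)], skipping comments and joining '\\' continuations."""
    instructions, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        parts = (buf + stripped).strip().split(None, 1)
        buf = ""
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return instructions


def lint(text):
    """Return a list of findings for the Dockerfile text; empty means no rule fired."""
    findings = []
    last_user = "root"          # Docker runs as root unless a USER instruction says otherwise
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            image = arg.split()[0]                      # drop 'AS stage'
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append(f"FROM {image}: unpinned tag, builds are not reproducible")
        elif instr == "ADD":
            if re.match(r"https?://", arg):
                findings.append("ADD from URL: fetch with curl/wget and verify a checksum instead")
            else:
                findings.append("ADD for local files: prefer COPY (ADD silently extracts archives)")
        elif instr == "RUN":
            if PIPE_TO_SHELL.search(arg):
                findings.append("RUN pipes a download straight into a shell with no integrity check")
            if re.search(r"\bapt-get install\b", arg) and "--no-install-recommends" not in arg:
                findings.append("RUN apt-get install without --no-install-recommends bloats the image")
            if WORLD_WRITABLE.search(arg):
                findings.append("RUN chmod 777: world-writable files inside the image")
        elif instr in ("ENV", "ARG"):
            name = re.split(r"[=\s]", arg, maxsplit=1)[0]
            if SECRET_NAME.search(name):
                findings.append(f"{instr} {name}: secret baked into image layers and metadata")
        elif instr == "USER":
            last_user = arg.strip()
        elif instr == "EXPOSE":
            if "22" in arg.split():
                findings.append("EXPOSE 22: an SSH daemon inside a container is rarely justified")
    if last_user in ("root", "0"):
        findings.append("Container runs as root: add a USER instruction")
    return findings


SAMPLE_DOCKERFILE = """\
# constructed example of a weak Dockerfile
FROM python:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN apt-get update && apt-get install -y curl \\
    && curl -sSL https://example.invalid/install.sh | sh
COPY . /app
RUN chmod -R 777 /app
EXPOSE 22 8080
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
# constructed example of the same image after review
FROM python:3.12-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --create-home app
COPY --chown=app:app . /app
USER app
EXPOSE 8080
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for name, df in (("weak", SAMPLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint(df) or ["no findings"])
```

Pinning by tag still trusts the registry; pinning by digest (image@sha256:...) is what makes the build reproducible, and the rule accepts either. A check like this belongs next to the image vulnerability scan in CI, not instead of it: it catches what the author wrote, the scanner catches what the base image shipped.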

OSINT Tools for Security Auditing

This talk is an introduction to open source intelligence (OSINT) automation tools developed in Python, describing the process we can follow to obtain, analyse and exploit public information from social networks and public servers. The final objective is to gain as much knowledge as possible about the context we are auditing. The talking points could be:
- Introduction to searching for information from multiple sources with OSINT tools.
- OSINT tools developed in Python for extracting public information from servers and domains.
- Advantages and limitations of these tools from the user's point of view.
- How these tools are built and the main modules used in their development.
Some of the tools to be covered are:
- The Censys and Shodan Python APIs as search engines for server information.
- SpiderFoot and recon-ng as tools for extracting information from multiple sources and automating the footprinting process.
- theHarvester as a Python script for extracting email addresses and hostnames for a particular domain.
- OSRFramework and Maltego as OSINT visualisation tools.
- Libraries and modules for collecting information from the Tor and ZeroNet networks.
- Tinfoleak and Tweepy as Python tools for data extraction on Twitter.
- The FullContact API for obtaining the social network profiles associated with an email address.
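As an added example of the core of what theHarvester does (not its code; it collects the raw text from search engines and other sources, which is skipped here so the example runs offline), the following pulls email addresses and hostnames belonging to a target domain out of page text. The input is a constructed excerpt and the domain is an assumption. The point worth noticing is the scoping: a host belongs to the target only if it equals the domain or ends with ".domain", so notexample.com and example.com.evil-mirror.org are correctly rejected even though both contain the target string.

```python
"""Harvest e-mail addresses and hostnames for a target domain from text (added example).

Input is a constructed excerpt standing in for search-engine results or crawled pages.
"""
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
HOST = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")


def in_scope(host, domain):
    """True only for the domain itself or a real subdomain (dot-separated suffix match)."""
    return host == domain or host.endswith("." + domain)


def harvest(text, domain):
    """Return (sorted e-mails, sorted hostnames) that belong to `domain`, lower-cased and deduplicated."""
    domain = domain.lower()
    emails, hosts = set(), set()
    for m in EMAIL.finditer(text):
        addr = m.group(0).lower()
        if in_scope(addr.split("@", 1)[1], domain):
            emails.add(addr)
    for m in HOST.finditer(text):
        host = m.group(1).lower().strip(".")
        if in_scope(host, domain):
            hosts.add(host)
    return sorted(emails), sorted(hosts)


# Constructed excerpt, not a real crawl; example.com is the assumed target
SAMPLE_PAGE = """\
Contact: Alice.Smith@Example.com, bob@mail.example.com, press@notexample.com
Careers at https://jobs.example.com/apply ; VPN portal vpn.example.com.
Mirror: example.com.evil-mirror.org  Partner: partner.org admin@partner.org
"""

if __name__ == "__main__":
    emails, hosts = harvest(SAMPLE_PAGE, "example.com")
    print("emails:", *emails, sep="\n  ")
    print("hosts:", *hosts, sep="\n  ")
```

Feeding the hostnames into a resolver or a Shodan/Censys lookup is the next step in the footprinting process the talk describes; the scoping rule above is what keeps those follow-up queries inside the engagement's authorisation.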

Conferences

Conferences 2019
Slides / Video / Conference link
docker DOCKER. Seguridad y monitorización en contenedores e imágenes [Meetup] [Ulab 2019]
python Testing python security [Pyconweb] [Pyconweb 2019]
nodejs Testing NodeJS security [YouTube] [FOSDEM 2019]
python DARKWEB + PYTHON: DISCOVER, ANALYZE AND EXTRACT INFORMATION FROM HIDDEN SERVICES [YouTube] [PYCONIT 2019]
Conferences 2018
Slides / Video / Conference link
python Testing python security [YouTube] [PYCONIE]
docker Common Vulnerabilities & Exposures (CVE) In Docker Containers [YouTube] [Sonatype] [ALLDAYDEVOPS] [Article]
python Python & OSINT para proyectos de seguridad [YouTube] [BITUP] [Article]
python Testing python security [YouTube] [PYCONES] [PYCONES-2018-Conference-Talks]
python Microservices and serverless in python projects [YouTube] [EUROPYTHON] [EuroPython-2018-Conference-Talk-Videos]
python Python para proyectos de seguridad [YouTube] [Linux Center]
python Introducción a python [YouTube] [Linux Center]
graylog GrayLog for Java developers [YouTube] [FOSDEM]
docker security Everything you need to know about containers security [YouTube] [FOSDEM]
Conferences 2017
Slides / Video / Conference link
OWASP Increasing Web Security With The Power Of HTTP Headers [YouTube] [OWASP APPSEC EU 2017]
docker Testing Docker Images Security [LINUXLAB IT]
docker Testing Docker Images Security [YouTube] [NOCONNAME]
docker Testing Docker Images Security [YouTube] [ALL DAY DEVOPS]
python Discovering Python Search Engine [YouTube] [PYCONES]
python Discovering Python Search Engine - [PYSS]
docker Testing Docker Images Security [YouTube] [BSIDES]
osint OSINT Tools for Security Auditing [YouTube] [FOSDEM]
security Footprinting for security auditors [YouTube] [FOSDEM]
Conferences 2016
Slides / Video / Conference link
osint OSINT Tools for security auditing [YouTube] [PYCONES]
python WebScraping with asyncio [YouTube] [PYCONIE]
nodejs Testing NodeJS Security [YouTube] [CODEMOTION]
python Ethical hacking with Python tools [YouTube] [EUROPYTHON]
python Hacking ético con herramientas Python [YouTube] [EUROPYTHON]
python Python tools for webscraping [YouTube] [PYDATA]
python Python para desarrolladores web [YouTube] [T3CHFEST]
Conferences 2015
Slides / Video / Conference link
python Comparing Python ORM - Track Avanzado [YouTube] [PYCONES]
python Seguridad y criptografía en Python - Track Científico [YouTube] [PYCONES]
android Testing Android Security [YouTube] [CODEMOTION]
security Seguridad en dispositivos móviles [YouTube] [YouTube]
jvm Comparing JVM Languages [YouTube] [JBCNCONF]
python Python Security & Cryptography [YouTube] [EUROPYTHON]
web Web Cryptography [YouTube] [JSDAY]
web Mobile Backend as a Service (MBaaS) [YouTube] [T3CHFEST]
Conferences 2014
Slides / Video / Conference link
android Android in Practice [YouTube] [T3CHFEST]