Know Your Security Model

•Descargar como PPTX, PDF•

0 recomendaciones•694 vistas

This document discusses .NET Framework 4 security architecture, including application domains, code verification processes, code access security (CAS), role-based security concepts like authentication and authorization, and cryptography. It also covers security transparency attributes, demonstrates a MS13-015 vulnerability exploit, and provides contact information for the author.

Tecnología

Know Your Security Model
Mikhail Shcherbakov
9-я конференция .NET разработчиков
12 октября 2014
dotnetconf.ru

2
About me
• Senior software developer at Positive
Technologies
• Working on Application Inspector - source
code analyzer
• Previous team lead at Acronis and Luxoft

3
Terms
C# 5.0 Language Specification
Common Language Infrastructure (CLI) Standard ECMA-335

4
.NET Framework 4 Security
Architecture
• Application Domains
• The verification process
• Code Access Security (CAS)
o Policy
o Permissions
o Enforcement
• Role-based security
o Authentication
o Authorization
o Principal and Identity
• Cryptography

5
.NET Framework 4 Security
Architecture
• Application Domains
• The verification process
• Code Access Security (CAS)
o Policy
o Permissions
o Enforcement
• Role-based security
o Authentication
o Authorization
o Principal and Identity
• Cryptography

6
Knowledge in Practice
• CAS is the base of security
• Development of extensible and security-
sensitive applications
• Troubleshooting and knowledge about the
internals
o ASP.NET / IIS o Silverlight
o SQL CLR o XBAP
o ClickOnce o Sharepoint

7
Application Domains
• Fully Trusted and Partially Trusted
• Heterogeneous and Homogeneous
• Sandboxing by AppDomain

8
Type Safety
• C# compilation
• Just-in-time (JIT) compilation
• Native Image Generator (Ngen.exe)
• PEVerify tool

9
Code Access Security
• Policy (deprecated in .NET Framework 4)
• Permissions
• Enforcement
o Fully Trusted assemblies in Partially Trusted AppDomain
o Security Transparency Code
o Assert permissions
o SecurityPermission o RegistryPermission
o ReflectionPermission o SocketPermission
o FileIOPermission o WebPermission

10
Level 2 Security Transparency
Critical
Full Trust code that can do anything
Safe Critical
Full Trust code Provides access to Critical code
Transparent
Only verifiable code Cannot p/invoke Cannot elevate/assert

11
Security Transparency Attributes
Assembly
Level
Type
Level
Member
Level
SecurityTransparent   
SecuritySafeCritical   
SecurityCritical   
AllowPartiallyTrustedCallers   
SecAnnotate.exe - .NET Security Annotator Tool

12
Demo MS13-015 vulnerability
Could Allow Elevation of Privilege (KB2800277)
Exploited by Trusted Chain attack

13
Thank you for your attention!
Mikhail Shcherbakov
Positive Technologies
linkedin.com/in/mikhailshcherbakov
yuske.dev@gmail.com
github.com/yuske

Más contenido relacionado

La actualidad más candente

Static Files in the Modern Web Age

Alec Gleason

Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...

mfrancis

Defensive programming

Mark Reynolds

Dos and Don'ts of Android Application Security (Security Professional Perspec...

Bijay Senihang

On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale. While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell. What should companies or organizations do? Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session. To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh

The Log4Shell Vulnerability – explained: how to stay secure

Kaspersky

[OWASP Poland Day] Saving private token

OWASP

Hp fortify source code analyzer(sca)

Nagaraju Repala

Securing Serverless - By Breaking In

Guy Podjarny

DevSecCon Seatlle 2019 - Workshop The workshop is meant for developers, architects and security folks. During the workshop we will learn how to setup a GraphQL project, define a schema, create Query, Mutation and Subscription for a "fake" social network. We will learn what are the main security issues to consider when developing a GraphQL application: Introspection: information disclosure /graphql as a single point of failure (DoS attacks) IDOR Broken Access control Injections Once we get familiar with the issues, we will explain how to avoid it and/or fix it.

Attacking and defending GraphQL applications: a hands-on approach

Davide Cioccia

[OWASP Poland Day] OWASP for testing mobile applications

OWASP

Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup

Davide Cioccia

Managing Security Requirements in Software Projects Security requirements, and more broadly Non-Functional Requirements (NFRs), are often critical to the development of software. Unfortunately, many traditional and agile development methodologies tend to focus on features with little attention paid to NFRs. As a result, most organizations do not rigorously track NFRs alongside functional requirements, which leads to increased costs and – in the case of security – significant risk down the road. This presentation focuses on how to practically build systematic security and NFRs into the development process. We will address the following: - How do people currently address NFRs - Challenges with current approaches - Addressing recurring issues with an NFR library - Defining library goals - Selecting a repository for re-usable requirements - Selecting information sources - Add requirements to the repository - Using the library in development projects Learning objectives: - Understand shortcomings in current development processes for addressing NFRs - Be able to build a simple library of re-usable non-functional requirements - Be able to use the library in development project

Luncheon 2015-01-15 - Managing Security Requirements in Software Projects by ...

North Texas Chapter of the ISSA

Secure Coding 101 - OWASP University of Ottawa Workshop

Paul Ionescu

DevSecOps, The Good, Bad, and Ugly

4ndersonLin

In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.

Why Security Engineer Need Shift-Left to DevSecOps?

Najib Radzuan

DevSecCon Boston2018 - advanced mobile security automation with bdd

Davide Cioccia

Best practice recommendations for utilizing open source software (from a lega...

Rogue Wave Software

With the rise of micro-services, REST communication is more popular than ever. But the communication between the different parts must also be performed in a secure way. First, we need to know if the user or system is allowed to call the JAX-RS endpoint. For this authentication part, self-contained tokens are the best option to not overload any of our services in the system. JWT which contains the authentication but also can contain the authorization info is ideal for this use-case. And secondly, we need guarantees that the message isn't altered, that we can have message integrity. For that part, we can use signatures like specified in the HTTP signature draft specification.

Secure JAX-RS

Rudy De Busscher

Based on the research results, it can be concluded that the ISO / IEC 27034 standard regulates that vulnerability testing should be carried out, but it is not specified how and what should be tested for vulnerabilities, but how and what is not described. NIST and NIAP both refer to OWASP MASVS and contain controls by which the mobile application is tested, mainly focusing on vulnerabilities that relate to vulnerabilities in data storage and authorization. This is confirmed by statistics provided by Digital Security. The most recognized is MASVS. One of the parts of MASVS describes what, how and how to test. It should be noted that all standards rather weakly assess vulnerabilities that relate to interaction with the API. As can be seen from the tests described in Section 2.2, the most critical vulnerabilities are vulnerabilities that are associated with interaction with the application server.

Standards and methodology for application security assessment

Mykhailo Antonishyn

[Wroclaw #2] iOS Security - 101

OWASP

La actualidad más candente (20)

Static Files in the Modern Web Age

Do not disturb my circles! Secure Application Isolation with OSGi - Mirko Jah...

Defensive programming

Dos and Don'ts of Android Application Security (Security Professional Perspec...

The Log4Shell Vulnerability – explained: how to stay secure

[OWASP Poland Day] Saving private token

Hp fortify source code analyzer(sca)

Securing Serverless - By Breaking In

Attacking and defending GraphQL applications: a hands-on approach

[OWASP Poland Day] OWASP for testing mobile applications

Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup

Luncheon 2015-01-15 - Managing Security Requirements in Software Projects by ...

Secure Coding 101 - OWASP University of Ottawa Workshop

DevSecOps, The Good, Bad, and Ugly

Why Security Engineer Need Shift-Left to DevSecOps?

DevSecCon Boston2018 - advanced mobile security automation with bdd

Best practice recommendations for utilizing open source software (from a lega...

Secure JAX-RS

Standards and methodology for application security assessment

[Wroclaw #2] iOS Security - 101

Destacado

The bell la padula model

Shaishav Dahal

Inversion of Control в .NET

DotNetConf

Особенности передачи и обработки видео данных. Приправа из кодеков или с чем ...

DotNetConf

Введение в реактивный .NET

DotNetConf

от авгиевых конюшен к звездам

Lev Goncharov

Внутреннее устройство GC

tym32167

Машинное обучение на платформе .NET

DotNetConf

Customer satisfaction для программистов

Alexander Byndyu

This webinar will introduce the AWS Shared Security Model. We will examine how to use the inherent security of the AWS environment, coupled with the security tools and features AWS makes available, to create a resilient environment with the security you need. Learning Objectives: • Understand the security measures AWS puts in place to secure the environment where your data lives • Understand the tools AWS offers to help you create a resilient environment with the security you need • Consider actions when moving a sensitive workload to AWS • Security benefits you can expect by deploying in the AWS Cloud Who Should Attend: - Prospects and customers with a security background - Who are interested in using AWS to manage security-sensitive workloads

AWS Webcast - Understanding the AWS Security Model

Amazon Web Services

Destacado (9)

The bell la padula model

Inversion of Control в .NET

Особенности передачи и обработки видео данных. Приправа из кодеков или с чем ...

Введение в реактивный .NET

от авгиевых конюшен к звездам

Внутреннее устройство GC

Машинное обучение на платформе .NET

Customer satisfaction для программистов

AWS Webcast - Understanding the AWS Security Model

Similar a Know Your Security Model

DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff

DevSecCon

Sandboxing in .NET CLR

Mikhail Shcherbakov

Started In Security Now I'm Here

Christopher Grayson

Proactive Security AppSec Case Study

Andy Hoernecke

This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to find the correct gear to get us down the road.

ShiftGearsWithInformationSecurity.pdf

Steven Carlson

This presentation looks at the problem of selecting the best programming language and tools to ensure IoT software is secure, robust, and safe. By taking a look at industry best practices and decades of knowledge from other industries (such as automotive and aerospace), you will learn the criteria necessary to choose the right language, how to overcome gaps in developers’ skills, and techniques to ensure your team delivers bulletproof IoT applications.

Programming languages and techniques for today’s embedded andIoT world

Rogue Wave Software

Meetup code security

UttamParmar7

Attacking and Defending Mobile Applications

Jerod Brennen

Integrating security into the application development process

Jerod Brennen

In the ever-evolving, fast-paced Agile development world, application security has not scaled well. Incorporating application security and testing into the current development process is difficult, leading to incomplete tooling or unorthodox stoppages due to the required manual security assessments. Development teams are working with a backlog of stories—stories that are typically focused on features and functionality instead of security. Traditionally, security was viewed as a prevention of progress, but there are ways to incorporate security activities without hindering development. There are many types of security activities you can bake into your current development lifecycles—tooling, assessments, stories, scrums, iterative reviews, repo and bug tracking integrations—every organization has a unique solution and there are positives and negatives to each of them. In this slide deck, we go through the various solutions to help build security into the development process.

AppSec in an Agile World

David Lindner

Application security meetup k8_s security with zero trust_29072021

lior mazor

Thick client pentesting_the-hackers_meetup_version1.0pptx

Anurag Srivastava

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype

Emerasoft, solutions to collaborate

Cncf checkov and bridgecrew

LibbySchulze

Presented on September 22, 2016 by Brent Baude, Principle Software Engineer, Atomic and Docker Development, Red Hat; Randy Kilmon, VP, Engineering, Black Duck Organizations are increasingly turning to container environments to meet the demand for faster, more agile software development. But a 2015 study conducted by Forrester Consulting on behalf of Red Hat revealed that 53% of IT operations and development decision makers at global enterprises reported container security concerns as a barrier to adoption. The challenges of managing security risk increase in scope and complexity when hundreds or even thousands of different open source software components and licenses are part of your application code base. Since 2014, more than 6,000 new open source security vulnerabilities have been reported, making it essential to have good visibility into and control over the open source in use in order to understand if any known vulnerabilities are present. In this webinar, experts from Red Hat and Black Duck will share the latest insights and recommendations for securing the open source in your containers, including protecting them from vulnerabilities like Heartbleed, Shellshock and Venom. You’ll learn: • Why container environments present new application security challenges, including those posed by ever-increasing open source use. • How to scan applications running in containers to identify open source in use and map known open source security vulnerabilities. • Best practices and methodologies for deploying secure containers with trust and confidence.

Contain your risk: Deploy secure containers with trust and confidence

Black Duck by Synopsys

The SolarWinds attack brought additional scrutiny software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline – often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors – ranging from in-house developers, 3rd party development contractors, as well as an array open source contributors. This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline – source control, open source component management, software builds, automated testing, and packaging for distribution – is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. The presentation is intended to be useful both for evaluating internal build processes as well as to support the evaluation of critical external vendors’ processes.

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Denim Group

Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf

Infosec train

The Advanced Penetration Testing with Kali Linux is an all-embracing course that expertly explains to optimize Kali Linux and its powerful tools for advanced wired and wireless networks. The course focuses to demonstrate advanced techniques to perform penetration testing. You learn to use Metasploit Framework and practices used in exploiting Windows and Unixplatforms. Vulnerability scanningforms an integral part of this comprehensive training and demonstrates how a system is targeted and exploited. The training also empowers you with detailed understanding of diverse post-exploitation techniques and modernistic techniques to evade antivirus while understanding the customization of attacks.

Advanced-Penetration-Testing_course_content

priyanshamadhwal2

Nicolas destor pres_f5agility2018

Nicolas Destor

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

SecuRing

Similar a Know Your Security Model (20)

DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff

Sandboxing in .NET CLR

Started In Security Now I'm Here

Proactive Security AppSec Case Study

ShiftGearsWithInformationSecurity.pdf

Programming languages and techniques for today’s embedded andIoT world

Meetup code security

Attacking and Defending Mobile Applications

Integrating security into the application development process

AppSec in an Agile World

Application security meetup k8_s security with zero trust_29072021

Thick client pentesting_the-hackers_meetup_version1.0pptx

Open DevSecOps 2019 - Securing the Software Supply Chain - Sonatype

Cncf checkov and bridgecrew

Contain your risk: Deploy secure containers with trust and confidence

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...

Advanced-Penetration-TestinAPT With KALI Linux Course Content.pdf

Advanced-Penetration-Testing_course_content

Nicolas destor pres_f5agility2018

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

Más de Mikhail Shcherbakov

Delegates and events in C#

Mikhail Shcherbakov

Mythbusters - Web Application Security

Mikhail Shcherbakov

Доклад с митапа MSK .NET Community (http://mskdotnet.org). Поговорим о самом мощном отладчике для Windows – WinDbg. Разберем как начать использовать этот отладчик, чем он может быть полезен для .NET разработчиков. Подробней остановимся на практических моментах его применения, зачем он прикладным программистам, web-разработчикам. Посмотрим и на другие инструменты отладки, которые занимают нишу между интуитивно управляемым комбайном Visual Studio и легким, но крайне аскетичным WinDbg.

Михаил Щербаков "WinDbg сотоварищи"

Mikhail Shcherbakov

Apache Ignite.NET в действии

Mikhail Shcherbakov

Архитектура Apache Ignite .NET

Mikhail Shcherbakov

Знакомство с In-Memory Data Grid

Mikhail Shcherbakov

сценарии использования статического анализатора

Mikhail Shcherbakov

WCF. Легко или проблемно

Mikhail Shcherbakov

Поиск ошибок в программах на языке C#

Mikhail Shcherbakov

Когда в C# не хватает C++. Часть 3.

Mikhail Shcherbakov

Project Rider

Mikhail Shcherbakov

WinDbg в руках .NET разработчика

Mikhail Shcherbakov

Structured logging

Mikhail Shcherbakov

RESTful API: Best practices, versioning, design documentation

Mikhail Shcherbakov

Простой и кросс-платформенный WEB-сервер на .NET

Mikhail Shcherbakov

Использование Visual Studio Tools for Apache Cordova в реальных проектах

Mikhail Shcherbakov

Когда в C# не хватает C++. Часть 2.

Mikhail Shcherbakov

Распространённые ошибки оценки производительности .NET-приложений

Mikhail Shcherbakov

Когда в C# не хватает C++

Mikhail Shcherbakov

Как это работает: DLR

Mikhail Shcherbakov

Más de Mikhail Shcherbakov (20)

Delegates and events in C#

Mythbusters - Web Application Security

Михаил Щербаков "WinDbg сотоварищи"

Apache Ignite.NET в действии

Архитектура Apache Ignite .NET

Знакомство с In-Memory Data Grid

сценарии использования статического анализатора

WCF. Легко или проблемно

Поиск ошибок в программах на языке C#

Когда в C# не хватает C++. Часть 3.

Project Rider

WinDbg в руках .NET разработчика

Structured logging

RESTful API: Best practices, versioning, design documentation

Простой и кросс-платформенный WEB-сервер на .NET

Использование Visual Studio Tools for Apache Cordova в реальных проектах

Когда в C# не хватает C++. Часть 2.

Распространённые ошибки оценки производительности .NET-приложений

Когда в C# не хватает C++

Как это работает: DLR

Último

Scaling API-first – The story of a global engineering organization

Radu Cotescu

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Developing An App To Navigate The Roads of Brazil

V3cube

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

GenCyber Cyber Security Day Presentation

Michael W. Hawkins

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Know Your Security Model

1. Know Your Security Model Mikhail Shcherbakov 9-я конференция .NET разработчиков 12 октября 2014 dotnetconf.ru

2. 2 About me • Senior software developer at Positive Technologies • Working on Application Inspector - source code analyzer • Previous team lead at Acronis and Luxoft

3. 3 Terms C# 5.0 Language Specification Common Language Infrastructure (CLI) Standard ECMA-335

4. 4 .NET Framework 4 Security Architecture • Application Domains • The verification process • Code Access Security (CAS) o Policy o Permissions o Enforcement • Role-based security o Authentication o Authorization o Principal and Identity • Cryptography

5. 5 .NET Framework 4 Security Architecture • Application Domains • The verification process • Code Access Security (CAS) o Policy o Permissions o Enforcement • Role-based security o Authentication o Authorization o Principal and Identity • Cryptography

6. 6 Knowledge in Practice • CAS is the base of security • Development of extensible and security- sensitive applications • Troubleshooting and knowledge about the internals o ASP.NET / IIS o Silverlight o SQL CLR o XBAP o ClickOnce o Sharepoint

7. 7 Application Domains • Fully Trusted and Partially Trusted • Heterogeneous and Homogeneous • Sandboxing by AppDomain

8. 8 Type Safety • C# compilation • Just-in-time (JIT) compilation • Native Image Generator (Ngen.exe) • PEVerify tool

9. 9 Code Access Security • Policy (deprecated in .NET Framework 4) • Permissions • Enforcement o Fully Trusted assemblies in Partially Trusted AppDomain o Security Transparency Code o Assert permissions o SecurityPermission o RegistryPermission o ReflectionPermission o SocketPermission o FileIOPermission o WebPermission

10. 10 Level 2 Security Transparency Critical Full Trust code that can do anything Safe Critical Full Trust code Provides access to Critical code Transparent Only verifiable code Cannot p/invoke Cannot elevate/assert

11. 11 Security Transparency Attributes Assembly Level Type Level Member Level SecurityTransparent    SecuritySafeCritical    SecurityCritical    AllowPartiallyTrustedCallers    SecAnnotate.exe - .NET Security Annotator Tool

12. 12 Demo MS13-015 vulnerability Could Allow Elevation of Privilege (KB2800277) Exploited by Trusted Chain attack

13. 13 Thank you for your attention! Mikhail Shcherbakov Positive Technologies linkedin.com/in/mikhailshcherbakov yuske.dev@gmail.com github.com/yuske

Know Your Security Model

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (9)

Similar a Know Your Security Model

Similar a Know Your Security Model (20)

Más de Mikhail Shcherbakov

Más de Mikhail Shcherbakov (20)

Último

Último (20)

Know Your Security Model