Slideshows by User: codelion
SlideShare feed for Slideshows by User: codelion (Fri, 22 Mar 2019 04:35:44 GMT)

9 types of people you find on your team
/slideshow/9-types-of-people-you-find-on-your-team/137613653
What can the different character classes in Team Fortress teach us about team building?

Posted Fri, 22 Mar 2019 04:35:44 GMT by codelion@slideshare.net (codelion)
9 types of people you find on your team from Asankhaya Sharma
Design and Implementation of the Security Graph Language
/slideshow/design-and-implementation-of-the-security-graph-language/137613195
Today software is built in fundamentally different ways from how it was a decade ago. It is increasingly common for applications to be assembled out of open-source components, resulting in the use of large amounts of third-party code. This third-party code is a means for vulnerabilities to make their way downstream into applications. Recent vulnerabilities such as Heartbleed, FREAK SSL/TLS, GHOST, and the Equifax data breach (due to a flaw in Apache Struts) were ultimately caused by third-party components. We argue that an automated way to audit the open-source ecosystem, catalog existing vulnerabilities, and discover new flaws is essential to using open-source safely. To this end, we describe the Security Graph Language (SGL), a domain-specific language for analysing graph-structured datasets of open-source code and cataloguing vulnerabilities. SGL allows users to express complex queries on relations between libraries and vulnerabilities in the style of a program analysis language. SGL queries double as an executable representation for vulnerabilities, allowing vulnerabilities to be automatically checked against a database and deduplicated using a canonical representation. We outline a novel optimisation for SGL queries based on regular path query containment, improving query performance up to 3 orders of magnitude. We also demonstrate the effectiveness of SGL in practice to find zero-day vulnerabilities by identifying sever

Posted Fri, 22 Mar 2019 04:32:21 GMT by codelion@slideshare.net (codelion)
Design and Implementation of the Security Graph Language from Asankhaya Sharma
Securing Open Source Code in Enterprise
/slideshow/securing-open-source-code-in-enterprise/90723044
In recent years, the number of open-source components used by developers to build software has seen immense growth. Millions of open-source libraries are distributed through centralised systems like Maven Central (Java), NPM (JavaScript), and GitHub (Go), and their widespread use means that bugs and vulnerabilities impact large numbers of downstream applications. In this talk, I will introduce the common security problems facing enterprises using open source code. We will also talk about how to manage the open source software risks using people, process and tools.

Posted Thu, 15 Mar 2018 02:49:42 GMT by codelion@slideshare.net (codelion)
Securing Open Source Code in Enterprise from Asankhaya Sharma
Secure Software Development
/codelion/secure-software-development
Build Software, Safely.

Posted Sat, 20 Feb 2016 06:42:26 GMT by codelion@slideshare.net (codelion)
Secure Software Development from Asankhaya Sharma
Verified Subtyping with Traits and Mixins
/slideshow/verified-subtyping-with-traits-and-mixins/58360311
Traits allow decomposing programs into smaller parts, and mixins are a form of composition that resembles multiple inheritance. Unfortunately, in the presence of traits, programming languages like Scala give up on the subtyping relation between objects. In this paper, we present a method to check subtyping between objects based on entailment in separation logic. We implement our method as a domain-specific language in Scala and apply it to the Scala standard library. We have verified that 67% of mixins used in the Scala standard library do indeed conform to subtyping between the traits that are used to build them.

Posted Wed, 17 Feb 2016 07:28:13 GMT by codelion@slideshare.net (codelion)
Verified Subtyping with Traits and Mixins from Asankhaya Sharma
Specifying compatible sharing in data structures
/slideshow/specifying-compatible-sharing-in-data-structures/58359694
Automated verification of programs that utilize data structures with intrinsic sharing is a challenging problem. We develop an extension to separation logic that can reason about aliasing in heaps using a notion of compatible sharing. Compatible sharing can model a variety of fine-grained sharing and aliasing scenarios with concise specifications. Given these specifications, our entailment procedure enables fully automated verification of a number of challenging programs manipulating data structures with non-trivial sharing. We benchmarked our prototype with examples derived from practical algorithms found in systems code, such as those using threaded trees and overlaid data structures.

Posted Wed, 17 Feb 2016 07:05:37 GMT by codelion@slideshare.net (codelion)
Specifying compatible sharing in data structures from Asankhaya Sharma
Exploiting undefined behaviors for efficient symbolic execution
/slideshow/exploiting-undefined-behaviors-for-efficient-symbolic-execution/58359491
Symbolic execution is an important and popular technique used in several software engineering tools for test case generation, debugging and program analysis. As such, improving the performance of symbolic execution can have a huge impact on the effectiveness of such tools. In this paper, we present a technique to systematically introduce undefined behaviors during compilation to speed up the subsequent symbolic execution of the program. We have implemented our technique inside LLVM and tested it with an existing symbolic execution engine (Pathgrind). Preliminary results on the SIR repository benchmark are encouraging and show a 48% speed-up in time and a 30% reduction in the number of constraints.

Posted Wed, 17 Feb 2016 06:57:51 GMT by codelion@slideshare.net (codelion)
Exploiting undefined behaviors for efficient symbolic execution from Asankhaya Sharma
DIDAR: Database Intrusion Detection with Automated Recovery
/codelion/didar-database-intrusion-detection-with-automated-recovery
In this project we present a new architecture for database intrusion detection. We implement this framework, called DIDAR (Database Intrusion Detection with Automated Recovery), and discuss the performance issues. Recently there has been considerable interest in the design of intrusion detection systems for databases. Most of the current systems take a laid-back approach and concentrate more on containment and recovery once the database has been infected by a malicious transaction. We propose a more proactive solution; DIDAR aims to detect intrusions as soon as possible, with support for damage containment and automated recovery as well. DIDAR provides intrusion tolerance by working in two phases – learning and detection. During the learning phase we build a model of the legitimate queries for each user based on the currently executing transactions, and later use that model to detect malicious transactions. DIDAR guarantees quality of information assurance at four different levels for each user. We have positive results based on our prototype and preliminary testing on a synthetic database. With almost no load on the database, DIDAR achieves high detection rates, quick damage containment and full recovery.

Posted Wed, 17 Feb 2016 06:54:11 GMT by codelion@slideshare.net (codelion)
DIDAR: Database Intrusion Detection with Automated Recovery from Asankhaya Sharma
Developer-focused Software Security
/slideshow/developerfocused-software-security/58310113
Over the past few years, the way we build software has changed a lot. These days, developers make heavy use of open-source libraries and 3rd-party components to design and assemble software. Unfortunately, reusable components also mean reusable vulnerabilities. Hackers have shifted their attention from exploiting applications to exploiting vulnerabilities in libraries. In this talk, we will review some of the popular security vulnerabilities that affected open-source libraries recently. We will also look at how current security products and techniques do not focus on vulnerabilities in libraries and components. Detecting vulnerabilities in libraries and remediating them requires a change in thinking about software security. Developers are the key stakeholders in the security of the software they build, and empowering them with the right tools and information can help them build secure software. We will take a look at an XSS (Cross-site Scripting) vulnerability in the popular JavaScript library Handlebars.js and the impact it had on other libraries and applications. We will then show how developers can make use of secure HTTP headers and Content Security Policy to prevent XSS, clickjacking and other code injection attacks. Integrating security features directly into software development can enable developers to build software safely.

Posted Tue, 16 Feb 2016 07:52:58 GMT by codelion@slideshare.net (codelion)
Developer-focused Software Security from Asankhaya Sharma
Visualizing Symbolic Execution with Bokeh /slideshow/visualizing-symbolic-execution-with-bokeh/49214441
Exploring symbolic execution using Bokeh, a Python-based framework for data visualization.
Wed, 10 Jun 2015 10:28:07 GMT /slideshow/visualizing-symbolic-execution-with-bokeh/49214441 codelion@slideshare.net(codelion) Visualizing Symbolic Execution with Bokeh codelion
Visualizing Symbolic Execution with Bokeh from Asankhaya Sharma
Crafting a Successful Engineering Career /slideshow/crafting-a-successful-engineering-career/49214001
Advice on how to build a successful and enriching engineering career in the software industry.
Wed, 10 Jun 2015 10:16:02 GMT /slideshow/crafting-a-successful-engineering-career/49214001 codelion@slideshare.net(codelion) Crafting a Successful Engineering Career codelion
Crafting a Successful Engineering Career from Asankhaya Sharma
Certified Reasoning for Automated Verification /slideshow/certified-reasoning-for-automated-verification/49213826
Formal methods help improve the quality and reliability of software by providing proof of correctness. However, ensuring the correctness of the verification tools that apply these formal methods is itself a much harder problem. A typical way to justify correctness is to provide soundness proofs based on semantic models. For program verifiers these soundness proofs are quite large and complex. In this thesis, we introduce certified reasoning to provide machine-checked proofs of various components of an automated verification system. We develop new certified decision procedures (Omega++) and certified proofs (for compatible sharing) and integrate them with an existing automated verification system (HIP/SLEEK). We show that certified reasoning improves the correctness and expressivity of automated verification without sacrificing performance.
Wed, 10 Jun 2015 10:11:00 GMT /slideshow/certified-reasoning-for-automated-verification/49213826 codelion@slideshare.net(codelion) Certified Reasoning for Automated Verification codelion
Certified Reasoning for Automated Verification from Asankhaya Sharma
Last Days of Academy /slideshow/last-days-of-academy-49213533/49213533
Why higher education is ripe for disruption
Wed, 10 Jun 2015 10:02:36 GMT /slideshow/last-days-of-academy-49213533/49213533 codelion@slideshare.net(codelion) Last Days of Academy codelion
Last Days of Academy from Asankhaya Sharma
SayCheese Ad /slideshow/saycheese-ad-12647246/12647246
Promotional presentation for SayCheese. 3D Cravings for your Cravings
Mon, 23 Apr 2012 01:04:55 GMT /slideshow/saycheese-ad-12647246/12647246 codelion@slideshare.net(codelion) SayCheese Ad codelion
SayCheese Ad from Asankhaya Sharma
I lead the R&D function at SRC:CLR (SourceClear). I am responsible for creating and managing the company’s worldwide product research and technology transfer programs. SRC:CLR is a startup that is redefining the software security paradigm. We are a security solution unlike any other: made for developers, by developers. http://asankhaya.github.io