Jose Manuel Ortega

Software engineer & Security Researcher

I’m a Software Engineer really focused on new technologies, open source, security and testing. My career has been focused from the beginning on specializing in the Python and Java languages and security testing projects. In recent years I'm interested in security development, especially on mobile applications. At this moment I am a security tester engineer and my functions in the project are analyzing and testing the security of applications.


Personal blog and other conferences:

https://about.me/jmortegac
http://jmortega.github.io
https://jmortegac.wixsite.com/conferences

Current sessions

Python network inspection tools

Python has an ecosystem of tools that allows you to inspect, analyze and interact with network packets as native Python objects, using the capabilities of programs such as Wireshark and libpcap. Some of the tools contain dissection modules that extend the original program. The objective of the talk is to show this type of tool, analyzing what we can do with them at the level of packet inspection in the network and transport layers.

These could be the main talking points:

1. Introduction to network inspection tools
Tools such as Wireshark, tcpdump, tshark, ngrep and flowgrep are useful for packet inspection.

2. Flowinspect as a network inspection tool

3. I will discuss other solutions that we can find in Python, such as Scapy and Pyshark, a wrapper for tshark that allows the capture and analysis of packets using Wireshark dissectors.

I'll show some use cases where we can use these tools for malware identification through signatures and shellcode emulation/detection.

As a bonus we can analyze the tool that the NSA has for this type of task.

https://github.com/NationalSecurityAgency/sharkPy


Serverless vs Containers: Running code in the cloud

We call them generically “containers” and they are a very popular way to deploy microservices in your infrastructure. When we say “serverless” we mean cloud products that provide “Functions as a Service”. In this talk we will review the relation and differences between these technologies.

From the containers point of view, deploying applications provides better control over the time and place where developers can deploy the code. From the serverless point of view this control is delegated to cloud services like Google Cloud Functions and AWS Lambda. With some examples we will review the differences between these two approaches.

These could be the main points of the talk:

1. Introduction to container and serverless technologies

2. Examples of code running with these technologies

3. Pros and cons of each one

4. Use cases comparing where one option is better than the other


Monitoring and managing Containers using Open Source tools

The world is advancing towards accelerated deployments using DevOps and cloud native technologies. In architectures based on microservices, container monitoring and management become even more important as we need to scale our application.

In this talk, I will show how to monitor and manage Docker containers to keep track of the status of your applications. We will review how to monitor for security events using open source solutions to build an actionable monitoring system for Docker and Kubernetes.

Through a web interface, tools such as cAdvisor, Portainer and Rancher give us a global overview of the containers we are running as well as facilitating their management.

These could be the main points to discuss:

-Challenges in containers and distributed architectures from the point of view of monitoring and administration

-Most important metrics that we can use to measure container performance.

-Tools for monitoring and management of containers such as cAdvisor, Sysdig and Portainer

-Rancher as a platform for the administration of Kubernetes


Finding security vulnerabilities in open source projects

In recent years, the amount of open source components used by developers has grown. Millions of open source libraries are distributed through centralized systems such as Maven (Java), npm and GitHub. In this talk, I will present the common security problems faced by companies that use open source.

Every time we download a module to use it in our application, without knowing it we expose our application to the possible security problems and vulnerabilities that these modules have. We will study an example application that uses several vulnerable dependencies, which we will exploit as an attacker would. For each vulnerability, we will explain why it happened, we will show its impact and, most importantly, we will see how to avoid or solve it. We will also talk about how to manage the risks of open source software using people, processes and tools.

These could be the main talking points:

-Security in open source repositories

-OWASP Top 10 from an attacker's perspective. At this point I will comment on the OWASP project that provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in web applications from an attacker's perspective.

-Tools which will help to protect our applications by scanning for known vulnerable libraries in specific ecosystems like Java, JavaScript and Python.


SecDevOps containers

Security is important but not everyone cares about it until something bad happens.

In this talk I would like to point out that, even with the use of tools oriented to the “DevOps” ecosystem, the essential and necessary security elements for any application to be deployed in “security mode” are often not considered. In addition to the so-called best practices, the development of efficient, readable, scalable and secure code requires the right tools for security development.

I’ll speak about the main tips for integrating security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps security.

These could be the main talking points:

-How to integrate security into iteration and pipeline application development with containers.
-How to secure development environments.
-DevOps security best practices


Managing and deploying bots with the AWS Lex platform

In this talk I will review the process of creating a bot using the AWS Lex platform. AWS Lex integrates with the Amazon ecosystem and it offers an easy way to create bots that can be integrated with a variety of external services like Slack.

First, I will explain the possibilities that AWS provides for building conversational and chatbot interfaces. Then we continue with how to develop your own chatbot with the Lex and Slack platforms. With the help of the Serverless framework we can orchestrate the operations that AWS requires for managing and deploying the bot.

In this talk I will mention the advantages of the AWS Lex platform and we will focus on the situations in which we can integrate it with Slack chatbots. I will use AWS Lambda with Python for the examples.

These could be the main talking points:

1. Introducing the AWS Lex platform
2. Explaining how chatbots work with the Slack platform
3. AWS Lambda functions with the Serverless framework
4. Managing and deploying bots with Serverless and Python


Developing reactive microservices with Micronaut

Micronaut is a new framework for the JVM that supports Java, Groovy and Kotlin and is designed to build cloud native microservices. Micronaut is the new solution for developing microservices in Java and provides a server and HTTP client, in addition to supporting reactive and non-blocking microservices by being based on Netty.

Some of the features and advantages of the Micronaut framework include cloud native support, small processes that can run in less than 10 MB of JVM heap memory, and dependency injection with AOP.

In this talk I will give an introduction to Micronaut, comparing it with other market solutions like Spring Boot. We will see the main Micronaut features, analyzing how much less memory it can consume and how much faster its startup time is compared to a similar Spring Boot app.

These could be the main talking points:

1. Introduction to Micronaut and the concept of reactive applications
2. Advantages of Micronaut compared with Spring Boot
3. Best practices from Micronaut
4. Use cases and application examples using Micronaut


Testing Spring Boot Security

Spring Boot has simplified the development of Spring applications. Its autoconfiguration and starter dependencies reduce the amount of code and configuration you need to begin an app.

In this talk we will review the process for securing Spring Boot applications and how we can resolve issues like certificates and vulnerabilities and manage sensitive information in our applications. The talk will start with how we can secure your Spring Boot application and continue by introducing Spring Boot Security autoconfiguration. Code examples will be in Java syntax.

These could be the main talking points:

1. Introducing how we can secure your Spring Boot application.
2. Managing HTTPS and TLS/SSL certificates in Spring Boot applications
3. Libraries and modules that Spring provides for mitigating attacks like XSS and CSRF in web apps
4. How to manage sensitive information such as passwords and access tokens in a secure way
5. Tools for automating the process of discovering security flaws


Darkweb + Python: discover, analyze and extract information from hidden services

The talk will start by explaining how the Tor project helps the research and development of tools for online anonymity and privacy of its users while surfing the Internet, by establishing virtual circuits between the different nodes that make up the Tor network. In addition, we will review how Tor works from an anonymity point of view, preventing websites from tracking you. Python helps us to automate the process of searching for and discovering hidden services thanks to packages like requests, requesocks and sockspy. At this point we will review the crawling process and show tools available in the Python ecosystem for this task, such as Deep Explorer (https://github.com/blueudp/deep-explorer).

These could be the talking points:

1. Introduction to the Tor project and hidden services
2. Discovering hidden services
3. Modules and packages we can use in Python for connecting to the Tor network
4. Tools that allow searching for hidden services and automating the crawling process in the Tor network


Microservices and serverless in python projects

Monoliths, microservices and now serverless. Function as a Service (FaaS) platforms give us new ways to attack old problems. The possibility of executing functions as a service allows designing scalable and highly parallel applications, but on the other hand, this kind of application requires a particular programming style. For example, bundling dependencies and managing state is not trivial. However, there are plenty of tools and frameworks to help you code serverless applications with Python, and once you get started it is not complicated.

In this talk I will mention the advantages of serverless and we will focus on the situations in which we can introduce it into our Python projects. I will use AWS Lambda for the examples.

These could be the main talking points:

1. Introducing serverless and Function as a Service (FaaS) in Python projects
2. Advantages of microservices and serverless
3. AWS Lambda functions with Chalice
4. Testing AWS Lambda with Docker


Testing Python security

Python is a language that allows you to scale up in an easy way from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase the complexity of your applications, it can be easy to introduce potential problems and vulnerabilities.

In this talk, I will highlight the biggest problems we can find in Python functions, how to use them in a secure way, and the tools and services that help you identify vulnerabilities in Python source code.

These could be the main talking points:

1. Introduction to secure programming in Python
2. Introducing dangerous functions for code injection and how we can solve these issues from a security point of view
3. Common attack vectors on Python applications like Remote Command Execution and SQL injection
4. Best practices for avoiding execution of malicious commands
5. Tools that help us protect and obfuscate our source code


Docker for Python developers and data analytics

Docker is a powerful tool for packaging software and services in containers and running them on a virtual infrastructure. Python is a powerful language for data scientists and analytics. In this talk I will show how we can join both technologies and combine them to create Python applications oriented to data analytics.

I will show how we can make use of Python and Docker to build robust data analysis workflows that can be used in the context of a data scientist.

These could be the main talking points:

-Introduce Docker for data analysis. I will explain the core ideas behind Docker and show how they can be useful for data analysis

-Introduce the Docker client for accessing the data we have in our containers and show in detail how the Docker API works

-Introduce open source Python tools which use the Docker client to analyze data in containers

-Analyze the main images we can find in the Docker ecosystem for data scientists, like Jupyter, and modules like sklearn or TensorFlow

-I will show some examples and use cases for data analysis by scientists


Functional testing with Groovy and soapUI

Functional testing is a small but very important part of the tests to be performed to try to reproduce the interaction with the user.
Groovy incorporates features that simplify the development of functional tests for REST APIs or SOAP web services. In this talk we will see how to incorporate functional tests for a REST API with SoapUI using Groovy scripts. I will show some use cases related to database connections and validating user information in an end-to-end scenario.

These could be the main talking points:

1. Introduction to functional testing
2. Connecting SoapUI and Groovy
3. Creating and executing test suites and test cases in SoapUI with Groovy scripts
4. Use cases for testing your application's REST API


Sharing secret keys in Docker containers

From a Docker context point of view, the secure distribution and traceability of secrets is a core concern in the new microservices and containerized environments, where software entities are constantly spawned and deleted. The best solution is to use a key-value store to keep secrets and retrieve them from the container at runtime.

In this talk I will show how to store secret keys in containers in production and best practices for the safe and secure distribution of secrets in Docker containers.

These could be the main talking points:

1. Challenges of security and secret keys in containers
2. Best practices for the safe and secure distribution of secrets in Docker containers
3. Other tools for distributing secrets in containers like HashiCorp Vault and KeyWhiz

Vault keeps a detailed audit log to keep track of all the secrets and the accesses and manipulations performed by each user; in this way it is very easy to trace any suspicious interaction.

KeyWhiz stores secrets encrypted in memory and provides access via a REST API and a command-line interface.


Hacking NodeJS applications for fun and profit

NodeJS is one of the fastest growing platforms nowadays and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. In this talk I will show the main vulnerabilities we can find and how we can fix them in our applications.

This is a talk that explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. On the other hand, it will also be shown how some of these vulnerabilities are not included in the OWASP Top 10 and why it is important to take into account certain design and development practices in order not to fall into errors involving security incidents.

These could be the talking points:

-Node.js security packages

I will comment on how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications in production

-How to prevent the OWASP Top 10 in a NodeJS application. At this point I will comment on the OWASP NodeGoat project that provides an environment to learn the OWASP Top 10 security risks. I will comment on the main risks we can find in NodeJS applications from an attacker's perspective.

https://github.com/OWASP/NodeGoat

-Tools which will help protect our Node applications like the NSP module or Retire, which scan for known vulnerable libraries in the Angular and jQuery ecosystem. Other tools like NodeJSScan allow detecting vulnerabilities following some predefined rules


Securing Python Web Applications

Often, security is only an afterthought when designing and building web applications with Python, which can have embarrassing, costly and sometimes dangerous consequences. Implementing “reasonably good” security is not very hard though, especially when thinking about it right from the start.

In this talk, I will explain several techniques for improving the security of Python-based web applications. As there is already plenty of material available on general security concepts, I will instead focus on more advanced topics like:

-Dividing the application into data layers and application service layers to reduce the attack surface and minimize the impact of security breaches.

-Advanced Authentication Techniques: How to use two-factor authentication and similar techniques to improve login security.

-How to defend against (simple) DDoS attacks and brute forcing.

-User Security Notifications & Audit Logs: How to let your users know about suspicious activity.

I will focus on API-centric web applications, though most of the points are applicable to “traditional” web apps as well. Example code for implementing the different techniques in popular web frameworks (Flask and Django) will be provided in a GitHub repository.


GrayLog for Java developers

For developers, application logs are critical to figuring out what’s going on inside the apps we create. We tail them. We search them. We analyze and graph them. In this talk I will show Graylog as an open source log management tool, providing central storage, processing, and analysis of log messages powered by Java, MongoDB and Elasticsearch.

These could be the talking points:

1. Graylog architecture

The Graylog log server is based on Java and offers a means for combining several server nodes in a cluster for high availability and scalability. Graylog uses Elasticsearch as the database for the log messages and MongoDB for application data.

2. Searching and analyzing: Graylog web interface

Graylog also has a web interface for searching and viewing Graylog messages. Filters can be applied and saved into logical “streams”, allowing you to look at a slice of your data.

3. Use case: Configure Graylog in Java projects with Maven

As a standard for log events, Graylog promotes usage of the Graylog Extended Log Format (GELF). I will show a use case configuring Graylog inside a Java project with the GELF appender.

4. Integrating Graylog with Logstash

In order to create a full logging solution it is appropriate to combine Graylog with Logstash, with a small modification of Logstash and a custom Graylog plugin.


Everything you need to know about container security

Security is important but not everyone cares about it until something bad happens. In this talk, I’ll speak about the main tips for integrating security into containers. I will share my knowledge and experience and help people learn to focus more on container security.
In this talk I will review the state of the art of application security practices and talk about the best security practices to create more secure containers. We will also look at organizational, process, and technology innovations to secure applications in ways that incorporate, but go beyond, testing for vulnerabilities, by looking at what developers can do before checking in code and what application security looks like in production.

These could be the main talking points:

-How to integrate security into iteration and pipeline application development.

Integrating security into the iteration and pipeline application development involves automating as many security tests as possible so that they run alongside all other automated tests. These tests should be performed on every code commit, and even in the earliest stages of a software project.

-How to integrate preventive security controls into shared source code repositories and shared services.

Shared source code repositories allow anyone to discover and reuse the collective knowledge of the organization, not only for code but also for toolchains, deployment pipelines and security. Security information should include mechanisms or tools for safeguarding applications and environments, such as specific libraries for security support. It is also important to put security artifacts into the version control system that containers use for detecting vulnerabilities in specific third-party libraries.

-How to secure your development environments.

It is important to ensure that all environments minimize security risk. This involves generating automated tests to ensure that all appropriate settings have been correctly applied for configuration hardening, database security, key lengths, and so on. It also involves using tests to scan environments with a security vulnerability scanner.

