Jose Manuel Ortega
Software engineer & Security Researcher
José Manuel Ortega is a software engineer and cybersecurity researcher with an interest in new technologies, open source, security and testing. In recent years he has focused on innovation projects that use Big Data technologies with programming languages such as Python. He is currently working as a software engineer on research projects related to Big Data, Cybersecurity and Blockchain. He has taught at university level and collaborated with the official college of computer engineers. He has also been a speaker at several developer-oriented conferences at national and international level. More information about his lectures and other published works can be found on his personal website https://josemanuelortegablog.com.
Security in lambda functions and serverless architectures
Lambda functions and serverless architectures are a cloud service model that lets you run code without provisioning or managing servers. It runs your code on an infrastructure with high availability and automatic scaling, and provides code monitoring and logging capabilities.
Security in lambda functions and serverless applications is an aspect that organizations should take into account in order to minimize possible attacks. This talk discusses the current state of security in serverless architectures and how we can apply good security practices in lambda functions. The OWASP Serverless Top 10 is an excellent reference for learning about the potential security risks and consequences of implementing a serverless architecture, as well as how to mitigate them.
Among the points to be discussed we can highlight:
- Introduction to serverless architectures and lambda functions
- Security in serverless architectures and the OWASP Serverless Top 10
- Pentesting of lambda functions
- Best practices at the level of permissions and security policies when working in cloud environments
Security and auditing tools in Large Language Models (LLM)
LLM models are a subcategory of deep learning models based on neural networks and natural language processing (NLP). Security and auditing are critical issues when dealing with applications based on large language models such as GPT (Generative Pre-trained Transformer).
This talk aims to analyze the security of these language models from the developer's point of view, examining the main vulnerabilities that can arise when building these models. Among the main points to be discussed we can highlight:
- Introduction to LLMs
- Introduction to the OWASP LLM Top 10
- Auditing tools for applications that handle LLM models
- Use case with the textattack tool (https://textattack.readthedocs.io/en/master/)
PyGoat: Analyzing security in Django applications
Security in web applications is a fundamental aspect of guaranteeing data protection and user confidentiality. If our goal is to learn how Django manages security, PyGoat is an intentionally vulnerable application built with Django that can be used to learn how to secure our Django applications.
In this talk we analyze how Django manages security using the vulnerable application PyGoat, identifying the underlying security problems. We will learn about common security vulnerabilities such as those that appear in the OWASP Top 10 in Django applications and how to fix them so that we can keep our applications safe from attackers.
Among the points to be covered we can highlight:
- Introduction to security in Django applications
- PyGoat as an example of a vulnerable application
- OWASP Top 10 vulnerabilities and mitigation
Evolution of security strategies in K8s environments
In the latest versions of K8s there has been an evolution in how security strategies are defined at the level of cluster access policies for users and developers. Security contexts allow you to define access control and privilege settings for a pod or container in a simple way, using keywords in the configuration files.
To facilitate the implementation of these security strategies throughout the cluster, new strategies have emerged such as the Pod Security Policy (PSP), where the cluster administrator is in charge of defining these policies at the cluster level so that developers can follow them.
Other interesting projects include Open Policy Agent (OPA), the main cloud-native authorization policy agent for creating policies and managing user permissions for access to applications.
The objective of this talk is to present the evolution that has occurred in security strategies and how we could use them together, as well as to analyze their behavior when accessing resources. Among the points to be discussed we can highlight:
1. Introduction to security strategies in K8s environments
2. Pod Security Admission (PSA) vs Open Policy Agent (OPA)
3. Combination of different security strategies together
4. Access to resources in privileged and non-privileged mode
Distributed computing using Python
Distributed computing is a new computing model that emerged with the goal of solving massive computation problems, where different machines work in parallel forming a computing cluster.
In recent years, different frameworks such as Apache Hadoop, Apache Spark and Apache Flink have emerged that make it possible to solve this type of problem, where we have massive data from different data sources.
Within the Python ecosystem we can highlight the open source libraries PySpark and Dask, which allow tasks to be executed in a parallel and distributed way in Python.
Among the points to be covered we can highlight:
- Introduction to distributed computing
- Comparing distributed computing technologies
- Frameworks and modules in Python for distributed computing
- Use cases in Big Data projects
Building zero trust architectures in cloud environments
The adoption of microservice-based architectures has grown exponentially in recent years. When it comes to obtaining maximum security we use what are called "zero trust" architectures.
The objective of this talk is to present the basic principles for building applications using zero trust architectures and some tools for performing security audits in cloud environments. Among the points to be covered we can highlight:
- Introduction to DevSecOps and threat modeling
- Zero trust model in the cloud
- Best practices at the level of permissions and security policies when working in cloud environments
- Analysis tools oriented to pentesting in cloud environments
Security in serverless architectures and cloud environments
In recent years, cloud architectures have evolved towards a serverless model whose main advantage is the ability to run code without provisioning or managing servers. However, these types of architectures introduce a completely new set of security implications that must be taken into account when building your applications.
This talk will analyze the current state of security in serverless architectures, the main risks and how we could mitigate them in a simple way. Among the points to be covered we can highlight:
- Introduction to serverless architectures
- Security in serverless architectures and the OWASP Serverless Top 10
- Pentesting of serverless applications
- Security best practices when working in cloud environments
Testing Spring Boot Security
Spring Boot has simplified the development of Spring applications. Its autoconfiguration and starter dependencies reduce the amount of code and configuration you need to begin an app.
In this talk we will review the process for securing Spring Boot applications and how we can resolve issues such as certificates and vulnerabilities and manage sensitive information in our applications. The talk will start with how we can secure your Spring Boot application and continue by introducing Spring Boot Security autoconfiguration. Code examples will use Java syntax.
These could be the main talking points:
1. Introducing how we can secure your Spring Boot application
2. Managing HTTPS and TLS/SSL certificates in Spring Boot applications
3. Libraries and modules that Spring provides for defending against attacks such as XSS and CSRF in web apps
4. How to manage sensitive information such as passwords and access tokens in a secure way
5. Tools for automating the process of discovering security flaws
Darkweb + Python: discover, analyze and extract information from hidden services
The talk will start by explaining how the Tor project can help in the research and development of tools for online anonymity and privacy of its users while surfing the Internet, by establishing virtual circuits between the different nodes that make up the Tor network. In addition, we will review how Tor works from an anonymity point of view, preventing websites from tracking you. Python helps us to automate the process of searching for and discovering hidden services thanks to packages like requests, requesocks and sockspy. At this point we will review the crawling process and show tools in the Python ecosystem available for this task such as Deep Explorer (https://github.com/blueudp/deep-explorer).
These could be the talking points:
1. Introduction to the Tor project and hidden services
2. Discovering hidden services
3. Modules and packages we can use in Python for connecting to the Tor network
4. Tools that allow searching for hidden services and automating the crawling process in the Tor network
Microservices and serverless in python projects
Monoliths, microservices and now serverless. Function as a Service (FaaS) platforms give us new ways to attack old problems. The possibility of executing functions as a service allows designing scalable and highly parallel applications, but on the other hand this kind of application requires a particular programming style. For example, bundling dependencies and managing state is not trivial. However, there are plenty of tools and frameworks to help you code serverless applications with Python, and once you get started it is not complicated.
In this talk I will describe the advantages of serverless and we will focus on the situations in which we can introduce it into our Python projects. I will use AWS Lambda for the examples.
These could be the main talking points:
1. Introducing Serverless and Function as a Service (FaaS) in Python projects
2. Advantages of microservices and serverless
3. AWS Lambda functions with Chalice
4. Testing AWS Lambda with Docker
Testing python security
Python is a language that makes it easy to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase the complexity of your applications, it can be easy to introduce potential problems and vulnerabilities.
In this talk, I will highlight the biggest problems we can find in Python functions, how to use them in a secure way, and tools and services that help you identify vulnerabilities in Python source code.
These could be the main talking points:
1. Introduction to secure programming in Python
2. Dangerous functions that enable code injection and how we can solve these issues from a security point of view
3. Common attack vectors on Python applications like Remote Command Execution and SQL injection
4. Best practices for avoiding execution of malicious commands
5. Tools that help us protect and obfuscate our source code
Docker for python developers and data analytics
Docker is a powerful tool for packaging software and services in containers and running them on a virtual infrastructure. Python is a powerful language for data scientists and analytics. In this talk I will show how we can combine both technologies to create Python applications oriented to data analytics.
I will show how we can make use of Python and Docker to build robust data analysis workflows that can be used in the context of a data scientist.
These could be the main talking points:
- Introduce Docker for data analysis. I will explain the core ideas behind Docker and show how they can be useful for data analysis
- Introduce the Docker client for accessing the data we have in our containers and show in detail how the Docker API works
- Introduce open source Python tools that use the Docker client to analyze data in containers
- Analyze the main images we can find in the Docker ecosystem for data scientists, like Jupyter, and modules like sklearn or TensorFlow
- I will show some examples and use cases of data analysis for data scientists
Functional testing with Groovy and soapUI
Functional testing is a small but very important part of the tests to be performed to reproduce the interaction with the user.
Groovy incorporates features that simplify the development of functional tests for REST APIs or SOAP web services. In this talk we will see how to add functional tests to a REST API with SoapUI using Groovy scripts. I will show some use cases related to database connections and validating user information in an end-to-end scenario.
These could be the main talking points:
1. Introduction to functional testing
2. Connecting SoapUI and Groovy
3. Creating and executing test suites and test cases in SoapUI with Groovy scripts
4. Use cases for testing your application's REST API
Sharing secret keys in docker containers
From a Docker point of view, the secure distribution and traceability of secrets is a core concern in the new microservices and containerized environments, where software entities are constantly spawned and deleted. The best solution is to use a key-value store to keep secrets and retrieve them from the container at runtime.
In this talk I will show how to handle secret keys in containers in production and best practices for the safe and secure distribution of secrets in Docker containers.
These could be the main talking points:
1. Challenges of security and secret keys in containers
2. Best practices for the safe and secure distribution of secrets in Docker containers
3. Other tools for distributing secrets in containers like HashiCorp Vault and Keywhiz
Vault keeps a detailed audit log to keep track of all the secrets and the accesses and manipulations performed by each user; in this way it is very easy to trace any suspicious interaction.
Keywhiz stores secrets encrypted in memory and provides access via a REST API and a command-line interface.
Hacking NodeJS applications for fun and profit
NodeJS is one of the fastest growing platforms nowadays, and from a security point of view it is necessary to know all the possibilities that the platform offers to developers. In this talk I will show the main vulnerabilities we can find and how we can fix them in our applications.
This talk explains some of the most common problems in NodeJS applications and how, using frequently used tools, it is possible to exploit such vulnerabilities. On the other hand, we will also see how some of these vulnerabilities are not included in the OWASP Top 10, and that it is important to take into account certain design and development practices in order not to fall into errors that lead to security incidents.
These could be the talking points:
- Node.js security packages
I will discuss how to protect Express applications in terms of authentication, logging, middleware and security best practices before putting applications into production.
- How to prevent the OWASP Top 10 in a NodeJS application
In this point I will discuss the OWASP NodeGoat project, which provides an environment to learn the OWASP Top 10 security risks. I will cover the main risks we can find in Node.js applications from an attacker's perspective.
https://github.com/OWASP/NodeGoat
- Tools that help protect our Node applications, like the NSP module or Retire, which scans for known vulnerable libraries in the Angular and jQuery ecosystems. Other tools like NodeJSScan allow detecting vulnerabilities following predefined rules.
Securing Python Web Applications
Often, security is only an afterthought when designing and building web applications with Python, which can have embarrassing, costly and sometimes dangerous consequences. Implementing “reasonably good” security is not very hard though, especially when thinking about it right from the start.
In this talk, I will explain several techniques for improving the security of Python-based web applications. As there is already plenty of material available on general security concepts, I will instead focus on more advanced topics like:
- Dividing the application into data layers and application service layers to reduce the attack surface and minimize the impact of security breaches.
- Advanced authentication techniques: how to use two-factor authentication and similar techniques to improve login security.
- How to defend against (simple) DDoS attacks and brute forcing.
- User security notifications and audit logs: how to let your users know about suspicious activity.
I will focus on API-centric web applications, though most of the points are applicable to "traditional" web apps as well. Example code for implementing the different techniques in popular web frameworks (Flask and Django) will be provided in a GitHub repository.
GrayLog for Java developers
For developers, application logs are critical to figuring out what's going on inside the apps we create. In this talk I will show Graylog as an open source log management tool providing central storage, processing and analysis of log messages, powered by Java, MongoDB and Elasticsearch.
These could be the talking points:
1. Graylog architecture
The Graylog log server is based on Java and offers a means for combining several server nodes in a cluster for high availability and scalability. Graylog uses Elasticsearch as the database for log messages and MongoDB for application data.
2. Searching and analyzing: the Graylog web interface
Graylog also has a web interface for searching and viewing Graylog messages. Filters can be applied and saved into logical "streams", allowing you to look at a slice of your data.
3. Use case: configuring Graylog in Java projects with Maven
As a standard for log events, Graylog promotes the use of the Graylog Extended Log Format (GELF). I will show a use case configuring Graylog inside a Java project with the GELF appender.
4. Integrating Graylog with Logstash
In order to create a full logging solution it is possible to combine Graylog with Logstash, with a small modification of Logstash and a custom Graylog plugin.
Everything you need to know about containers security
Security is important but not everyone cares about it until something bad happens. In this talk, I'll speak about the main tips for integrating security into containers. I will share my knowledge and experience and help people learn to focus more on container security.
In this talk I will review the state of the art of application security practices and talk about best practices to create more secure containers. We will look at organizational, process and technology innovations to secure applications in ways that incorporate, but go beyond, testing for vulnerabilities, by looking at what developers can do before checking in code and what application security looks like in production.
These could be the main talking points:
- How to integrate security into iteration and pipeline application development.
Integrating security into iteration and pipeline application development involves automating as many security tests as possible so that they run alongside all other automated tests. These tests should be performed on every code commit, and even in the earliest stages of a software project.
- How to integrate preventive security controls into shared source code repositories and shared services.
Shared source code repositories allow anyone to discover and reuse the collective knowledge of the organization, not only for code, but also for toolchains, deployment pipelines and security. Security information should include mechanisms or tools for safeguarding applications and environments, such as specific libraries for security support. It is also important to put security artifacts into the version control system that containers use for detecting vulnerabilities in specific third-party libraries.
- How to secure your development environments.
It is important to ensure that all environments minimize security risk. This involves generating automated tests to ensure that all appropriate settings have been correctly applied for configuration hardening, database security, key lengths, and so on. It also involves using tests to scan environments with a security vulnerability scanner.
Serverless security issues and best practices
Serverless and Function as a Service (FaaS) give us new ways to deploy applications based on a microservices architecture. The possibility of executing functions as a service allows designing scalable and highly parallel applications, but on the other hand this kind of application requires following security best practices to minimize the attack surface.
In this talk I will review the main security issues we can find in the serverless paradigm, comparing it with the traditional cloud model. Once these security issues have been reviewed, we will look at best practices from the developer's point of view for minimizing the attack surface.
These could be the main talking points:
1. Introducing serverless computing and Function as a Service (FaaS)
2. Serverless security issues
3. Serverless security best practices
Python network inspection tools
Python has an ecosystem of tools that allows you to inspect, analyze and interact with network packets as native Python objects, using the capabilities of programs such as Wireshark and libpcap. Some of the tools contain dissection modules that extend the original program. The objective of the talk is to show this type of tool, analyzing what we can do with them when inspecting packets at the network and transport layers.
These could be the main talking points:
1. Introduction to network inspection tools
Tools such as Wireshark, tcpdump, tshark, ngrep and flowgrep are useful for packet inspection.
2. Flowinspect as a network inspection tool
3. Other solutions that we can find in Python, such as Scapy and Pyshark, a wrapper for tshark that allows the capture and analysis of packets using Wireshark dissectors.
I'll show some use cases where we can use these tools for malware identification through signatures and shellcode emulation/detection.
As a bonus we can analyze the tool that the NSA has for this type of task.
https://github.com/NationalSecurityAgency/sharkPy
Serverless vs Containers: Running code in the cloud
We call them generically "containers" and they are a very popular way to deploy microservices in your infrastructure. When we say "serverless" we mean cloud products that provide "Functions as a Service". In this talk we will review the relationship and differences between these technologies.
From the containers point of view, deploying applications provides better control over when and where developers can deploy the code. From the serverless point of view this control is delegated to cloud services like Google Cloud Functions and AWS Lambda. With some examples we will review the differences between these two approaches.
These could be the main points of the talk:
1. Introduction to container and serverless technologies
2. Examples of code running with these technologies
3. Pros and cons of each one
4. Use cases comparing where one option is better than the other
Monitoring and managing Containers using Open Source tools
The world is advancing towards accelerated deployments using DevOps and cloud native technologies. In architectures based on microservices, container monitoring and management become even more important as we need to scale our application.
In this talk, I will show how to monitor and manage Docker containers in order to keep track of the status of your applications. We will review how to monitor for security events using open source solutions to build an actionable monitoring system for Docker and Kubernetes.
Through a web interface, tools such as cAdvisor, Portainer and Rancher give us a global overview of the containers you are running as well as facilitating their management.
These could be the main points to discuss:
- Challenges in containers and distributed architectures from the point of view of monitoring and administration
- The most important metrics that we can use to measure container performance
- Tools for monitoring and management of containers such as cAdvisor, Sysdig and Portainer
- Rancher as a platform for the administration of Kubernetes
Finding security vulnerabilities in open source projects
In recent years, the number of open source components used by developers has grown. Millions of open source libraries are distributed through centralized systems such as Maven (Java), NPM and GitHub. In this talk, I will present the common security problems faced by companies that use open source.
Every time we download a module to use it in our application, without knowing it we expose our application to the possible security problems and vulnerabilities that these modules have. We will study an example application that uses several vulnerable dependencies, which we will exploit as an attacker would. For each vulnerability, we will explain why it happened, show its impact and, most importantly, see how to avoid or fix it. We will also talk about how to manage the risks of open source software using people, processes and tools.
These could be the main talking points:
- Security in open source repositories
- OWASP Top 10 from an attacker's perspective: I will discuss the OWASP project that provides an environment to learn the OWASP Top 10 security risks, and the main risks we can find in web applications from an attacker's perspective.
- Tools that help protect our applications by scanning for known vulnerable libraries in specific ecosystems like Java, JavaScript and Python.
SecDevOps containers
Security is important but not everyone cares about it until something bad happens.
In this talk I would like to argue that, even with the use of tools oriented to the "DevOps" ecosystem, the essential security elements needed for any application to be deployed in "security mode" are often not considered. In addition to the so-called best practices, the development of efficient, readable, scalable and secure code requires the right tools for secure development.
I'll speak about the main tips for integrating security into DevOps. I will share my knowledge and experience and help people learn to focus more on DevOps security.
These could be the main talking points:
- How to integrate security into iteration and pipeline application development with containers
- How to secure development environments
- DevOps security best practices
Managing and deploying bots with the AWS Lex platform
In this talk I will review the process of creating a bot using the AWS Lex platform. AWS Lex integrates with the Amazon ecosystem and offers an easy way to create bots that can be integrated with a variety of external services like Slack.
First, I will explain the possibilities that AWS provides for building conversational and chatbot interfaces. Then we will continue with how to develop your own chatbot with the Lex and Slack platforms. With the help of the Serverless framework we can orchestrate the operations that AWS requires for managing and deploying the bot.
In this talk I will describe the advantages of the AWS Lex platform and we will focus on the situations in which we can integrate it with Slack chatbots. I will use AWS Lambda with Python for the examples.
These could be the main talking points:
1. Introducing the AWS Lex platform
2. Explaining how chatbots work with the Slack platform
3. AWS Lambda functions with the Serverless framework
4. Managing and deploying bots with Serverless and Python
Developing reactive microservices with Micronaut
Micronaut is a new framework for the JVM that supports Java, Groovy and Kotlin and is designed to build cloud-native microservices. Micronaut is a new solution for developing microservices in Java and provides a server and HTTP client, in addition to supporting reactive and non-blocking microservices by being based on Netty.
Some of the features and advantages of the Micronaut framework include being cloud native, small processes that can run in less than 10 MB of JVM heap memory, and dependency injection with AOP.
In this talk I will give an introduction to Micronaut, comparing it with other market solutions like Spring Boot. We will see the main Micronaut features, analyzing how much less memory it can consume and how much faster its startup time is compared to a similar Spring Boot app.
These could be the main talking points:
1. Introduction to Micronaut and the concept of reactive applications
2. Advantages of Micronaut compared with Spring Boot
3. Best practices for Micronaut
4. Use cases and example applications using Micronaut
2024 All Day DevOps Sessionize Event