探花视频

探花视频, in conjunction with its vendor partners, sponsors hundreds of events each year, ranging from webcasts and tradeshows to executive roundtables and technology forums.

Government Events and Resources

Events

F5

F5 Capture the Flag


Event Date: February 04, 2025
Hosted By: F5, WWT & 探花视频
Location: Scott AFB, IL

The F5 DISA team hosted an interactive Capture the Flag competition where attendees competed against others to hunt for API vulnerabilities and learn how they work.

In this lab and Capture the Flag exercise, attendees learned how to identify and mitigate:

  • Hard-Coded Secrets: Many applications exchange user credentials for a hard-coded token or key. Anyone who knows the key can gain access to the application, and such keys often have no expiration, allowing a user to circumvent the authentication process entirely.
  • Broken Authorization: Granting API keys blanket access has proven detrimental to multiple mobile and web applications. Malicious users have used such blanket access to obtain confidential data belonging to others.
  • Data Access Control on User Interface (UI): Time and again we have seen implementations where APIs pull more data from a server than the app is authorized to share; even if the app's UI filters that information from the user, attackers can access and exploit it.
  • Security Check for User Interface (UI): Over the last few decades, we have learned that no input from the client should be trusted blindly. In some instances, checks are built into the UI, but they can be circumvented with man-in-the-middle tools or API tools.
  • Weak Tokens: JSON Web Token (JWT) has soared in popularity for use within APIs because it provides integrity. However, a JWT implementation without a proper cryptographic signing mechanism can lead to privilege escalation.
  • Credential Stuffing: Bots have automated the testing of stolen website login credentials, and testing credentials against APIs is no different. Bots can be used to scrape APIs for data or to validate stolen credentials, eventually leading to account takeover (ATO) attacks.
  • Version Troubles: APIs are often changed to add functionality or remove unused features. These changes can break the clients that use them, so organizations commonly maintain multiple API versions to ensure compatibility. Older versions are easily treated as out of sight and out of mind: their security controls are not kept up to date, and that neglect has caused breaches.
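The "Hard-Coded Secrets" and "Weak Tokens" items above describe the same verification mistake from two angles: a token that is never checked for expiry, and a token whose signature is never really checked because the verifier trusts the algorithm the token itself declares. The following is an added example, not code from the F5/WWT lab, written in Python with only the standard library. It puts a weak decoder next to a hardened one so the difference is visible on three constructed tokens: a valid one, an unsigned one that claims an elevated role, and an expired one. The secret, clock value and claim names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo secret. A real service loads this from a secret store, never from source.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: header.payload.signature, all base64url."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def unsigned_token(payload: dict) -> str:
    """A token with alg 'none' and an empty signature: what a weak verifier must reject."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(payload) + "."


def decode_weak(token: str, secret: bytes = SECRET) -> dict:
    """The weak pattern: the algorithm is read from the token, and expiry is never checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return payload  # no signature check at all: anyone can mint claims
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Hardened: pin the algorithm server-side, always verify the MAC, require and enforce exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier decides the algorithm, not the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)):
        raise ValueError("missing exp")  # a token that never expires is a hard-coded key
    if now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def _outcome(fn: Callable[[], dict]) -> str:
    try:
        return "accepted:" + str(fn().get("role"))
    except ValueError as err:
        return "rejected:" + str(err)


def demo() -> dict:
    """Run both decoders over three constructed tokens and report what each one accepted."""
    now = 1_700_000_000  # constructed fixed clock so the result is deterministic
    tokens = {
        "good": sign_hs256({"sub": "alice", "role": "user", "exp": now + 900}, SECRET),
        "forged_none": unsigned_token({"sub": "alice", "role": "admin"}),
        "expired": sign_hs256({"sub": "alice", "role": "user", "exp": now - 1}, SECRET),
    }
    return {
        name: {
            "weak": _outcome(lambda: decode_weak(tok)),
            "hardened": _outcome(lambda: verify_hs256(tok, SECRET, now=now)),
        }
        for name, tok in tokens.items()
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The weak decoder accepts all three tokens, including the unsigned one that grants itself the admin role and the one that expired; the hardened verifier accepts only the valid token. The two controls that make the difference are pinning the algorithm in server code and treating a missing `exp` as an error rather than as "valid forever".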



Resources



AWS Spotlight Series: Better Together: AWS & Palo Alto Networks' Prisma Cloud

Palo Alto Networks and AWS have created the joint venture Palo Alto Networks Prisma Cloud, a comprehensive cloud-native security platform that protects your AWS Cloud environments. Palo Alto Networks Prisma Cloud SLED team members Mat Lamb, Tracey Conn, and Paul Wells discussed this new security offering and its development.

In this session, attendees:

  • Discovered how to obtain a full asset inventory of resources across multiple AWS accounts and uncover security issues
  • Learned how to automatically benchmark their AWS environments against compliance standards such as General Data Protection Regulation, Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, and more
  • Found out how to easily investigate issues with powerful query language and an audit trail
  • Saw how to consolidate data from multiple threat intelligence streams while protecting cloud environments with governance policies, increasing runtime protection, and implementing full lifecycle security with AWS Inspector, GuardDuty, and Security Hub
