So my name is M.C.U.C.H.I. I am mainly a junior part of AXL, but I am a top little bit there about what the junior to AXL is for us: like what our process is, what we do and what we work, technical, record and improvement we make in the production.

So first of all, it's a little bit naive, but I always say that junior to Bax I is very simple. So junior to Bax I is very simple for us because it is a logical issue with an AXL: it's very, very bad things, you have to fix it in the background, to the way you have to touch all the versions which are very, very old. This is an intensive investment, and for you obviously data features are nature-concerned or life reasons, you have to update certain times, may not be released. So the general idea is to prevent and mitigate security issues before they already exist, so investment money for something like this house in the end doesn't change. So I am afraid of the mindset of security development life cycle. It's basically two different steps to show what you do with H.I.T. development, and I am sure what we do with H.I.T.
So you have to develop something with some kind of training, for example documentation. It's not easy, but this is basically the developer manual and you see several security guidelines, and we explain in it what is this kind of security bug, how to avoid it, and like for example so the developer can understand what are the issues involved, and if you are in trouble you have this security training. So one example will be tomorrow, you know, someday even they will have the next product, we will go together for the next product and look at how to make it more secure. This will be quite cool if you won't attempt development, okay.

And if we fix an issue, actually we ask developers to fix it themselves. So if someone is having this security bug it's like, hey, can you please fix it, or something like that, because then you actually learn and you plan, you probably don't make the same mistake again the next time. So that's something nice; not everybody likes it.

So obviously, before you develop a feature, just think a little bit about how this is going to be and what are the impacts, and you actually have a channel which finds what is the specific kind of video you are allowed to do. So for example, what may the administrator do and what may the general user do, and this is documented, and this is something that we hope for customers. So the customer has a specific security environment that comes to us and you can look into it if you plan a new information always pass.

So after you have developed something you actually need to check, or you might want to, you need to check if in this case you are not going to be there. So you have a static environment you can use, you can use one of these tools or one of these, right, but it actually does it to how your foot goes in there. It looks at the paths, like this is how the user and the user end up in the data, this is how the program ends, and these are functions where potentially user input gets caught in their statements, like you can function that now and execute
shell commands, and you can send some power to the user, and then this program when you are really sure the data is escaped, or why you really should be able to do this. And you also do some kind of... so it's not all automatic. Automatic statistics are nice, but they don't solve everything; it's basically a very dark and insured. So if an automatic scanner finds something, you can be sure there will be some other things in the program which are way bigger mistakes, and you have to split management to help you do this.

So before something can enter a product, it is going to be good by at least two people, so in the end at least three people have looked at it: yourself, somebody else and somebody else. And this actually goes this way: so you open the program first, then you describe, hey, this is the reason I could change, and you could mention what people, like for example if it is about shell you could mention here and ask here to take a look at it. Here in the next year, if somebody else they say, hey, this looks good to me, that's a project, and what we can do with this: you can merge it. There is actually a technical importance, so you can request to merge, but you also have to be upset, so it's not possible to merge something on your own in a malicious way.

And also within every language you have some kind of unsafe functions. Unsafe functions is something which most face to the community, so there are functions, if you ever use them, you are not going to be doing something wrong, and if user input lands in them you probably will not be able to do this tuition or something like that. And you actually have a static scanner tool in your product which checks as well on forbidden functions, so functions like unserialize are forbidden, and if you use them the scanner will actually point out: you are using unsafe, it's not good. Obviously this is not perfect, but it's just a matter of insurance, because if you really want to do something, even if you can still write unserialize in some other way, it's
analytically evaluated, but this one is more than normal, and it's also organized as security faults. So when we develop something we think about how can you make a way that is purely money and nobody out there, like you are having some agents or people in the type of thing, that should still be reasonable to achieve it, so you don't face the truth, and this something makes, but nothing should totally make a big change.

One example here, a nice one, is actually the function that shows the login folder, so the login page. What you basically see here is one of the functions: so you have this ad site and behind this page you make like, hey, this is a public page, if you don't like this, that's what it does. So you basically say this function is available to the public, or for local viewers, or whatever type of movie, you know, you mentioned. But you also basically end for cross-site request forgery machines. So cross-site request forgery is basically the entire security vulnerability when you are working on a website and you are in need of this, so that's a good bonus. So if you open my website and on my website I have a chance to send the request to your Nextcloud, then it will contain the cookies, then it will be protected. What you actually have is a shared secret on the left side and on the left side, and if you do not exit this it will be blocked out; this secret will be hidden. And there are also other things that I got from the session, from the community for you: if you want to have a write-the-video session you can say I want the session to be write.

Another example is you have this also on the files, so that the developer actually doesn't use directly the function to write on the creative system. You write on the creative system, you write on the creation layer, you write on the files, you write on the node API, and in this the other nice thing is, like if you change it in the folder you should not be able to escalate out. So in the file session you should not end up something above this
folder, so the worst that can happen is that an attacker could make something like this. You just look at this, all of them have automatically looked at it, and now we have, we need some audience to look at all of them.

So we have a successful bug bounty program to help you out, using the HackerOne platform, which is used by more than 3,000 hackers out there, and all of the projects from these, also from my Japanese Twitter, and he made it. And what it basically is about is platforming, and like, institute bugs to a specific company and they evaluate it and you will pay for this. It's not a bad institution, and we basically are the highest people in the open source world. I have some group here, so if you look at this, this is the maximum group, and I don't know if you can pay someone the other $5,000 is one of the security issues. There are a lot of projects like catchy and I think there are 3,000 of them, and if you look at the million dollar companies like Dropbox you already see that Dropbox is making significant debt compared to the other popular sites like that, which is probably more than the fastest. And if you look at other, also projects, you see there are actually 8 people, 8 people, 8 people can actually look at the cost and buy a station, and there is not only one person, which I guess is probably a plane or a bus.

So if you look at the response timings, this is the response efficiency, and you see that we have an average 5% response in the top performance of the website, which is a little bit about the production, but it would have to take like one out of these to respond to you, which is obviously not so awesome if you are not a security worker, because you want feedback, and most of the people on the house would not want to protect the cost of the money if you have to wait for weeks to be here, and where you get the money you probably don't want anything else extra. So if you look at the amount of work that this platform creates, you see this is this game, we can do this about 240, this is 100 here.
So you see, when we have started the program we have like 240 calls in a day, which was a little bit annoying to fly, and in our days we are down to just 100 calls a week, which is very romantic. But compared to payouts, actually we see that only payout, but I can't believe it so far, so far, and those are all about 9 vulnerabilities, and most of the vulnerabilities are actually not vulnerabilities at all, but somebody can understand the software or something like that. But again, we are not in the 19th century, so we are on the website, so we are in some misconfiguration or servers, and we are flying 400,000 to 100,000, so it's a better way.

And once you have identified a vulnerability, we are going to publish a database called a number which is unique to this vulnerability, and if you talk in the future about this vulnerability you can say CVE 215 ZZ1, of this vulnerability we had 2 years ago, which it isn't there, which is not really something easy to communicate, and everybody thinks of some of the vulnerability in this one. So we just know that we are vulnerable, but likely when we release a little bit later or more later, but when we release the vulnerability it's not so easy to recognize the vulnerability. And it's that vulnerability which is a number which is 0 and 10: 0 is an opportunity and 10 is this vulnerability, and I always say up to 6 eventually it's deep, and when it's over 6 you better be able to fix it soon, and that's a nice way to communicate it. But it also, like sometimes we know we feel high and it's a little bit out of control, but most of the vulnerability is actually very low, it's a lot of difficulty to fight. We also have the impact of this vulnerability and the vulnerability description, like this vulnerability: this release fixes this and that vulnerability, this is what the attacker can do if they exploit this vulnerability, and then the users that I have, which is of perspective, which version is attached, and like, like this person, it changes very much when we release it. It takes 14
days after release. So what we do is we release a version, we wait 14 days, and then we release this information. For customers we release this information on the same day as the release, and if it is a more or less specific issue we also provide an additional plan, so I can say that this issue has this impact, we plan to make a release, and one week after, if you want to apply this patch now, you will be protected. But that's obviously up to them, because we do provide a little choice to apply this issue in advance.

And if you look at the statistics of vulnerability before, it shows some nice data. So this is the fixed of vulnerability that you have to look at, which shows several vulnerabilities, and you talk to them there is something about 10, and you may not think more, 10 is a huge number, but if you look at other programs like chapter, some other advice that you will see is actually a little bit more interesting. The statistics of the reports in Germany by external people in Oman: if you see more of the vulnerability in the actual time in Germany, this is since 2013 to now. Look at the human years: we see in 2013 there are a lot of vulnerabilities, because this panel is basically a release, an advice update for every week, and if you have one security check missing you have this type of vulnerability like 20 times, but it will probably come in one time. So this is actually caused by one type of generic vulnerability which applied to World of Platform in 2010, and you see this type of vulnerability, this type of vulnerability, this type of vulnerability. In 2013 you see the orange bar actually going down, a lot of people, and if you look at 2014 you see it's actually way out of vulnerability because external contributions went down, a very low amount. And if you look at 2015 you see the example of the bug bounty program: the vulnerabilities that were caused by external people were actually of very low visibility, so a lot of people in general here defines anything by example. OK, now we have
about some security colleagues, I think, in the last few weeks, so for example CSP and SameSite. I don't know if you know about Content Security Policy. Content Security Policy and execution of the inline response: I had an example to this day, I implemented this in 2013 as a first, the concept over time there was always a big stricter, and other politicians had implemented this in 2015 despite having to delay more and develop a lot more, something to shock you.

And you also see what is happening which allows you to enter the name. So what you would see if your boss is in the field, they would enter your name, and if you enter your name it says hello. It's a tech company, but you know, it's basically an enterprise, so you enter basically an ancient company; it isn't a scam, a tech company who is not short-lived, but maybe something like a user with this password or some other nasty stuff. Basically, if you access everything that the user can do in this current session, so if the user can click, the user can process your existence. So what you basically need to invent more of it is sending a header that it packs the browser to not execute. So what we say is, when you fold that thing you can execute anything, but for a browser they are allowed to do the same domain. So for one time they are allowed to do the same domain, but not if they don't do the same domain in the region. Then we have the same kind of these files, like images are allowed from the domain, but you can also embed the thing, like you can also execute this. So you see it is very long and short here, but in the end it points out the only allowed content of the same domain. If I access this thing, next up what you can see is this currency, so we can't execute this in background because it is not allowed by the policy. So if there is an accessible ability, in most places, because most browsers actually call it at the moment, there is one exception coming from the house of that one in the United States, so if you use Internet Explorer
you might forget it, because they have all this nice cute power name, but this is for the administration.

What we also do is, I have already talked about CSRF before. CSRF is this type of anonymity open on the website, and the whole website sends a request to your Nextcloud, and the Nextcloud doesn't know from the website, just the streams that you authentically can use again. What we do against this is we have to share a secret, which the next type of anonymity. But what we also do is, since I can use this for the long term, Microsoft has said we are working on this, so we are going to use Microsoft actually, that is, so please ask more text files have something that. And what is there is this additional activity where we can say this cookie can only be sent from the same domain. So if you visit a new website and send a request to your Nextcloud, what could actually happen is this cookie will not be sent by Microsoft, and you can actually have all these requests to be sent, so the request has been sent by the whole website. And what we do is we enforce this actually for every action controller: we enforce that this cookie has been sent, and an action controller is something that changes something. But in terms of what we change the setting, actually this cookie has been sent, which is only sent from the same domain, and for every new controller we require the lax cookie, which is pretty much the same but it is sent in a few more cases. So if you open a Microsoft Q you have to find the link from every time, because if you click on the link to the next part it will only send the lax. So that this product will still serve the only Microsoft in collection controllers, and for all controllers like new controllers, and the chance of being require only the lax, but that is how best we implement it.

So I think I have found a lot of requests that you are in now, lots of texting questions. Yes, how do you protect the apps? So what kind of new questions: so at the moment we are using the old ones right now, but for
the next version we use Nextcloud. Nextcloud, there is some kind of security building that the old one is. So what is implemented is every app has to be signed, set in the app, if the app is inside you print it up, and the set in the app, set in the app to put the app into us. So the old ones, they just have to fill out the specific form you see here, is the legend app, or it's actually ignoring, and then you need to give the system that form. So we have some kind of path model to do that work. So once the system is set, then update the app and the 19th of this, so we need to set all the steps, and some of us have control of all the data that is stored. This won't affect the user, because when a chapter can't move they won't be able to serve the system, but next will be available in the signature shop, not in the signature shop, so we have to make it. So this is a good pass. Any more questions? That's important now.
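Added editor's example, not code from the talk or from the Nextcloud project: the three web-layer protections the speaker describes, modelled in plain Python. They are a per-session shared secret (CSRF token) that every state-changing "action" controller must receive back, a pair of session cookies sent with SameSite=Strict and SameSite=Lax where action controllers require the Strict copy and other controllers accept the Lax copy (so a plain link from another site still works), and a Content-Security-Policy header that only allows content from the site's own origin. The cookie and header names (sess_strict, sess_lax, X-CSRF-Token), the Request class and the browser_cookies helper are assumptions constructed for the example; browser_cookies models what a SameSite-aware browser attaches to a request, it is not a real browser.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
STRICT_COOKIE = "sess_strict"   # assumed name: session marker sent with SameSite=Strict
LAX_COOKIE = "sess_lax"         # assumed name: same marker sent with SameSite=Lax
TOKEN_HEADER = "X-CSRF-Token"   # assumed header carrying the per-session shared secret


@dataclass
class Request:
    """What the server sees: the method plus the headers and cookies the browser attached."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def browser_cookies(session_id: str, cross_site: bool, top_level: bool, method: str) -> dict:
    """Model which of the two cookies a SameSite-aware browser attaches (constructed model).
    Same-site requests carry both; a cross-site top-level navigation with a safe method
    (the user clicks a link on another site) carries only the Lax one; a cross-site
    POST, XHR or <img> fetch carries neither."""
    if not cross_site:
        return {STRICT_COOKIE: session_id, LAX_COOKIE: session_id}
    if top_level and method in SAFE_METHODS:
        return {LAX_COOKIE: session_id}
    return {}


def issue_csrf_token(session: dict) -> str:
    """Create, once per session, the random shared secret the page must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_valid(session: dict, request: Request) -> bool:
    """Constant-time comparison, so a wrong token reveals nothing about the right one."""
    presented = request.headers.get(TOKEN_HEADER)
    expected = session.get("csrf_token")
    if not presented or not expected:
        return False
    return hmac.compare_digest(expected, presented)


def session_cookie_headers(session_id: str, secure: bool = True) -> list:
    """Set-Cookie values for the two copies of the session marker."""
    flags = "; Path=/; HttpOnly" + ("; Secure" if secure else "")
    return [
        f"{STRICT_COOKIE}={session_id}{flags}; SameSite=Strict",
        f"{LAX_COOKIE}={session_id}{flags}; SameSite=Lax",
    ]


def csp_header() -> str:
    """Content-Security-Policy allowing only the site's own origin. There is no
    'unsafe-inline', so a <script> reflected into the page (the 'enter your name'
    example) is not executed by a browser that honours the policy."""
    directives = [
        ("default-src", "'none'"),
        ("script-src", "'self'"),
        ("style-src", "'self'"),
        ("img-src", "'self' data:"),
        ("font-src", "'self'"),
        ("connect-src", "'self'"),
        ("frame-src", "'self'"),
        ("form-action", "'self'"),
    ]
    return "; ".join(f"{name} {value}" for name, value in directives)


def check_request(session: dict, request: Request, state_changing: bool) -> list:
    """Reasons a request is refused (an empty list means accepted).
    State-changing ('action') controllers need the CSRF token and the Strict cookie;
    read-only controllers only need the Lax cookie, so following a plain link from
    another site still works while a forged cross-site POST is refused."""
    reasons = []
    if state_changing:
        if not csrf_token_valid(session, request):
            reasons.append("missing or wrong CSRF token")
        if STRICT_COOKIE not in request.cookies:
            reasons.append("strict cookie absent")
    elif LAX_COOKIE not in request.cookies:
        reasons.append("lax cookie absent")
    return reasons


if __name__ == "__main__":
    # Constructed walk-through: a legitimate same-site POST and a forged cross-site POST.
    session = {}
    token = issue_csrf_token(session)
    own_page = Request("POST", {TOKEN_HEADER: token}, browser_cookies("s1", False, True, "POST"))
    forged = Request("POST", {}, browser_cookies("s1", True, True, "POST"))
    print("own page:", check_request(session, own_page, True) or "accepted")
    print("forged:  ", check_request(session, forged, True))
    print(csp_header())
```

The two-cookie split is what lets the Lax copy serve the "click a link in a mail" case the speaker mentions: the Strict copy is withheld on every cross-site request, including top-level navigations, so requiring it on action controllers alone would break links into the application, while requiring only the Lax copy on read-only controllers keeps them reachable.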