Hi, I am Shubo

Shubo Zhang

Senior Software Engineer at Tenable

I am a passionate software engineer with 10+ years of working experience.

Leadership
Team Work
Communication
Hard Working
Fast Learner
Problem Solving

Skills

Experiences

Senior Software Engineer
Tenable

Jan. 2020 - Present, Columbia, MD

Tenable delivers unparalleled coverage and comprehensive insight to enable you to detect vulnerabilities, assess risk, and prioritize remediation for every asset, in every environment.

Responsibilities:
  • Design and develop XYZ tool for ABC task
  • Design, develop and manage the disaster recovery tool Xtool, which backs up Kubernetes volumes, databases, and the cluster's resource definitions.
  • Lead backend team.

Software Engineer
Nielsen

Oct. 2018 - Jan. 2020, Columbia, MD

Nielsen is a global measurement and data analytics company that provides the most complete and trusted view of consumers and markets worldwide. Nielsen has operations in over 100 countries.

Responsibilities:
  • Write lots of example code.
Software Engineer
T.Rowe Price

Oct. 2017 - Oct. 2018, Baltimore, MD

T. Rowe Price Group is a global investment management firm that offers funds, advisory services, account management, and retirement plans and services for individuals, institutions, and financial intermediaries.

Responsibilities:
  • Write lots of example code.

Software Engineer
FINRA (Financial Industry Regulatory Authority)

Oct. 2016 - Oct. 2017, Rockville, MD

FINRA is a private corporation that acts as a self-regulatory organization. FINRA is the successor to the National Association of Securities Dealers, Inc. and the member regulation, enforcement, and arbitration operations of the New York Stock Exchange.

Responsibilities:
  • Write lots of example code.
Software Engineer
Multiplan

Aug. 2015 - Oct. 2018, Rockville, MD

MultiPlan has pioneered innovative solutions for healthcare payors, drawing on unique insights and data analysis to customize an action plan to help each of our customers thrive. Our roots go back to MultiPlan’s early days as a New York hospital network, and we have grown, adapted and innovated our way to offering the industry’s most comprehensive portfolio of cost management solutions.

Responsibilities:
  • Write lots of example code.

Projects

Kubernetes
Contributor March 2018 - Present

Production-Grade Container Scheduling and Management.

Tensorflow
Developer Jun 2018 - Present

An Open Source Machine Learning Framework for Everyone.

Toha
Owner Jun 2019 - Present

A Hugo theme for personal portfolio.

Recent Posts

OWASP Top 10 Web Security Risks (3): Sensitive Data Exposure

OWASP Top 10 Information Security Topics: Injection; Broken Authentication; Sensitive Data Exposure; XML External Entities (XXE); Broken Access Control; Security Misconfiguration; Cross-Site Scripting (XSS); Insecure Deserialization; Using Components with Known Vulnerabilities; Insufficient Logging and Monitoring.

Sensitive Data Exposure. Many websites and APIs fail to properly protect sensitive information such as financial, medical and personal data. Attackers can steal or tamper with this data to commit credit card fraud, identity theft and other crimes. Sensitive data exposure is mostly caused by the lack of additional encryption protecting the data, for example not encrypting it on the server side and in transit, especially when exchanging data with the browser.

Understanding Sensitive Data Exposure. In the past few years, sensitive data exposure has caused the most severe impact in network security. The most common security lapse is not encrypting sensitive information, or not encrypting it according to security guidelines: for example in key generation and management, in the use of insecure algorithms, protocols and networks, and especially in storing data under weak password hashes.

The threat of sensitive data exposure can come from outside and from inside. External attackers usually do not brute-force the encryption directly; instead they intercept and steal plaintext during data transmission and interaction with the customer's browser, and then attack the encryption system. Internal threats mainly come from employees who use permission flaws to download sensitive data directly; if the data is encrypted only on the server side, without multiple layers of encryption, it is automatically decrypted during download and the employee obtains the sensitive information in plaintext.

Sensitive information generally includes personally identifiable information, medical records, passwords, private information, credit card data, and data that laws require to be controlled. Sensitive data exposure is not only a matter of financial and reputational loss, but also of the accompanying legal liability. Therefore sensitive information requires additional encryption protection both in storage and in transit. At a minimum, consider the following concrete questions:
  • Are unencrypted, insecure protocols such as HTTP, SMTP and FTP used during data transmission?
  • Is data kept encrypted throughout transmission over external networks, for example between load balancers and between the application's front end and back end?
  • Is sensitive data backed up?
  • Do the encryption algorithms meet current security standards, and does the code use encryption algorithms that are too old or weak?
  • Are default encryption algorithms used, are weak keys used, are keys reused, and are keys rotated regularly?
  • When exchanging data with the client, is secure encrypted communication enforced?

OWASP Top 10 Web Security Risks (2): Broken Authentication

OWASP Top 10 Information Security Topics: Injection; Broken Authentication; Sensitive Data Exposure; XML External Entities (XXE); Broken Access Control; Security Misconfiguration; Cross-Site Scripting (XSS); Insecure Deserialization; Using Components with Known Vulnerabilities; Insufficient Logging and Monitoring.

Broken Authentication. In application development one must ensure security while also providing a good user experience, and authentication, authorization and session management are prone to faulty implementation and vulnerabilities. Attackers can exploit these vulnerabilities to bypass authentication checks and use other people's accounts temporarily or permanently.

Understanding Broken Authentication. For applications that must keep state, the design and implementation of authentication, authorization and session management are prone to vulnerabilities. Session management in particular is the foundation of authentication and authorization, and attackers mostly target expired tokens. Attackers have massive sets of valid username and password combinations, which can be used in:
  • credential stuffing attacks
  • default administrator account lists
  • automated brute forcing
  • dictionary attack tools
Through these means attackers can discover broken authentication vulnerabilities. Generally, an attacker needs only a few accounts, or a single administrator account, to break into and compromise a system, which can have very serious consequences such as money laundering, identity theft and leakage of important sensitive information.

Which situations are vulnerable to attack:
  • credential stuffing attacks are allowed
  • brute forcing is allowed
  • default or very weak passwords are allowed, such as "Password1" and "admin/admin"

Achievements

Best Presenter

Champion

Graduation

Award Winner