2018 Colombia: Deconstructing and Evolving REST Security by César Hernández
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility and habitually give old concepts new names. This session goes deep into the current state and evolution that security in REST service-based architectures has required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP Signatures as used by Amazon in B2B APIs. Finally, it analyzes a new Internet Draft launched this year that combines both into the perfect two-factor system that could provide a consolidation for mobile and business REST scenarios.
Stateless Microservice Security via JWT and MicroProfile - ES by Otavio Santana
This document summarizes Otavio Santana's presentation on stateless microservice security using JWT and MicroProfile. The presentation covered the limitations of Basic Auth and OAuth 2.0, and introduced JSON Web Tokens (JWT) as an alternative token-based authentication approach. It demonstrated how JWT can be used to securely transmit user authentication and authorization information in HTTP requests to microservices.
Stateless Microservice Security via JWT and MicroProfile - Guatemala by Otávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
In the second half of this presentation we'll deep-dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend data, performs server-side verification and injection of claims, and handles client-side login and refresh. All code is in GitHub; you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - Mexico by Otávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline Microservice architecture.
In the second half of this presentation we'll deep-dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java Microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend data, performs server-side verification and injection of claims, and handles client-side login and refresh. All code is in GitHub; you'll leave ready to bootstrap your next truly secure full-stack project.
2018 SDJUG Deconstructing and Evolving REST Security by David Blevins
The document discusses various approaches for securing REST APIs, including basic authentication and its limitations, OAuth 2.0 protocols, and using hashing and signing techniques like HMAC and RSA. It provides examples of basic authentication, OAuth 2.0 password and refresh grants, and generating and verifying hashes and signatures of data. The presentation aims to explore standards for REST security beyond basic authentication and improving statelessness.
Microservice Security via MicroProfile JWT by César Hernández
The learning curve for security is severe and unforgiving. This session goes deep into the current state and evolution that security in REST service-based architectures has required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP Signatures as used by Amazon in B2B APIs. Finally, it presents the Eclipse MicroProfile JWT project, which provides an enterprise Java API optimized for microservice-oriented architectures. A practical case will be presented in which a secure application is built with MicroProfile JWT, Apache TomEE and AngularJS, demonstrating the advanced configuration, CDI, authentication and authorization capabilities that Eclipse MicroProfile JWT offers. During this session attendees will see the basic concepts of REST security with OAuth 2.0, JWT and HTTP Signatures. The practical case will be presented using Eclipse MicroProfile on an application with an AngularJS front end and Java EE on Apache TomEE.
The document discusses various approaches to securing REST APIs, including basic authentication and its limitations, OAuth 2.0 tokens and refresh tokens, hashing, and signing. It notes that while standards provide options, they do not ensure security and proper implementation is important. The presentation evaluates approaches based on performance and security, noting tradeoffs between the two goals.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile by Jean-Louis Monteiro
Microservices-based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people-oriented architecture. This presentation will focus on this landscape and explain how to leverage the quickly evolving MicroProfile JWT specification to secure Microservices in a fully stateless and scalable manner. We'll introduce the specification in a quick and no-nonsense fashion and move on to several code examples that show how to set up JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we'll be using Apache TomEE, a fully open source lightweight Java EE server and MicroProfile implementation.
2017 DevNexus: Deconstructing REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2017 Devoxx MA Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Denver JUG Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
Side-Channels on the Web: Attacks and Defenses by Tom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2018 jPrime Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
2018 Boulder JUG Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
This study investigates users’ behavior in password utilization. Good password practices are critical to the security of any information system. End users often use weak passwords that are short, simple, and based on personal and meaningful information that can be easily guessed. A survey was conducted among executive MBA students who hold managerial positions. The results of the survey indicate that users practice insecure behaviors in the utilization of passwords. The results support the literature and can be used to guide password management policy.
- JWT tokens can be attacked by exploiting vulnerabilities in how they are validated and used. Common attacks include modifying token properties like the signing algorithm, injection of header parameters like kid and x5u, and cracking weak HS256 keys.
- Tools like jwtbrute and libraries that don't properly validate tokens can aid exploitation. Attackers aim to have their tampered tokens treated as authentic by compromising validation processes.
- Developers must carefully validate all token properties, use strong signing keys, and avoid deserialization that doesn't verify signatures to prevent exploitation of JWT tokens.
This document discusses password security and provides guidance on creating strong passwords. It notes that passwords should be long, using the full character set across uppercase, lowercase, numbers and symbols. Short passwords can be cracked very quickly using modern computing power even with hashing and encryption. The document demonstrates how different password lengths and compositions affect cracking times, showing that longer passwords above 14 characters that take full advantage of the available character set are most secure. It encourages creativity in password composition and testing passwords on online strength meters.
"A rootkit writer's guide to defense" - Michal Purzynski (PROIDEA)
Michal will take you on a journey all the way to the 90s and back, sharing the Mozilla detection framework, a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better, a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ... by OpenDNS
The document discusses tracking infrastructure related to malware botnets through passive monitoring and active probing techniques. It provides an overview of tracking systems used to monitor the Gameover Zeus (GOZ) and newGOZ botnets. Specific case studies are described on tracking the fast flux proxy network of the Zbot botnet and predicting and identifying command and control domains generated by the domain generation algorithm (DGA) of the newGOZ botnet.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..." (PROIDEA)
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges:
- The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead writes a PowerShell script to the Windows registry and executes it using a special regex-based run key.
- Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. On every system reboot, it decrypts the payload in memory and runs it with a Visual Basic script that runs PowerShell. This allows Ramnit to avoid running a detectable executable file as it used to do in the past.
- BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server.
Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants' knowledge of today's bankers and help them get deeper into the current-day scripting-related techniques cybercriminals use.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
Cryptography involves techniques for securing communications and information. The document discusses several cryptographic concepts:
1. Hashing involves running data through a function to generate a fixed-size output called a digest or hash. Common hashing algorithms are MD5, SHA-1, and SHA-256.
2. Symmetric encryption uses the same key for encryption and decryption. Algorithms like AES and DES encrypt blocks of data under a secret key.
3. Asymmetric encryption uses different public and private keys. RSA and ECC are common algorithms. Keys can be generated, and data encrypted and decrypted.
4. Digital signatures provide integrity by allowing the authenticity of data to be verified. Signatures can
The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
2018 JavaLand Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
2017 JavaOne Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2017 DevNexus Deconstructing REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2017 Devoxx MA Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Denver JUG Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Side-Channels on the Web: Attacks and Defenses by Tom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2018 jPrime Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
2018 Boulder JUG Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
This study investigates users’ behavior in password utilization. Good password practices are critical to the security of any information system. End users often use weak passwords that are short, simple, and based on personal and meaningful information that can be easily guessed. A survey was conducted among executive MBA students who hold managerial positions. The results of the survey indicate that users practice insecure behaviors in the utilization of passwords. The results support the literature and can be used to guide password management policy.
- JWT tokens can be attacked by exploiting vulnerabilities in how they are validated and used. Common attacks include modifying token properties like the signing algorithm, injection of header parameters like kid and x5u, and cracking weak HS256 keys.
- Tools like jwtbrute and libraries that don't properly validate tokens can aid exploitation. Attackers aim to have their tampered tokens treated as authentic by compromising validation processes.
- Developers must carefully validate all token properties, use strong signing keys, and avoid deserialization that doesn't verify signatures to prevent exploitation of JWT tokens.
This document discusses password security and provides guidance on creating strong passwords. It notes that passwords should be long, using the full character set across uppercase, lowercase, numbers and symbols. Short passwords can be cracked very quickly using modern computing power even with hashing and encryption. The document demonstrates how different password lengths and compositions affect cracking times, showing that longer passwords above 14 characters that take full advantage of the available character set are most secure. It encourages creativity in password composition and testing passwords on online strength meters.
"A rootkits writer’s guide to defense" - Michal PurzynskiPROIDEA
Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ... by OpenDNS
The document discusses tracking infrastructure related to malware botnets through passive monitoring and active probing techniques. It provides an overview of tracking systems used to monitor the Gameover Zeus (GOZ) and newGOZ botnets. Specific case studies are described on tracking the fast flux proxy network of the Zbot botnet and predicting and identifying command and control domains generated by the domain generation algorithm (DGA) of the newGOZ botnet.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
Cryptography involves techniques for securing communications and information. The document discusses several cryptographic concepts:
1. Hashing involves running data through a function to generate a fixed-size output called a digest or hash. Common hashing algorithms are MD5, SHA-1, and SHA-256.
2. Symmetric encryption uses the same key for encryption and decryption. Algorithms like AES and DES encrypt blocks of data under a secret key.
3. Asymmetric encryption uses different public and private keys. RSA and ECC are common algorithms. Keys can be generated, and data encrypted and decrypted.
4. Digital signatures provide integrity by allowing the authenticity of data to be verified. Signatures can
The document discusses using the ELK stack (Elasticsearch, Logstash, Kibana) to analyze security logs and events. It describes how to ingest logs into Logstash, normalize the data through filtering and parsing, enrich it with threat intelligence and geolocation data, and visualize the results in Kibana. The TARDIS framework is introduced as a way to perform threat analysis, detection, and data intelligence on historical security logs processed through the ELK stack.
An attacker was able to gain access to an internal network by phishing a secretary's smartphone. They then used lateral movement techniques like pass-the-hash to escalate privileges and access sensitive files. This included obtaining Domain Admin credentials for the "adm.arazzi" user. The attacker was ultimately able to exfiltrate data and establish persistence on the network.
2018 JavaLand Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
2017 JavaOne Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 Madrid JUG Deconstructing REST Security by Bruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach will be explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2018 IterateConf Deconstructing and Evolving REST Security by David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2019 ITkonekt Stateless REST Security with MicroProfile JWT by Jean-Louis Monteiro
This document discusses stateless microservice security using JSON Web Tokens (JWT) with OAuth 2.0. It begins with an introduction to microservices architecture and its new security challenges compared to traditional monolithic systems. It then covers some common security options for microservices, including basic authentication, OAuth 2.0, and JWT. The document demonstrates how OAuth 2.0 token exchanges can be used to issue JWTs that are passed in authentication headers for microservice requests instead of sending passwords over the network. This improves scalability by eliminating network hops and allowing for stateless security checks of the signed JWTs.
REST API Security: OAuth 2.0, JWTs, and More! by Stormpath
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
InterCon 2016 - Digital identity security taking into consideration a... by iMasters
Erick Tedeschi talks about digital identity security taking a microservice architecture into consideration at InterCon 2016.
Learn more at http://intercon2016.imasters.com.br/
DEMYSTIFYING REST
Kirsten Jones
REST web services are everywhere! It seems like everything you want is available via a web service, but getting started with one of these web services can be overwhelming – and debugging the interactions bewilders some of the smartest developers I know. In this talk, I will talk about HTTP, how it works, and how to watch and understand the traffic between your system and the server. From there I’ll proceed to REST – how REST web services layer on top of HTTP and how you can expect a REST web service to behave. We’ll go over how to monitor and understand requests and responses for these services. Once we’ve covered that, I’ll talk about how OAuth is used for authentication in the framework of a REST application. PHP code samples will be shown for interacting with an OAuth REST web service, and I will cover http monitoring tools for multiple OS’s. When you’re done with this talk you’ll understand enough about REST web services to be able to get started confidently, and debug many of the common issues you may encounter.
This is my initial release of a slide deck used to support a quick training to students on Facebook and Twitter API. A lot of stuff would need to be fixed (my English first as a non-native writer :-). It also does not (yet?) cover all APIs.
This support is better with associated resources such as the underlying Postman request collections.
Please feel free to give feedback if any.
OAuth 2.0 is an open protocol that gives us authorization and delegation for our HTTP APIs. In this session we will review the state of the art of security in HTTP APIs. Next we will move on to understanding what this protocol is and how it works. We will go over all of its flows: Authorization Code, Implicit, Client Credentials, ROPC, PKCE… and we will see live examples to end up with a complete picture of everything it offers, which will serve us when we start working with OIDC identity servers.
BSidesNoVA - Pentesting Methodology - Making bits less complicated by Octavio Paguaga
The document discusses various penetration testing techniques including:
1. Using OSINT techniques like disabling content security policies to scrape invite links from a site.
2. Checking domains with services like VirusTotal to see their categorization and reputation over time.
3. Using Azure domain fronting to hide command and control domains from network defenders.
4. Enumerating Active Directory with tools like Bloodhound to find high privilege accounts and exploit delegation.
Con Foo 2017 - Don't Lose Sleep - Secure Your REST by Adam Englander
Are you worried that your REST API may be the next victim of an attack by ruthless hackers? Don't fret. Utilizing the same standards implemented by OAuth 2.0 and OpenID Connect, you can secure your REST API. JSON Object Signing and Encryption (JOSE) is the core of a truly secure standards-based REST API. Let me show you how to ensure the data sent to and received from your API is as safe and secure as is reasonably possible.
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect" by Andreas Falk
Microservice architectures bring many benefits to software applications. But at the same time, new challenges of distributed systems have also been introduced. One of these challenges is how to implement a flexible, secure and efficient authentication and authorization scheme in such architectures.
The common solution for this is to use stateless token-based authentication and authorization by adopting standard protocols like OAuth 2.0 and OpenID Connect (OIDC).
In this talk, you will get a concise introduction into OAuth 2.0 and OIDC.
We will look at OAuth 2.0 and OIDC grant flows and discuss the differences between OAuth 2.0 and OpenID Connect. Finally, you will be introduced to the current best practices being developed by the working group.
So if you finally want to understand the base concepts of OAuth 2.0 and OIDC in a short time, then this is the talk you should go for.
Learn about HTTP/2 and its relationship to HTTP 1.1 and SPDY. Understand core features and how they benefit security and browser efficiency. More than a "what's new", this talk will leave you with an understanding of why the choices in HTTP/2 were made. You'll leave knowing what HTTP/2 is and why it is better for clients and servers.
The document provides an overview of basic web security concepts including:
1. It defines common web terms like front-end, back-end, cookies, sessions, URLs, HTTP methods, headers and status codes.
2. It discusses how cookies and sessions are used to track users and maintain state on the web.
3. It covers potential information leaks from files like robots.txt, hidden files and directories as well as techniques for searching websites like Google hacking.
4. It introduces common web vulnerabilities like XSS, CSRF and discusses how attacks are carried out and potential impacts. It also notes some PHP quirks that could be exploited if not understood.
FIWARE Wednesday Webinars - How to Secure IoT Devices by FIWARE
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
Similar to 2018 ecuador deconstruyendo y evolucionando la seguridad en servicios rest (20)
7 Recommendations for migrating your applications to Jakarta EE using Apache... by César Hernández
With the impact on the ecosystem after the migration of the javax package to jakarta in Jakarta EE 9 and the support for Java SE 11 in Jakarta EE 9.1, this session covers recommendations and strategies to help you navigate the migration process to Jakarta EE 9.1 using Apache TomEE.
Paving the road with Jakarta EE and Apache TomEE - JCON 2021 by César Hernández
- The document summarizes a presentation by César Hernández on paving the road with Jakarta EE and Apache TomEE. It discusses the context of migrating from Java EE to Jakarta EE, approaches to migration including bytecode-level tools and source code tools, and how to contribute to Jakarta EE and Apache TomEE open source projects. It promotes embracing continuous integration, delivery, and sharing learning experiences to help with the migration.
7 Recommendations for migrating your applications to Jakarta EE using Apache... by César Hernández
With the impact on the ecosystem after the migration of the javax package to jakarta in Jakarta EE 9 and the support for Java SE 11 in Jakarta EE 9.1, this session covers recommendations and strategies to help you navigate the migration process to Jakarta EE 9.1 using Apache TomEE.
Keeping Brazil's medical industry safe with MicroProfile [TDC 2021] by César Hernández
Get to know this exceptional case of migration to the cloud with MicroProfile and Jakarta EE in the Brazilian medical industry. It involves several challenges such as the fifth-largest population and largest territory in the world; complexity; and diversity, both geographic and economic. We discuss how MicroProfile projects such as Health Check, JWT Authentication, Metrics, OpenAPI, Rest Client, and Config contributed to the success of the project; what benefits they saw; the challenges they faced; and how they solved them.
Adopting or implementing new technologies in our Java-based systems has many angles of analysis that go beyond the technical.
In this session we will see 10 practical and effective ways in which you can actively contribute to the Java Cloud Native ecosystem with Jakarta EE and Apache TomEE.
With this information you will be able to make better decisions about the continuous improvement of your Java-based architectures and systems.
Paving the way with Jakarta EE and Apache TomEE - JCConf by César Hernández
Cesar Hernandez is a senior software engineer at Tomitribe who discusses his work with Jakarta EE and Apache TomEE. He provides an overview of the transition from Java EE to Jakarta EE, including the changes to namespaces. Apache TomEE is an open source Java EE application server built from Apache components that is compliant with Jakarta EE and MicroProfile. TomEE 9.0 implements the transition to the new jakarta namespaces. Resources are provided for users migrating to Jakarta EE 9 and getting involved in the open source community.
Keeping Brazil's medical industry safe with MicroProfile and Jakarta EE - Jak... by César Hernández
Get to know this exceptional case of migration to the cloud with MicroProfile and Jakarta EE in the Brazilian medical industry. It involves several challenges such as the fifth-largest population and largest territory in the world; complexity; and diversity, both geographic and economic. We discuss how MicroProfile projects such as Health Check, JWT Authentication, Metrics, OpenAPI, Rest Client, and Config contributed to the success of the project; what benefits they saw; the challenges they faced; and how they solved them.
Paving the way with Jakarta EE 9 and Apache TomEE by César Hernández
Jakarta EE 9 introduces the migration of the javax package to jakarta in the platform, impacting the ecosystem and, therefore, end users. This session covers background, recommendations and code-based strategies to help you navigate the migration of your Java Enterprise applications using Apache TomEE.
It is easy contributing to open source - JCON 2020 by César Hernández
The problem developers new to open source have is joining the community, starting to contribute, and using common open source tools. In this session, attendees will learn how to contribute and become a valuable part of any open source community. Attendees will learn soft and hard skills based on two case studies: the Eclipse MicroProfile and Apache TomEE projects. Attendees will learn to access the culture of open source projects, the expected behavior and attitude toward new contributors; how to start small, take risks, ask lots of questions; and how to get started with common open source tools like Maven, Git, and JIRA. Students will leave this workshop with the soft skills and the hard skills required to make meaningful contributions.
It is easy contributing to Open Source - ECLIPSE CON 2020 by César Hernández
The problem developers new to open source have is joining the community, starting to contribute, and using common open source tools. In this session, attendees will learn how to contribute and become a valuable part of any open source community. Attendees will learn soft and hard skills based on two case studies: the Eclipse MicroProfile and Apache TomEE projects. Attendees will learn to access the culture of open source projects, the expected behavior and attitude toward new contributors; how to start small, take risks, ask lots of questions; and how to get started with common open source tools like Maven, Git, and JIRA. Students will leave this workshop with the soft skills and the hard skills required to make meaningful contributions.
Paving the way with Jakarta EE and Apache TomEE at cloudconferenceday by César Hernández
Jakarta EE 9 introduces the migration of the javax to jakarta package in the platform, impacting the ecosystem and, therefore, the end-users. This session covers background, recommendations and code driven strategies to help you navigate the migration of your Java Enterprise applications using Apache TomEE.
Paving the way with Jakarta EE 9 and Apache TomEE 9.0.0 by César Hernández
Jakarta EE 9 introduces the migration of the javax package to jakarta in the platform, which impacts the ecosystem and, therefore, end users. This session covers background, recommendations and code-based strategies to help you navigate the migration of your Java Enterprise applications using Apache TomEE.
Creating microservices with Java MicroProfile and TomEE - CUNORI 2020 by César Hernández
In this session attendees were given the theoretical and practical foundations for creating microservices with Java, Jakarta EE and MicroProfile, using TomEE as the application server.
Paving the way with Jakarta EE and Apache TomEE - itkonekt 2020 by César Hernández
Jakarta EE 9 introduces the migration of the javax to jakarta package in the platform, impacting the ecosystem and, therefore, the end-users. This session covers background, recommendations and code driven strategies to help you navigate the migration of your Java Enterprise applications using Apache TomEE.
Creating microservices with Java MicroProfile and TomEE - OGBT by César Hernández
In this session attendees were given the theoretical and practical foundations for creating microservices with Java, Jakarta EE and MicroProfile, using TomEE as the application server.
Creating microservices with Java, MicroProfile and TomEE - Barranquilla JUG by César Hernández
In this session attendees were given the theoretical and practical foundations for creating microservices with Java, Jakarta EE and MicroProfile, using TomEE as the application server.
Creating microservices with Java and MicroProfile - Nicaragua JUG by César Hernández
In this session attendees were given the theoretical and practical foundations for creating microservices with Java, Jakarta EE and MicroProfile, using TomEE as the application server.
Keeping Brazil's medical industry safe with MicroProfile and Jakarta EE - Jak... by César Hernández
Get to know this exceptional case of migration to the cloud with MicroProfile and Jakarta EE in the Brazilian medical industry. It involves several challenges such as the fifth-largest population and largest territory in the world; complexity; and diversity, both geographic and economic. We discuss how MicroProfile projects such as Health Check, JWT Authentication, Metrics, OpenAPI, Rest Client, and Config contributed to the success of the project; what benefits they saw; the challenges they faced; and how they solved them.
Es fácil contribuir al open source - Bolivia JUG 2020César Hernández
En esta sesión impartida el 18 de Abril de 2020 compartimos con el JUG de Bolivia lo fácil que es contribuir al Opensource. Utilizamos como ejemplo dos proyecto Java: Apache TomEE y Eclipse MicroProfile.
Its easy! contributing to open source - Devnexus 2020César Hernández
The problem developers new to open source have is joining the community, starting to contribute, and using common open source tools. In this session, attendees will learn how to contribute and become valuable a part of any open source community. Attendees will learn soft and hard skills based on two case studies: Eclipse MicroProfile and Apache TomEE projects. Attendees will learn to access the culture of open source projects, expected behavior and attitude toward new contributors; how to start small, take risks, ask lots of questions; and how to get started with common open source tools like Maven, Git, and JIRA. Students will leave this workshop the soft skills and the hard skills required to make meaningful contributions.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
How Can Hiring A Mobile App Development Company Help Your Business Grow? - ToXSL Technologies
ToXSL Technologies is an award-winning Mobile App Development Company in Dubai that helps businesses reshape their digital possibilities with custom app services. As a top app development company in Dubai, we offer highly engaging iOS & Android app solutions. https://rb.gy/necdnt
Unveiling the Advantages of Agile Software Development.pdf - brainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf - VALiNTRY360
Salesforce Healthcare CRM, implemented by VALiNTRY360, revolutionizes patient management by enhancing patient engagement, streamlining administrative processes, and improving care coordination. Its advanced analytics, robust security, and seamless integration with telehealth services ensure that healthcare providers can deliver personalized, efficient, and secure patient care. By automating routine tasks and providing actionable insights, Salesforce Healthcare CRM enables healthcare providers to focus on delivering high-quality care, leading to better patient outcomes and higher satisfaction. VALiNTRY360's expertise ensures a tailored solution that meets the unique needs of any healthcare practice, from small clinics to large hospital systems.
For more info visit us https://valintry360.com/solutions/health-life-sciences
Microservice Teams - How the cloud changes the way we work - Sven Peters
A lot of technical challenges and complexity come with building a cloud-native and distributed architecture. The way we develop backend software has fundamentally changed in the last ten years. Managing a microservices architecture demands a lot of us to ensure observability and operational resiliency. But did you also change the way you run your development teams?
Sven will talk about Atlassian’s journey from a monolith to a multi-tenanted architecture and how it affected the way the engineering teams work. You will learn how we shifted to service ownership, moved to more autonomous teams (and its challenges), and established platform and enablement teams.
Most important New features of Oracle 23c for DBAs and Developers. You can get more idea from my youtube channel video from https://youtu.be/XvL5WtaC20A
Using Query Store in Azure PostgreSQL to Understand Query Performance - Grant Fritchey
Microsoft has added an excellent new extension in PostgreSQL on their Azure Platform. This session, presented at Posette 2024, covers what Query Store is and the types of information you can get out of it.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
WWDC 2024 Keynote Review: For CocoaCoders Austin - Patrick Weigel
Overview of WWDC 2024 Keynote Address.
Covers: Apple Intelligence, iOS18, macOS Sequoia, iPadOS, watchOS, visionOS, and Apple TV+.
Understandable dialogue on Apple TV+
On-device app controlling AI.
Access to ChatGPT with a guest appearance by Chief Data Thief Sam Altman!
App Locking! iPhone Mirroring! And a Calculator!!
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr... - XfilesPro
Wondering how X-Sign gained popularity in a quick time span? This eSign functionality of XfilesPro DocuPrime has many advancements to offer for Salesforce users. Explore them now!
UI5con 2024 - Bring Your Own Design System - Peter Muessig
How do you combine the OpenUI5/SAPUI5 programming model with a design system that makes its controls available as Web Components? Since OpenUI5/SAPUI5 1.120, the framework supports the integration of any Web Components. This makes it possible, for example, to natively embed own Web Components of your design system which are created with Stencil. The integration embeds the Web Components in a way that they can be used naturally in XMLViews, like with standard UI5 controls, and can be bound with data binding. Learn how you can also make use of the Web Components base class in OpenUI5/SAPUI5 to also integrate your Web Components and get inspired by the solution to generate a custom UI5 library providing the Web Components control wrappers for the native ones.
Hand Rolled Applicative User Validation Code Kata - Philip Schwarz
Could you use a simple piece of Scala validation code (granted, a very simplistic one too!) that you can rewrite, now and again, to refresh your basic understanding of Applicative operators <*>, <*, *>?
The goal is not to write perfect code showcasing validation, but rather to provide a small, rough-and-ready exercise to reinforce your muscle memory.
Despite its grandiose-sounding title, this deck consists of just three slides showing the Scala 3 code to be rewritten whenever the details of the operators begin to fade away.
The code is my rough and ready translation of a Haskell user-validation program found in a book called Finding Success (and Failure) in Haskell - Fall in love with applicative functors.
Transform Your Communication with Cloud-Based IVR Solutions - TheSMSPoint
Discover the power of Cloud-Based IVR Solutions to streamline communication processes. Embrace scalability and cost-efficiency while enhancing customer experiences with features like automated call routing and voice recognition. Accessible from anywhere, these solutions integrate seamlessly with existing systems, providing real-time analytics for continuous improvement. Revolutionize your communication strategy today with Cloud-Based IVR Solutions. Learn more at: https://thesmspoint.com/channel/cloud-telephony
Top 9 Trends in Cybersecurity for 2024.pptx - devvsandy
Security and risk management (SRM) leaders face disruptions on technological, organizational, and human fronts. Preparation and pragmatic execution are key for dealing with these disruptions and providing the right cybersecurity program.
When it is all about ERP solutions, companies typically meet their needs with common ERP solutions like SAP, Oracle, and Microsoft Dynamics. These big players have demonstrated that ERP systems can be either simple or highly comprehensive. This remains true today, but there are new factors to consider, including a promising new contender in the market that’s Odoo. This blog compares Odoo ERP with traditional ERP systems and explains why many companies now see Odoo ERP as the best choice.
What are ERP Systems?
An ERP, or Enterprise Resource Planning, system provides your company with valuable information to help you make better decisions and boost your ROI. You should choose an ERP system based on your company’s specific needs. For instance, if you run a manufacturing or retail business, you will need an ERP system that efficiently manages inventory. A consulting firm, on the other hand, would benefit from an ERP system that enhances daily operations. Similarly, eCommerce stores would select an ERP system tailored to their needs.
Because different businesses have different requirements, ERP system functionalities can vary. Among the various ERP systems available, Odoo ERP is considered one of the best in the ERP market, with more than 12 million global users today.
Odoo is an open-source ERP system initially designed for small to medium-sized businesses but now suitable for a wide range of companies. Odoo offers a scalable and configurable point-of-sale management solution and allows you to create customised modules for specific industries. Odoo is gaining more popularity because it is built in a way that allows easy customisation, has a user-friendly interface, and is affordable. Here, you will cover the main differences and get to know why Odoo is gaining attention despite the many other ERP systems available in the market.
2. #RESTSecurity @CesarHgt @tomitribe
EcuadorJUG2018
César Hernández
• Senior Software Engineer at Tomitribe
• Java Champion
• Duke's Choice Award 2016 and 2017
• Oracle Certified Professional
• 10+ years of experience with Java EE
• Open Source advocate, teacher and public speaker
5. Focus Areas
• Beyond Basic Auth
• OAuth 2.0 theory
• Introduction to JWT
• Google/Facebook style API security
• Stateless versus Stateful architecture
• HTTP Signatures
• Amazon EC2 style API security
47. Hashing Data
Takes as input a set of elements, usually strings, and maps them to a finite output range, normally strings of fixed length.
57. Access Token Now
• header (JSON > Base64 URL Encoded)
  • Describes how the token's signature can be verified
• payload (JSON > Base64 URL Encoded)
  • JSON map of whatever information you want to include
  • Standard fields such as expiration
• signature (Binary > Base64 URL Encoded)
  • The digital signature
  • Produced exclusively by the endpoint: /oauth2/token
104. Observations
• HTTP Signatures: the only HTTP-friendly approach
• Signatures do not solve the “Identity Load” problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
  • HTTP Session-like implications
• OAuth 2 with JWT
  • Signed cookie
  • Signing key to the future