apidays LIVE Australia 2021 - Accelerating Digital
September 15 & 16, 2021
Levelling up database security by thinking in APIs
Lindsay Holmwood, Chief Product Officer at Cipherstash
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ... (apidays)
apidays LIVE India 2021 - Connecting 1.3 billion digital innovators
May 20, 2021
Asynchronous and Broadcasting APIs using Kafka
Rohit Saxena, Software Development Consultant at Guardian Life
apidays LIVE New York 2021 - Top 10 API security threats every API team shoul... (apidays)
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Top 10 API security threats every API team should know
Derric Gilling, CEO at Moesif
This session is all about Gravitee.io, which consists of two modules: Gravitee.io Access Management, responsible for authentication and authorization using OAuth 2.0 and OpenID Connect, and Gravitee.io API Management, responsible for managing APIs by publishing and consuming them.
apidays LIVE Paris 2021 - Identification & Authentication for Individuals wit... (apidays)
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
Identification & Authentication for Individuals with API at eIDAS Substantial Security Level
Nicolas Bigand, CTO & COO at L'identité Numérique La Poste at Groupe La Poste
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do... (apidays)
apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare
July 28 & 29, 2021
Managing the usage of Asynchronous APIs: What does it take?
Sanjeewa Malalgoda, Architect & Associate Director at WSO
[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for ... (WSO2)
Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints.
Security itself is a broad area, and authentication and authorization are a key element of API security. Vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing. At the same time, technology stacks and industry practices are undergoing a rapid transformation: browsers are enforcing different restrictions, new privacy regulations are in place, and more. That makes the authentication and authorization best practices you relied on a few years ago obsolete now.
In these slides we will discuss:
- What is new and what is old in OAuth 2.0
- Mitigate security exploits by understanding the OAuth 2.0 threat landscape
- Pick security standards and protocols to match business needs
- Federated identities to expand business APIs beyond the corporate firewall
- Strong user authentication and authorization for API access
- Adaptive and risk-based access control for API
This document summarizes OAuth 2.0 threat landscapes and best practices for mitigation. It discusses threats such as CSRF, session injection, token leakage, IDP mix-up, and token reuse/misuse. Recommended mitigations include using the state parameter, PKCE, short-lived tokens, TLS, white-listing callback URLs, scoped tokens, audience restriction, OpenID Connect, and throttling. The document provides technical details on various OAuth 2.0 flows and threats as well as references to relevant IETF draft specifications.
apidays LIVE India - Digital Trust Infrastructure - Key to digital transforma... (apidays)
apidays LIVE India 2021 - Connecting 1.3 billion digital innovators
May 20, 2021
Digital Trust Infrastructure - Key to digital transformation
Ramesh Narayanan, CTO at Modular Open Source Identity Platform (MOSIP)
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic... (WSO2)
Client-side applications are becoming an increasingly popular technology to build applications owing to the advanced user experience that they provide consumers. Authentication and API authorization for these applications are also becoming equally popular topics that many developers have a hard time getting their heads around.
Check these slides, where Johann Nallathamby, Head of Solutions Architecture for IAM at WSO2, will attempt to demystify some complexities and misconceptions surrounding this topic and help you better understand the most important features to consider when choosing an authentication and API authorization solution for client-side applications.
These slides will review:
- The broader classification of client-side applications and their legacy and more recent authentication and API authorization patterns
- Sender-constrained token patterns
- Solution patterns being employed to improve user experience in client-side applications
apidays LIVE New York 2021 - API Management from a network Engineer's perspec... (apidays)
API management from a network engineer's perspective focuses on security, performance, reliability, and automation. Key capabilities include multi-layer security using tools like Cloud Armor, IAM, and VPC service controls; AI and machine learning to identify anomalies, predict traffic, and ensure compliance; global reach and high performance using Cloud CDN; and a hybrid multi-cloud architecture with private network peering between VPCs for low latency and separation of customer and Apigee networks.
[WSO2Con EU 2018] Blockchain in the Business API Ecosystem - API Consumption ... (WSO2)
This presentation provides a general introduction to the API Economy, to the Alastria blockchain network, and to the open source WSO2 API Manager. It also includes a demo on how to use API Manager for API consumption management and its integration with a Smart Contract deployed on the blockchain for automatic pricing of that consumption.
Digital transformation is the integration of digital technology into all areas of a business, fundamentally changing how you operate and deliver value to customers. It's also a cultural change that requires organizations to continually challenge the status quo, experiment, and get comfortable with failure.
It is essential that you integrate digital technology into all areas of business so that your business can be agile and adapt to changing circumstances. Microservices architecture gives you the agility required to build a digital business, while APIs are the enablers for turning a conventional business into a digital business. In this webinar, we will discuss how an enterprise can adopt an API-first approach for building a digital business leveraging microservices architecture.
We will explain and show the business benefits of:
- An API-first approach for building a digital business
- How microservices enable business agility
- Building and integrating your microservices
- Modernization of your legacy applications
- How to leverage the WSO2 API integration platform to build a digital business.
Watch the webinar on-demand here - https://wso2.com/library/webinars/api-first-integration-for-microservices/
The cloud is rapidly becoming the de-facto standard for deploying enterprise applications. Microservices are at the core of building cloud-native applications due to their proven advantages such as granularity, cloud-native deployment, and scalability. With the exponential growth of the consumer base of these service offerings, enforcing microservice/API security has become one of the biggest challenges to overcome.
In this deck, we discuss:
- The need for API/Microservices Security
- The importance of delegating security enforcement to an API Gateway
- API Authentication and Authorization methodologies
- OAuth2 - The de-facto standard of API Authentication
- Protection against cyber attacks and anomalies
- Security aspects to consider when designing Single Page Applications (SPAs)
Watch the webinar on-demand here - https://wso2.com/library/webinars/2019/11/api-security-in-a-cloud-native-era/
apidays LIVE Hong Kong 2021 - Digital Identity Centric Approach to Accelerate... (apidays)
apidays LIVE Hong Kong 2021 - API Ecosystem & Data Interchange
August 25 & 26, 2021
Digital Identity Centric Approach to Accelerate HKMA OpenAPI Phase3/4 Compliance
Ajay Biyani, Regional Vice President, ASEAN at ForgeRock
apidays LIVE Hong Kong - The Future of Legacy - How to leverage legacy and on... (apidays)
apidays LIVE Hong Kong - The Open API Economy: Finance-as-a-Service & API Ecosystems
The Future of Legacy - How to leverage legacy and on-prem assets in your digital transformation with Digital-Driven Integration
Zeev Avidan, Chief Product Officer of OpenLegacy
OAuth and OpenID Connect for PSD2 and Third-Party Access (Nordic APIs)
Banks are not the only ones that struggle with third-party systems needing access to their APIs. In this talk, though, Daniel will discuss how this can be done in the banking sector according to the Payment Services Directive (PSD2), and also in other sectors where trust in third parties is of great importance.
apidays LIVE Paris 2020 - Data Gateways: building “Data-as-a-Service” for the... (apidays)
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Data Gateways: building “Data-as-a-Service” for the Hybrid Cloud
Hugo Guerrero, APIs & Messaging Developer Advocate at Red Hat
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
apidays LIVE Paris - Avoid Building a Microservices Death Star by Przemek Kulik (apidays)
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society
December 8, 9 & 10, 2020
Avoid Building a Microservices Death Star
Przemek Kulik, Senior Director of Product Management at Software AG
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut... (Brian Campbell)
Identity is ubiquitous. Regardless of the kind of applications you develop, you will, at some point, almost certainly have to deal with identifying users of the app. Yet it's seldom a central part of the app’s value proposition and rarely a core competency for developers. Wouldn’t it be nice to outsource user authentication and free yourself from the liability and complexity of storing and managing passwords? OpenID Connect, just ratified earlier this year and backed by some big industry names, is emerging as the go-to standard way to do exactly that. Connect allows you to easily and securely get an answer to the question: “What is the identity of the person currently using this browser or native app?” Unlike some of its predecessors, however, Connect has roots spanning the consumer, SaaS and enterprise space and is better suited to serve a diverse set of deployments. Come find out more about Connect in this talk from a seasoned veteran of the prestigious basement conference rooms at GlueCon.
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual... (apidays)
The document discusses API security from a hacker's perspective. It notes that exploiting APIs has become easier as infrastructure security has improved, but APIs themselves are often not properly secured. The main API vulnerabilities discussed are rate limiting issues, misconfigurations, injections, authentication and authorization bypassing, and flaws in business logic flows. Critical vulnerabilities that can give attackers control include authentication/authorization issues and business logic flows. The document emphasizes that penetration testing alone is not sufficient and continuous assessment of API security is needed to identify and address vulnerabilities.
OIDF Workshop at Verizon Media -- 9/30/2019 -- OpenID Connect Federation Update (OpenID Foundation)
Roland Hedberg of Catalogix and the OpenID Foundation provided an update on OpenID Connect Federation at the OIDF Workshop at Verizon Media on Monday, September 30, 2019 in Sunnyvale, CA.
apidays LIVE New York 2021 - OWASP cautions against “insufficient logging & m... (apidays)
This document discusses strategies for addressing the OWASP top 10 security risk of insufficient logging and monitoring of APIs. It begins with an overview of OWASP A10 and challenges related to monitoring APIs, as attackers rely on a lack of monitoring. It then provides recommendations for logging from OWASP, which can be complex and costly to implement. The document outlines challenges to logging APIs and proposes best practices like combining logging with DevSecOps culture and using purpose-built API logging tools. It argues that API monitoring is key to security, continuous improvement, and resisting attacks on APIs as they increase in usage.
apidays LIVE Paris 2021 - How password managers are built for Privacy and Sec... (apidays)
apidays LIVE Paris 2021 - APIs and the Future of Software
December 7, 8 & 9, 2021
How password managers are built for Privacy and Security
Frederic Rivain, CTO at Dashlane
INTERFACE, by apidays - The future of API Management in a hybrid, multi-clou... (apidays)
INTERFACE, by apidays 2021 - It’s APIs all the way down
June 30, July 1 & 2, 2021
The future of API Management in a hybrid, multi-cloud world
Shaun Clowes, SVP of Product at Mulesoft
The Kong community is very familiar with using Kong as an ingress gateway, but what about as an egress gateway? Checkr, a Kong open source user, managed to migrate 90 percent of its egress traffic using Kong. In this session, Software Engineer Zhuojie Zhou will cover the benefits of building out an egress gateway pattern, how Kong supports egress, and how he and his team built a solution of efficient HTTP auditing through the egress gateway.
Cloud Native Application Integration With APIs (Nirmal Fernando)
Cloud native application architectures focus on building applications as microservices and running them on containers that run on dynamic orchestration platforms and utilize cloud computing functionalities. Agile DevOps and continuous delivery pipelines ensure agility and speed of application development and faster time to market. These systems follow a number of design principles to ensure they are built as loosely coupled services designed for cloud scale and performance.
A core design principle is the use of APIs for application integration. Underlying cloud orchestration layers provide certain functionalities for integration via APIs, be they RESTful or internal formats such as Protobuf, Thrift, gRPC, NATS, etc. APIs thus play an important role both for internal service communication and for integration between composite apps. A cloud-native API gateway that also provides the features of full-lifecycle API management is key.
In this deep-dive workshop, we look at the concepts of cloud-native app integration via APIs using cloud-native API management. We focus on the architecture and design concepts, followed by the implementation of API-led microservices, and then look at the runtime component, which includes DevOps, CI/CD and hybrid clouds.
OWASP Portland - OWASP Top 10 For JavaScript Developers (Lewis Ardern)
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Security is more critical than ever with new computing environments in the cloud and expanding access to the Internet. There are a number of security protection mechanisms available for MongoDB to ensure you have a stable and secure architecture for your deployment. We'll walk through general security threats to databases and specifically how they can be mitigated for MongoDB deployments.
Start Up Austin 2017: Security Crash Course and Best Practices (Amazon Web Services)
The document discusses various security best practices for visibility, least permissions, encryption, keeping systems updated, application security, office IT, and databases. It covers aggregating logs in a central location, limiting permissions through processes/files and SSH security, using encryption for data in transit and at rest, automating updates, and implementing security measures in development pipelines and the office.
How vulnerable are your systems after the first line of defense? Do attackers get a stronger foothold after each compromise? How valuable is the data your systems can leak?
“Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users.
David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence.
A good written summary of the key talking points: https://www.infoq.com/news/2016/04/oreilysacon-day-one
The Notorious 9: Is Your Data Secure in the Cloud? (BCS ProSoft)
The first part of this presentation is designed to scare the cloud out of you by talking about some of the common and often overlooked concerns with cloud security. Then we'll bring you right back by showing you how cloud technology publishers, as well as VARs like BCS ProSoft, are taking steps to mitigate potential threats and keep your business up and running 24/7/365.
Enabling Web Apps For DoD Security via PKI/CAC Enablement (Forge.Mil case study) (Richard Bullington-McGuire)
Richard Bullington-McGuire presented this talk on PKI enabling web applications for the DoD at the 2009 MIL-OSS conference:
http://www.mil-oss.org/
It is a case study that shares some of the challenges and solutions surrounding the implementation of the Forge.mil system.
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A... (MongoDB)
MongoDB introduces new capabilities that change the way micro-services interact with the database, capabilities that are either absent or exist only partially in high-end commercial databases such as Oracle. In this session I will share from my experiences building a cloud-based, multi-tenant SaaS application with extreme security requirements. We will cover topics including considerations for storing multi-tenant data in the database, best practices for authentication and authorization, and performance considerations specific to security in MongoDB.
Operations: Security Crash Course — Best Practices for Securing your Company (Amazon Web Services)
All companies should build with security and protection of customer data as the number one priority. This talk will cover a wide range of best practices from MFA, root accounts, encrypting laptops, inventory management, MDM, and incident response. You'll learn key principles of how to build a secure organization to protect your data. Don't wait until your first security incident before putting these best practices in place.
Jon McCoy - AppSec-USA-2014 Hacking C# (.NET) Applications: Defend by Design (jonmccoy)
This document outlines a presentation on securing .NET/C# applications. It discusses designing defendable systems through layered defenses, segmentation, and establishing a common security language between different teams. Examples are provided of strong versus weak software designs. The importance of security user stories and testing is emphasized to prevent vulnerabilities like SQL injection.
Will St. Clair: AWS San Francisco Startup Day, 9/7/17
Operations: Security Crash Course & Best Practices! All companies should build with security and protection of customer data as the number one priority. This talk will cover a wide range of best practices from MFA, root accounts, encrypting laptops, inventory management, MDM, and incident response. You'll learn key principles of how to build a secure organization to protect your data. Don't wait until your first security incident before putting these best practices in place.
OWASP Top 10 - 2017 Top 10 web application security risks (Kun-Da Wu)
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs you on the OWASP Top 10 - 2017 so you can learn more about these important security issues.
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203 (Arnaud Le Hors)
This presentation gives a quick technical overview of what Hyperledger Fabric is about and how to get started using it to develop a blockchain application.
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure (MongoDB)
Your MongoDB Community Edition database can probably be a lot more secure than it is today, since Community Edition provides a wide range of capabilities for securing your system, and you are probably not using them all. If you are worried about cyber-threats, take action to reduce your anxiety!
Windows Azure SQL Database for Beginners (tips & tricks)
The document provides an overview and introduction to Windows Azure SQL Database including:
- Key features such as scalability, availability, data protection, and programmatic DBA functionality.
- Performance levels are described in DTU (database transaction units) with different tiers for Basic, Standard, and Premium databases.
- Limitations are discussed around database sizing, collations, logins/users, and compatibility with on-premises SQL Server features.
Secure Communication with an Insecure Internet Infrastructure (webhostingguy)
The document discusses Perspectives, a system that aims to strengthen SSH-style host authentication by using multiple network notaries to monitor and verify public keys for hosts. It describes how Perspectives works, including how notaries probe hosts to monitor keys over time, how clients query notaries to check key consistency, and how this approach provides improved security compared to traditional PKI or SSH-style authentication alone while retaining simplicity and low cost.
Here you can find the slides that accompany my “SPA Secure Coding Guide”; this presentation goes through a set of security best practices specifically targeted at developing Angular applications with ASP.Net Web API backends.
It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation.
It first introduces general threat modelling before explaining the most current types of attacks that Asp.Net Web API is vulnerable to.
It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.
SQL Server 2017 will be available on Linux, providing customers choice in platforms. It will include the database engine, integration services and support for technologies like in-memory processing and always encrypted. The same SQL Server licenses can be used on Windows or Linux, with previews available free of charge. Early adopters can test SQL Server 2017 on Linux through a special program and provide feedback to Microsoft.
Towards Securing Computer Network Environment By Using Kerberos-based Network... (FATIN FAZAIN MOHD AFFANDI)
This document discusses securing computer networks by implementing a Kerberos-based authentication protocol. It begins with an introduction that outlines the need for secure authentication when transmitting passwords over insecure networks. The document then reviews related work on authentication protocols like PAP, CHAP, and Kerberos. The proposed methodology will analyze Kerberos architecture and involve setting up Kerberos servers to validate user and server authentication. The expected results are that implementing Kerberos will securely authenticate users and prevent unauthorized access to protected resources.
Similar to apidays LIVE Australia 2021 - Levelling up database security by thinking in APIs by Lindsay Holmwood, Cipherstash (20)
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring The... (apidays)
Sustainable IT and API Performance - How to Bring Them Together
Merja Kajava, Founder - Aavista Oy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finn... (apidays)
Keynote 1: APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines, ShortSea
Vesa Vähämaa, Head of Group IT, Software at Finnlines Plc
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security... (apidays)
From Chaos to Calm: Navigating Emerging API Security Challenges
Eli Arkush, Principal Solutions Engineer, API Security at Akamai
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - What is next now that your organization created a (si... (apidays)
What is next now that your organization created a (significant) set of APIs?
Rogier van Boxtel, Director, Pre Sales Consulting - Axway
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - There’s no AI without API, but what does this mean fo... (apidays)
There’s no AI without API, but what does this mean for Security?
Timo Rüppell, VP of Product - FireTail.io
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovs... (apidays)
Security Vulnerabilities in your APIs
Lukáš Ďurovský, Staff Software Engineer at Thermo Fisher Scientific
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giral... (apidays)
Data, API’s and Banks, with AI on top
Sergio Giraldo, IT Lead - ING
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli ... (apidays)
Data Ecosystems Driving the Green Transition
Olli Kilpeläinen, VP - Data Platform & Ecosystem at Betolar
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Tes... (apidays)
Bridging the Gap Between Backend and Frontend API Testing with K6
Ayush Goyal, Senior Software Engineer - Grafana Labs
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango (apidays)
API Compliance by Design
Marjukka Niinioja, APItalista & Founding Partner - Osaango
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hann... (apidays)
ABLOY goes API economy – Transformation story
Hanna Sillanpää, Head of Digital Solutions PU - Abloy
Apidays Helsinki & North 2024 - Connecting Physical and Digital: Sustainable APIs for the Era of AI, Super and Quantum Computing (May 28 and 29, 2024)
Apidays New York 2024 - The subtle art of API rate limiting by Josh Twist, Zuplo (apidays)
The subtle art of API rate limiting
Josh Twist, Co-founder & CEO at Zuplo
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - RESTful API Patterns and Practices by Mike Amundsen, ... (apidays)
RESTful API Patterns and Practices
Mike Amundsen, Author of "Design and Build Great APIs", API Strategist & Advisor at amundsen.com, Inc.
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Putting AI into API Security by Corey Ball, Moss Adams (apidays)
Putting AI into API Security
Corey Ball, Author and Sr. Manager Pentest at Moss Adams
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Prototype-first - A modern API development workflow b... (apidays)
Prototype-first - A modern API development workflow
Tom Akehurst, CTO and Co-Founder at WireMock
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Post-Quantum API Security by Francois Lascelles, Broa... (apidays)
Post-Quantum API Security: Preparing your APIs for Q-day
Francois Lascelles, Distinguished Engineer at Broadcom and CTO at Layer7
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Increase your productivity with no-code GraphQL mocki... (apidays)
Increase your productivity with no-code GraphQL mocking
Hugo Guerrero, Chief Software Architect, APIs & Integration Developer Advocate at Red Hat
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Driving API & EDA Success by Marcelo Caponi, Danone (apidays)
Driving API & EDA Success: Comparing CoE & C4E Models for Organizational Enablement
Marcelo Caponi, Global Product Manager - API & Integration at Danone
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - Build a terrible API for people you hate by Jim Benne... (apidays)
Build a terrible API for people you hate
Jim Bennett, Principal Developer Advocate at liblab
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
Apidays New York 2024 - API Secret Tokens Exposed by Tristan Kalos and Antoin... (apidays)
API Secret Tokens Exposed: Insights from Analyzing 1 Million Domains
Tristan Kalos, Co-founder and CEO at Escape
Antoine Carossio, Co-Founder & CTO at Escape
Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024)
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge Capture & Transfer
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an... (Jason Yip)
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
High performance Serverless Java on AWS- GoTo Amsterdam 2024 (Vadym Kazulkin)
Java has for many years been one of the most popular programming languages, but it used to have a hard time in the Serverless community. Java is known for its high cold start times and high memory footprint compared to other programming languages like Node.js and Python. In this talk I'll look at the general best practices and techniques we can use to decrease memory consumption and cold start times for Java Serverless development on AWS, including GraalVM (Native Image) and AWS's own offering SnapStart, based on Firecracker microVM snapshot and restore and CRaC (Coordinated Restore at Checkpoint) runtime hooks. I'll also provide a lot of benchmarking on Lambda functions, trying out various deployment package sizes, Lambda memory settings, Java compilation options and HTTP (a)synchronous clients, and measure their impact on cold and warm start times.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors (DianaGray10)
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
- Creating a compelling user experience for any software, without the limitations of APIs.
- Accelerating the app creation process, saving time and effort.
- Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels (Northern Engraving)
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
"Choosing proper type of scaling", Olena Syrota (Fwdays)
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf (Chart Kalyan)
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc... (DanBrown980551)
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Essentials of Automations: Exploring Attributes & Automation Parameters (Safe Software)
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
The Microsoft 365 Migration Tutorial For Beginner.pptx (operationspcvita)
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Fueling AI with Great Data with Airbyte Webinar (Zilliz)
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
5. New York
JULY
Australia
SEPTEMBER
Singapore
APRIL
Helsinki & North
MARCH
Paris
DECEMBER
London
OCTOBER
Jakarta
FEBRUARY
Hong Kong
AUGUST
JUNE
India
MAY
Check out our API Conferences here
50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees,
300k+ online community
Want to talk at one of our conferences?
Apply to speak here
6. The landscape is changing
○ Compliance requirements (e.g., GDPR, CCPA) are becoming more stringent
○ Ransomware cost $20B globally in 2020
○ Attackers are becoming more sophisticated (exploiting supply chains, brokering access) and are moving faster
Notable breaches
● 2015 Anthem Health: 80 million health records
● 2020 Nintendo: 160,000 user accounts exposed
● 2020 BigFooty.com: 132GB sensitive data in Elastic
● 2020 Antheus Tecnologia: 81.5 million personal records
● 2019 CapitalOne: 100m personal records
7. Case study: Vastaamo
In 2020, over 300,000 patient records (including detailed consult notes) were leaked and used to extort users.
Vastaamo’s system violated one of the “first principles of cybersecurity”: It didn’t anonymize the records. It didn’t even encrypt them. The only thing protecting patients’ confessions and confidences were a couple of firewalls and a server login screen.
Mikael Koivukangas, OneSys Medical
9. Techniques sorted by breach
Source: IBM Cost of a Data Breach Report 2021
Compromised credentials
10. Compromised credentials
Attackers use stolen credentials to gain access to a target.
Credentials can come from:
● Public data breaches
● Version control
● BEC & phishing
● Password stores
Average time to discovery: 250 days
Source: IBM Cost of a Data Breach report 2021
Source: MITRE ATT&CK
11. Cloud misconfiguration
Types of misconfiguration:
● Default
● Unused features
● Untested
Can be used to:
● Expose information
● Gain access
Average time to discovery: 186 days
Source: IBM Cost of a Data Breach report 2021
Source: OWASP Top Ten
12. SQL injection
Malicious user input used in SQL queries.
Can be used to:
● Exfil data
● Tamper with data
● Escalate privileges
Average time to discovery: 154 days
Source: IBM Cost of a Data Breach report 2021
Source: OWASP Top Ten
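A vulnerable search beside its hardened counterpart, as an added example that is not from the deck: the hardened version only accepts a typed request modelled on the protobuf-style SearchRequest shown later in the talk, so the query string can only ever reach the database as a bound value. The dataclass, its int32 range check and the sqlite sample table are constructed for this example.

```python
import sqlite3
from dataclasses import dataclass

INT32_MAX = 2**31 - 1  # range a protobuf int32 field would enforce on the wire


@dataclass(frozen=True)
class SearchRequest:
    """Typed request, modelled on the deck's SearchRequest message (constructed)."""
    query: str
    page_number: int = 1
    result_per_page: int = 10

    def __post_init__(self) -> None:
        # Reject what a strongly typed transport would never have let through.
        if not isinstance(self.query, str):
            raise TypeError("query must be a string")
        for value in (self.page_number, self.result_per_page):
            if not isinstance(value, int) or not 1 <= value <= INT32_MAX:
                raise ValueError("paging fields must be positive int32 values")


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a real search index.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (url TEXT, title TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", [
        ("https://example.invalid/a", "Ada Lovelace"),
        ("https://example.invalid/b", "Charles Babbage"),
        ("https://example.invalid/c", "internal payroll export"),
    ])
    return conn


def search_unsafe(conn: sqlite3.Connection, query: str) -> list:
    # Vulnerable: the input is spliced into the SQL text, so quote characters
    # in it change the statement's structure instead of being compared as data.
    sql = f"SELECT url, title FROM docs WHERE title LIKE '%{query}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, req: SearchRequest) -> list:
    # Hardened: the query travels as a bound parameter and can only ever be a
    # value; paging fields were range-checked when the request was built.
    offset = (req.page_number - 1) * req.result_per_page
    return conn.execute(
        "SELECT url, title FROM docs WHERE title LIKE '%' || ? || '%' "
        "LIMIT ? OFFSET ?",
        (req.query, req.result_per_page, offset),
    ).fetchall()
```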
13. Person in the Middle
Observer can:
○ view data in transit
○ manipulate data in request/response
Source: OWASP Top Ten
14. Denial of Service
Make the service unavailable for legitimate users
Resource exhaustion (network, CPU, memory, storage, IO)
Can be used as cover for remote code execution and data exfil
Source: OWASP Top Ten
15. What are the big API security advances in the last decade?
18. Serialisation formats
Strongly typed communication for:
● Network transport
● Storage
Reduces attack surface, to mitigate attacks like
● SQL injection
19. Example: Protocol Buffers
Binary representation of data structures:
1. Describe data structure using built-in types
2. Compile bindings for languages
3. Encode/decode data structure in efficient binary format
Supports basic backwards compatibility via tags.
syntax = "proto2";
service SearchService {
  rpc Search(SearchRequest) returns (SearchResponse);
}
message SearchRequest {
  required string query = 1;
  optional int32 page_number = 2;
  optional int32 result_per_page = 3;
}
message SearchResponse {
  repeated Result results = 1;
}
message Result {
  optional string url = 1;
  optional string title = 2;
  repeated string snippets = 3;
}
20. Example: BSON
Lightweight binary representation of data structures.
Binary encoding of JSON-like data (includes field names in encoded data).
Handle marshal/unmarshal in each language.
{"hello": "world"} →
\x16\x00\x00\x00 // total document size
\x02 // 0x02 = type String
hello\x00 // field name
\x06\x00\x00\x00world\x00 // field value
\x00 // 0x00 = type EOO
22. Serialisation formats for databases
Build secure clients, faster:
● Automatically generate clients for different languages
● Automatically generate documentation
● Backwards compatibility baked in
23. Serialisation formats — defend against:
Deserialization attacks:
● Injection — data injection, only support primitive data types
● Privilege escalation — gaining RCE through object deserialisation
Denial of Service attacks:
● Resource exhaustion — drop and log bad deserialisations
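An added strict decoder for the BSON subset shown on the BSON slide (string and int32 fields), written for this page rather than taken from the deck or from any BSON library. It applies the rules above: only primitive types are accepted, every declared length is checked against the buffer before it is used, and bad input is dropped and logged rather than passed on. The size limit is a constructed assumption.

```python
import logging
import struct

log = logging.getLogger("bson")
MAX_DOC_BYTES = 16 * 1024 * 1024        # assumed cap: refuse oversized documents up front
TYPE_EOO, TYPE_STRING, TYPE_INT32 = 0x00, 0x02, 0x10


class BsonError(ValueError):
    """Any malformed input: the caller drops the message and logs it."""


def decode_document(buf: bytes) -> dict:
    """Strictly decode a flat BSON document of string and int32 fields."""
    if len(buf) < 5:
        raise BsonError("document shorter than its header")
    (size,) = struct.unpack_from("<i", buf, 0)
    # Declared size must equal what we were handed: no trailing bytes to hide
    # data in, and no claimed length that would make us read past the buffer.
    if size != len(buf) or size > MAX_DOC_BYTES or buf[-1] != TYPE_EOO:
        raise BsonError(f"bad size {size} or missing EOO for {len(buf)} bytes")
    out, pos, last = {}, 4, size - 1          # `last` is the EOO byte's offset
    while pos < last:
        etype = buf[pos]
        end = buf.find(b"\x00", pos + 1)      # field names are NUL-terminated
        if end < 0:
            raise BsonError("unterminated field name")
        name, pos = buf[pos + 1:end].decode("utf-8"), end + 1
        if pos + 4 > last:
            raise BsonError(f"truncated value for field {name!r}")
        if etype == TYPE_STRING:
            (slen,) = struct.unpack_from("<i", buf, pos)   # length includes trailing NUL
            if slen < 1 or pos + 4 + slen > last or buf[pos + 3 + slen] != 0:
                raise BsonError(f"bad string length {slen} in field {name!r}")
            out[name] = buf[pos + 4:pos + 3 + slen].decode("utf-8")
            pos += 4 + slen
        elif etype == TYPE_INT32:
            (out[name],) = struct.unpack_from("<i", buf, pos)
            pos += 4
        else:
            # Unknown type: refuse rather than guess. Only primitive types are
            # supported, so there is no object graph for a gadget to live in.
            raise BsonError(f"unsupported element type 0x{etype:02x}")
    return out


def decode_or_drop(buf: bytes):
    """Drop and log bad deserialisations instead of passing them on."""
    try:
        return decode_document(buf)
    except (BsonError, UnicodeDecodeError) as exc:
        log.warning("dropped malformed BSON (%d bytes): %s", len(buf), exc)
        return None
```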
24. Serialisation formats — but also consider:
Defence in depth:
● Use strongly typed languages to stop injection attacks propagating from client to server
“New” attacks like request smuggling
30. Example: GraphQL
“Query language for APIs”
Single API endpoint.
Clients request the data and the structure.
New fields and types can be added without affecting existing queries.
Query:
{
  person {
    name
    height
  }
}
Response:
{
  "person": {
    "name": "Ada Lovelace",
    "height": 166
  }
}
32. RPC for databases
Ensure protocol compatibility between client and server
● Force clients to upgrade to latest versions
Reduce attack surface
● To only what the endpoint explicitly exposes
● Stop enumeration
33. RPC: defend against
Broken authentication
● Session timeouts to limit foothold, through short lived tokens
Broken access controls
● Privilege escalation, through scoped credentials
Denial of service
● Strict encoding and deserialization
● Logging of deserialization failures
34. RPC: but also consider
gRPC reflection
● Enumerates gRPC services
● Exposes protobufs in human readable format (arguments, fields)
You can use this now!
● ProfaneDB defines schema in protobufs and talks gRPC
39. Auth for databases
Don’t roll your own auth — use third party identity provider
Untrusted clients, trusted servers:
● Client authenticates to IDP
● IDP sets up session with database
● Database is ignorant of users — only knows if IDP gives an OK
40. Auth for databases
Benefits:
● Less code, lower ongoing costs
● Database is integrated with broader organisational IAM controls
You can use this now!
● MongoDB, OpenSearch, CouchDB all support JWT authentication
41. Auth — defend against:
Broken authentication
● Limit impact of compromised credentials and account takeovers
⬆ involved in 20% of all breaches
Broken access controls
● Privilege escalation, through strictly scoped credentials
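The "untrusted clients, trusted servers" flow from the Auth slides, as an added example that is not from the deck or from any of the databases it names: the database side verifies an IdP-issued HS256 JWT using only the standard library, pins the algorithm, enforces expiry and audience, and checks a scope claim per operation, so it never has to know who the user is. The shared key, issuer, audience and "operation:collection" scope format are constructed assumptions; mint_test_token only stands in for the IdP.

```python
import base64
import hashlib
import hmac
import json
import time


class AuthError(Exception):
    """Token rejected: the database only learns whether the IdP vouched for it."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_idp_token(token: str, key: bytes, issuer: str, audience: str,
                     now: float = None) -> dict:
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        signature = b64url_decode(s64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise AuthError("malformed token") from exc
    # Pin the algorithm: the verifier, not the token, decides how to verify.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected algorithm")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    if not isinstance(payload, dict) or payload.get("iss") != issuer \
            or payload.get("aud") != audience:
        raise AuthError("token not issued for this database")
    # Short-lived tokens: expiry is mandatory and enforced at the database.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("token expired or carries no expiry")
    return payload


def authorise(payload: dict, operation: str, collection: str) -> bool:
    """Scoped credentials: a token may do only what its scope claim lists."""
    return f"{operation}:{collection}" in payload.get("scope", "").split()


def mint_test_token(key: bytes, claims: dict) -> str:
    """Constructed stand-in for the IdP, used only to exercise the verifier."""
    def enc(obj): return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```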
43. TLS before
Certs were costly!
Economise by not using TLS everywhere:
● TLS termination at your load balancers
● Unencrypted from load balancers onwards
Poor automation for managing cert lifecycle
Poor visibility into certificate supply chain
44. TLS now
Certificates are basically free
Proliferation of end-to-end TLS
Better developer experience for the entire lifecycle:
○ Let’s Encrypt — automates nearly the entire cert lifecycle
○ mkcert — can use certs in local dev
Certificate Transparency logs create supply chain visibility
46. TLS for databases
Terminate TLS in the database server itself
Handle the cert lifecycle in the database server itself
Use well-automated PKI infrastructure
Strictly use Forward Secrecy ciphers (ECDHE, DHE)
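The forward secrecy recommendation above as an added Python ssl example (not from the deck): a legacy server context that still allows static RSA key exchange beside a database-side context restricted to ephemeral (EC)DHE suites on TLS 1.2 and above, with a check that inspects what each context would actually negotiate. The cipher strings are my assumptions; pass the paths of your own cert and key (for instance one issued by Let's Encrypt or mkcert) to load them.

```python
import ssl

# Weak: static RSA key exchange, so a leaked server key decrypts recorded traffic.
LEGACY_CIPHERS = "AES256-GCM-SHA384:AES128-GCM-SHA256"
# Forward secrecy only: every TLS 1.2 suite negotiates a fresh (EC)DH key.
FS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"


def legacy_tls_context() -> ssl.SSLContext:
    """The 'before' configuration: TLS is on, but the suites lack forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def database_tls_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server-side context for terminating TLS inside the database process."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0 and 1.1 stay off
    ctx.set_ciphers(FS_CIPHERS)   # TLS 1.3 suites are all forward secret and stay enabled
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # cert issued by your automated PKI
    return ctx


def forward_secrecy_only(ctx: ssl.SSLContext) -> bool:
    """True when no negotiable TLS 1.2 suite uses static RSA key exchange."""
    return all(
        c["name"].startswith(("ECDHE-", "DHE-"))
        for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"
    )


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Report the floor the context enforces, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name
```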
47. TLS: defend against
Sensitive data exposure:
● Observer can view data in transit (PITM)
Injection attacks:
● Attacker can inject data into request/response (PITM)
Replay attacks (with TLS 1.2):
● Attacker can perform operations repeatedly
Impersonation:
● Monitor cert transparency logs for compromised CAs
48. TLS: but also consider
Easier passive asset discovery:
● Cert transparency logs fasttrack some asset discovery
$ subfinder -silent -d cipherstash.com
discuss.cipherstash.com
landing.cipherstash.com
docs.cipherstash.com
dev.cipherstash.com
50. Expose database to the network?
“never trust, always verify”
Build all your systems like they are connected to the public internet
All input is untrusted — sanitise everything
51. Thank you!
🙋 What questions do you have?
💖 the talk? Let @auxesis know.
53. Appendix: JWT-based database authentication
● Custom JWT Authentication [docs.mongodb.com]
● Use JSON Web Tokens (JWTs) to Authenticate in Open Distro for Elasticsearch and Kibana [aws.amazon.com]
● Authentication — Apache CouchDB [docs.couchdb.org]
55. Other security advances
● Web Application Firewalls
● Infracode static analysis
○ Semgrep
● Reproducible builds
○ Bazel