This document discusses how automated requests from bots and spiders can unexpectedly load servers. It begins by describing the nature of automated requests, including search engine crawlers, RSS readers, APIs, and security scans. It notes the high volume of requests bots can generate by hitting all pages of a site daily. The document outlines both general impacts on resources and specific impacts for ColdFusion, such as creating many sessions without cookies. It provides suggestions for observing bot traffic through web server logs, tracking sessions, and mitigating impacts through techniques like robots.txt, caching, and bot-blocking services.
Best And Worst Practices Building Ria with Adobe and MicrosoftJosh Holmes
Come listen to leading Rich Internet Applications (RIA) experts from Microsoft and Adobe discuss many of the best and worst practices when building RIAs. RIAs provide a similar user experience to traditional desktop applications combined with the ease of deployment of web/browser based applications. This produces a fair amount of confusion because there are a number of potentially conflicting practices depending on whether you approach your RIA as a desktop or a web application. This session dives into the definition of RIA and walks through the best and worst practices that have appeared over and over again. We will explore architectural patterns and practices such as state management, fault tolerance, service composition, communications protocols and message formats and goes into details on how RIAs can be developed using runtime environments such as Adobe AIR or Microsoft Silverlight.
For more read our blogs at
http://www.jamesward.com
http://www.joshholmes.com
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Best And Worst Practices Building Ria with Adobe and MicrosoftJosh Holmes
Come listen to leading Rich Internet Applications (RIA) experts from Microsoft and Adobe discuss many of the best and worst practices when building RIAs. RIAs provide a similar user experience to traditional desktop applications combined with the ease of deployment of web/browser based applications. This produces a fair amount of confusion because there are a number of potentially conflicting practices depending on whether you approach your RIA as a desktop or a web application. This session dives into the definition of RIA and walks through the best and worst practices that have appeared over and over again. We will explore architectural patterns and practices such as state management, fault tolerance, service composition, communications protocols and message formats and goes into details on how RIAs can be developed using runtime environments such as Adobe AIR or Microsoft Silverlight.
For more read our blogs at
http://www.jamesward.com
http://www.joshholmes.com
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Account Entrapment - Forcing a Victim into an Attacker’s AccountDenim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it. Presented by Ben Broussard, CISSP of Denim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Sharing our agency experience of developing secure web applications for some of the UK's leading high street banks and brands with a focus on the pitfalls you face when developing code in PHP. The talk will contain specific details on the many attack vectors that hackers will use to attempt to access and exploit your site and how you can improve your development process to avoid them.
Topics covered will include some old chestnuts like XSS (Cross Site Scripting) and SQL injection through to issues like aSession Hijacking.
The talk is aimed at developers who have perhaps not truly considered security of their applications before to developers who would like to extend their knowledge. The talk is aimed at software developers and will contain practical code-based examples and solutions.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
The Nitty Gritty of Affiliate Marketing ComplianceAffiliate Summit
We’ll review the ground-up approach for implementing compliance methods for your affiliate program, from setting policies to how-to’s of monitoring and detection.
Experience level: Beginner
Target audience: Merchants/Advertisers
Niche/vertical: Compliance
Kellie Stevens, President, AffiliateFairPlay.com (Twitter @KellieAFP)
Presentation on monitoring the web, including synthetic, UEUM, web analytics, interaction analysis. Given at www.meshconference.com/meshu on May 20, 2008
Building Reliability - The Realities of ObservabilityAll Things Open
Presented at Open Source South Carolina
Presented by Jeremy Proffit, Director of DevSecOps & SRE for Customer Care and Communications, Ally
Title: Building Reliability - The Realities of Observability
Abstract: Join me as we discuss true observability, learn what works and what doesn't. We'll not only discuss dashboards, monitoring and alerting, but how these can be built by automation or included in your IAC modules. We'll talk about how to properly alert staff based on priority to keep your staff and yourself sane. And even discuss architecture and how it impact reliably and why serverless isn't always the best at being reliable.
Building Reliability - The Realities of ObservabilityAll Things Open
Presented at the ATO RTP Meetup
Presented by Jeremy Proffit, Director of DevSecOps & SRE for Customer Care and Communications, Ally
Title: Building Reliability - The Realities of Observability
Abstract: Join me as we discuss true observability, learn what works and what doesn't. We'll not only discuss dashboards, monitoring and alerting, but how these can be built by automation or included in your IAC modules. We'll talk about how to properly alert staff based on priority to keep your staff and yourself sane. And even discuss architecture and how it impacts reliably and why serverless isn't always the best at being reliable.
Did you know 30% of Ecommerce website visitors are unsavory competitors, hackers, and fraudsters?
Fact is, online retailers are particularly susceptible to the effects of advanced bot threats, including competitive tactics like price scraping, product matching, variation tracking and availability targeting. Even worse, security breaches such as transaction fraud and account takeovers endanger the overall security of your website, customer base, and brand.
When aggressive scrapers caused repeated site slowdowns, Brian Gress, Director of IT Systems & Governance at Hayneedle, said enough was enough.
Key takeaways include how to:
- Stop competitors from scraping your prices and monitoring your inventory
- Reduce chargeback fees due to transaction fraud, carding and account hijacking
- Optimize your conversion funnel and enjoy clean analytics and KPIs
- Protect your brand image, reputation and SEO rankings
Advanced Error Handling Strategies for ColdFusion Mary Jo Sminkey
A number of years ago I presented a talk at cfObjective on building an advanced, custom CF error handler. This talk will go above and beyond that, covering not just CF but JS/Ajax and SQL Server error logging and strategies for debugging errors on live sites. Developers should come away from this talk with lots of ideas for both custom code they can add to their sites as well a variety of open source and 3rd party solutions for error logging and use site analytics to track and fix issues on their live sites. Blog articles expanding on the information presented in this talk will also be published concurrent with the presentation at coldfusionmuse.com.
The Retail Strategy and Planning Series is designed to provide retail executives with the tactical tips, insights, metrics and trend data needed to guide 2017 strategies. Tune into Are Bot Operators Eating Your Lunch? and learn how to protect your brand image, reputation and SEO rankings from bad bots: rtou.ch/2c5cPmx.
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Caktus Group
Keeping users happy after your site launches is easier if you know about problems before users complain. This presentation by Caktus developer Dan Poirier, delivered at PyTennessee 2018, lays out which problems you may want to be notified about and a number of tools that can help.
Account Entrapment - Forcing a Victim into an Attacker’s AccountDenim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it. Presented by Ben Broussard, CISSP of Denim Group
Account Entrapment: Forcing a Victim into an Attacker's Account. This talk answers the questions: why would anyone do this, wouldn't the victim notice, how does it work, and how do we protect against it.
Sharing our agency experience of developing secure web applications for some of the UK's leading high street banks and brands with a focus on the pitfalls you face when developing code in PHP. The talk will contain specific details on the many attack vectors that hackers will use to attempt to access and exploit your site and how you can improve your development process to avoid them.
Topics covered will include some old chestnuts like XSS (Cross Site Scripting) and SQL injection through to issues like aSession Hijacking.
The talk is aimed at developers who have perhaps not truly considered security of their applications before to developers who would like to extend their knowledge. The talk is aimed at software developers and will contain practical code-based examples and solutions.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
The Nitty Gritty of Affiliate Marketing ComplianceAffiliate Summit
We’ll review the ground-up approach for implementing compliance methods for your affiliate program, from setting policies to how-to’s of monitoring and detection.
Experience level: Beginner
Target audience: Merchants/Advertisers
Niche/vertical: Compliance
Kellie Stevens, President, AffiliateFairPlay.com (Twitter @KellieAFP)
Presentation on monitoring the web, including synthetic, UEUM, web analytics, interaction analysis. Given at www.meshconference.com/meshu on May 20, 2008
Building Reliability - The Realities of ObservabilityAll Things Open
Presented at Open Source South Carolina
Presented by Jeremy Proffit, Director of DevSecOps & SRE for Customer Care and Communications, Ally
Title: Building Reliability - The Realities of Observability
Abstract: Join me as we discuss true observability, learn what works and what doesn't. We'll not only discuss dashboards, monitoring and alerting, but how these can be built by automation or included in your IAC modules. We'll talk about how to properly alert staff based on priority to keep your staff and yourself sane. And even discuss architecture and how it impact reliably and why serverless isn't always the best at being reliable.
Building Reliability - The Realities of ObservabilityAll Things Open
Presented at the ATO RTP Meetup
Presented by Jeremy Proffit, Director of DevSecOps & SRE for Customer Care and Communications, Ally
Title: Building Reliability - The Realities of Observability
Abstract: Join me as we discuss true observability, learn what works and what doesn't. We'll not only discuss dashboards, monitoring and alerting, but how these can be built by automation or included in your IAC modules. We'll talk about how to properly alert staff based on priority to keep your staff and yourself sane. And even discuss architecture and how it impacts reliably and why serverless isn't always the best at being reliable.
Did you know 30% of Ecommerce website visitors are unsavory competitors, hackers, and fraudsters?
Fact is, online retailers are particularly susceptible to the effects of advanced bot threats, including competitive tactics like price scraping, product matching, variation tracking and availability targeting. Even worse, security breaches such as transaction fraud and account takeovers endanger the overall security of your website, customer base, and brand.
When aggressive scrapers caused repeated site slowdowns, Brian Gress, Director of IT Systems & Governance at Hayneedle, said enough was enough.
Key takeaways include how to:
- Stop competitors from scraping your prices and monitoring your inventory
- Reduce chargeback fees due to transaction fraud, carding and account hijacking
- Optimize your conversion funnel and enjoy clean analytics and KPIs
- Protect your brand image, reputation and SEO rankings
Advanced Error Handling Strategies for ColdFusion Mary Jo Sminkey
A number of years ago I presented a talk at cfObjective on building an advanced, custom CF error handler. This talk will go above and beyond that, covering not just CF but JS/Ajax and SQL Server error logging and strategies for debugging errors on live sites. Developers should come away from this talk with lots of ideas for both custom code they can add to their sites as well a variety of open source and 3rd party solutions for error logging and use site analytics to track and fix issues on their live sites. Blog articles expanding on the information presented in this talk will also be published concurrent with the presentation at coldfusionmuse.com.
The Retail Strategy and Planning Series is designed to provide retail executives with the tactical tips, insights, metrics and trend data needed to guide 2017 strategies. Tune into Are Bot Operators Eating Your Lunch? and learn how to protect your brand image, reputation and SEO rankings from bad bots: rtou.ch/2c5cPmx.
Teach Your Sites to Call for Help: Automated Problem Reporting for Online Ser...Caktus Group
Keeping users happy after your site launches is easier if you know about problems before users complain. This presentation by Caktus developer Dan Poirier, delivered at PyTennessee 2018, lays out which problems you may want to be notified about and a number of tools that can help.
The control panel is a vital part of any web hosting account. Without some sort of control panel, you would not be able to do very much. The control panel is where you perform actions on your website, such as creating email accounts, creating databases, setting up security, and many other things
"Atomization" - a new trend in online marketing and how to exploit itEconsultancy
A 53-slide presentation by Internet Authtor and CEO of E-consultancy.com Ashley Friedlein looking at what he calls 'atomisation'. Ashley shows how internet content and services are increasingly being 'atomised' across the internet; your would-be site users are consuming your content in many other places than your actual site. So what can you do about it? How can you embrace this trend?
Hide and seek - Attack Surface Management and continuous assessment.Eoin Keary
Attack surface management and visibility is key to maintaining a robust cyber security posture. Continuous assessment, accuracy and scale are key to enterprise security.
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Securing your Kubernetes cluster_ a step-by-step guide to success !
Are spiders eating your server
1. ARE SPIDERS EATING YOUR
SERVERS?
THE IMPACT OF THEIR UNEXPECTED LOAD
AND HOW TO COUNTER IT
Charlie Arehart, Independent Consultant
CF Server Troubleshooter
charlie@carehart.org
@carehart (Tw, Fb, Li, Slack)
Updated July 17, 2017
3. THERE IS GOOD NEWS
Good news: there are solutions to mitigate impact, perhaps reduce load
That said, some automated requests are getting smarter, harder to control
Beware: think your intranet/private/login-required site is safe from impact?
We’ll cover all this and more in this talk
4. ABOUT ME
Focus on CF server troubleshooting, as an independent consultant
Satisfaction guaranteed. More on rates, approach, etc at carehart.org/consulting
Love to share info, with my clients and the community
Contributor to/creator of many CF community resources
Online CFMeetup, CF411.com, UGTV, CF911.com, CFUpdate.com, and more
I’m also manning the Intergral (FusionReactor) booth for them
5. TOPICS
Understanding automated requests
The nature of such automated requests (many, varied, not always friendly)
How we can generally identify such requests
Their generally unexpected volume
The impact of such request volume, CF-specific and more generally
Observing the volume in your environment
Dealing with automated requests: tools and techniques
Preventing undesirable ones
Mitigating the impact of expected ones, CF-specifically and more generally
Resources for more
Slides at carehart.org/presentations
7. THE NATURE OF SUCH AUTOMATED
REQUESTS: CRAWLERS
Of course most common automated agents are search engine crawlers
The intent/approach of such search engine crawlers/bots/spiders
There are many:
Some legit and desirable (google, bing, yahoo, etc.)
Some legit but maybe not your market: Yandex (Russian search engine), Baidu
(China, also SoGou, Youdau), Goo (Japan), Naver (Korea), etc.
Some may be legit but perhaps unfamiliar to you (Rogerbot, for seomoz.org,
mj12bot, for majestic12.co.uk)
Analogy: restaurant scrambling to serve crush of non-paying reviewers
…
8. THE NATURE OF SUCH AUTOMATED
REQUESTS: CRAWLERS (CONT.)
Some crawlers visit your site for other purposes:
Some are looking to find copyright violations (maybe ok)
Some grab ecommerce site prices to show elsewhere (may be dubious)
Some grab content to sell to competitors context about your site/business (not cool)
Then there are RSS/atom readers/services, calling into feeds on your sever
And you may expose APIs, web and REST services that are called in auto. ways
And before you feel safe with non-public/intranet site, behind firewall or login
Beware: site may be crawled by internal search appliances
But that’s not all (that can affect both intranet and traditional web sites)…
9. THE NATURE OF SUCH AUTOMATED
REQUESTS: OTHER CHECKS
And how about load balancer health checks?
And monitoring checks (setup by you, your IT folks, or your clients)?
Consider also site security scans
May be run by folks in your IT org, to find vulnerabilities
These often run requests at high rates, trying many ways to “break in”
Analogy: restaurant scrambling to serve free-loading family members
10. THE NATURE OF SUCH AUTOMATED
REQUESTS: ERRORS
And consider also the added impact of error handling of those, or 404s
Still another cause: coding mistakes leading to repeated requests
Such as a runaway ajax client call
11. THE NATURE OF SUCH AUTOMATED
REQUESTS: MISCREANTS
And of course hackers, thieves, miscreants attempting increasing harm:
Comment and other forms of spam
Theft of content
Break-in/takeover of accounts
Including outsiders running security scans to find vulnerabilities
Fraudulent transactions
Denial of service (ddos)
Which could be as simple as them running load test tools against your server
Analogy: restaurant scrambling to serve folks stealing from the register,
blocking the door, etc.
OK, so now we know some common kinds of automated requests…
12. IDENTIFYING SUCH BOTS
Requests typically self-identify with a “user agent” header
Browsers identify the kind of browser they are (Chrome, FF, Safari, Opera, IE, etc.)
And most legit bots will also provide a user agent (UA) string
Some bots also provide a URL in the UA as well
A page to explain perhaps what they do, how to manage their requests
Nice free web site to lookup and better understand UA strings
https://www.distilnetworks.com/bot-directory/
Gives ratings (good/bad), known IP ranges, more
13. IDENTIFYING SUCH BOTS (CONT.)
Do beware: a requestor can lie about their user agent
Some may look like “real browser”, others like “legit spider”, to throw you off
If you see a “Googlebot” UA from an IP on Amazon, they’re a liar!
Still others may provide no user agent at all
And we could use that against them, in rejecting requests without any UA
Let’s talk about other ways to identify them, then how we may handle them
14. BOT CHARACTERISTICS WE MIGHT
WATCH FOR TO BLOCK THEM
Most automated agents also present no cookie (important impact, later)
Of course, a real first-time user will also have no cookie from your site
But if we get many frequent requests from same IP with no cookie, we might
count that against them
Many automated requests might show no “referrer” header
Of course, neither will a request where someone types your URL into a browser
IP addresses of many requests at once may be same, or in a small range
Or may have same UA but totally random IPs, which could be suspicious
We’ll revisit consideration of such characteristics under “mitigation” later
15. THEIR GENERALLY UNEXPECTED VOLUME
So again, why might all this be a problem?...
Most of these automated requests (of all types) tend to come every day
Generally hitting ALL your site pages
And a given single “page” may be reached by different URLs (bot won’t know)
Not unusual for folks to have “paging” links, accessing all pages of a type
For instance, all products, and as viewed over all categories, then all vendors, etc
And remember, each kind of bot may visit thousands of your pages per day
This is why it’s not unusual to find these being 80% of site requests!
And so what? ….
17. GENERAL IMPACT
Of course, such high volumes of requests have impact on:
General compute resources (cpu, memory, disk)
Some may be tempted to increase hardware to “handle the site’s load”
Consider also the bandwidth used to serve each page requested
And all associated files (CSS, JS, image files)
Perhaps millions per day, per bot, day after day ad infinitum
Someone‘s paying for that bandwidth!
Then consider impact on entire infrastructure
Web server, application server, database server, san/nas, network, perhaps mail
server, etc.
For CFML pages specifically, impact is even more significant…
18. CF-SPECIFIC IMPACT: SESSIONS
First, session and client creation
Talking here about CF sessions (or J2EE sessions), stored in memory of CF/heap
Not referring to “web sessions” as tracked by web servers, Google Analytics, etc
CF sessions are used to track data for a user across many requests
Based on sessionid cookie being passed from client on each request
But most automated agents send no cookie, thus creating a new
session/client for EACH page requested!
Not unusual for me to help folks find 20k, 100k, or more “active” sessions!
19. CF-SPECIFIC IMPACT: SESSIONS (CONT.)
Such high session count could have impact on heap use within CF, of course
And “weight” of session influenced by what your code puts into session
Consider also session timeout: how long unused sessions remain in memory
May be hours or even days in some setups
Max and default timeout set in CF admin, of course
Can be overridden in application.cfc/cfm
Longer timeout X more mem per session X more sessions = more heap
20. CF-SPECIFIC IMPACT: SESSIONS (CONT.)
Still worse: consider your session startup code, running for each new “session”
Talking about onsessionstart in application.cfc
Or perhaps code in application.cfm within a test for session existence
You may create queries, CFCs, arrays/structs, stored in session scope for user
Consider then the incredibly high rate of executions per minute, hour, day
May be executed FAR more often than the developer ever anticipated
21. CF-SPECIFIC IMPACT: CLIENT VARS
Consider also impact if your code enables client variables
(clientmanagement=“yes”)
Default behavior is that each request creates/updates client repository “global
variables” (hitcount, last visit)
So that’s still more activity per request
Worse: such automated requests create NEW client repo entries on EACH
request!
Bad enough if these are stored in a database: lots of i/o, possible congestion
Again to track information for what may be just a single visit ever
Worst still if client vars might be stored in registry
Or worst of all, if on *nix where such “registry” processing is really just a “reg” file!
22. CF-SPECIFIC IMPACT: ERRORS & MORE
Consider also impact of spiders/bots on your 404 and error handing
Automated agents may call many pages that don’t exist (repeatedly)
Or they may call pages in an unexpected “order”, triggering errors
Or their high volume may create still more errors
Consider needless filling of caches (query cache, template cache, etc)
Consider also impact on cfhttp calls your code may make to other sites
Maybe to obtain information, or to share it, on each/many/most requests
Such high volume of automated requests may cause YOU to be abusing others
Your requests may be throttled by such other sites, affecting your “real” users
23. CF-SPECIFIC IMPACT (CONT.)
So I hope I’ve made the case that you may well need to worry
How can you know if you should?
25. OVERVIEW OF A COUPLE OF SIMPLE
WAYS
There are a couple of relatively straightforward ways to observe such traffic
You may know that some built-in tools log every request
And tools exist (free and commercial) to help analyze such logs
Such logs can also be configured to track user agent, cookies, referrer
Some tools also let you track count of sessions
Let’s look at these a bit more closely
26. ANALYZING LOGGING OF REQUESTS
Web server logs (IIS, Apache, nginx) track every request
Of course, they track requests of every type: images, js, css, etc.
These can optionally be configured to track user agent, cookies, referrer
Tools exist to monitor such web server logs, track web site “traffic”
Some are more “marketing” oriented, may literally hide spider/bot traffic!
Some may well distinguish spider traffic
Other tools can analyze an CSV logs, which is useful because …
27. ANALYZING LOGGING OF REQUESTS
(CONT.)
ColdFusion (Tomcat) “access” logs can also be enabled to track CF requests
Turned on by default in CF10, off by default in CF11, 2016
These track ONLY CF page requests, of course, assuming CF is behind a web server
These can also be configured to track user agent, cookie, referrer
FusionReactor logs also track every request
And can be configured to track UA; already tracks incoming session cookies if any
Tools for log analysis: http://www.cf411.com/loganal
28. TRACKING OF REQUESTS VIA
BEACONS
Again there are tools/services that can track visits via tracking beacons
You implement a small bit of javascript in your code
When that page is visited, a request is made from the client to some server service,
which tracks requests
Examples: Google Analytics, Google and Bing Webmaster Tools, and more
And better versions of such tools do distinguish spider/bot traffic
Do beware, some “clients” won’t execute the Javascript that triggers such
tracking
And so some such automated requests may not be tracked at all
29. TRACKING SESSIONS AND MORE
CF10 and above track session count in metrics.log; enabled in CF Admin
FusionReactor and CF Enterprise Svr Monitor track current count of CF sessions
FR also tracks session count over time and across restarts, in realtimestats.log
Beyond sessions, CF tracks cfhttp calls in cfhttp.log
404s and application errors tracked in application.log, or handled by your app
So once you confirm you DO have lots of automated traffic, how do you
handle it?...
31. PREVENTING UNDESIRABLE ONES
First thought may be “block” undesirable requests by IP address
Beware: most come from a block of them (and bad guys may falsify IP)
Becomes game of “whack-a-mole”
May think to block by user agent
Beware: some bad guys present legit-looking user agents
The black hats are trying always to stay a step ahead of the white hats
Consider also Perimeterx’s “4 generations of bots”
https://www.perimeterx.com/resources/4th-gen-bots-whitepaper
Still, for a large amount of most common automated traffic, these simplistic
approaches may be better than doing nothing (more in a moment)
32. MITIGATING THE IMPACT OF EXPECTED
ONES, MORE GENERALLY
Simplistic solutions to manage such agents may exist already in your env
Robots.txt: simple, but could be ignored
Web server IP blocking features: like playing whack-a-mole
URL rewrite tools could block requests by a variety of characteristics
IIS request filtering can block by user agent string
Any of these might work just fine for some, but may be too simplistic for many
There are still other options…
33. MITIGATING THE IMPACT OF EXPECTED
ONES, MORE GENERALLY (CONT.)
Some firewalls (software or hardware) can manage bots
Some web app firewall solutions in or available for most web servers can help
Indeed, some cloud services offer protections against spiders/bots/hacks
https://aws.amazon.com/blogs/aws/new-aws-waf/
https://azure.microsoft.com/en-us/blog/azure-web-application-firewall-waf-
generally-available/
You could also consider also web content caching proxy solutions
To at least reduce impact reaching your server
Or we can get still more sophisticated about this specific problem…
34. MITIGATING THE IMPACT OF EXPECTED
ONES, MORE GENERALLY (CONT.)
There are tools/services that detect/mitigate negative bot impact
Some free, some commercial
Some easily implemented, others even offered as SAAS with virtually no change
Examples: Distil, Incapsula, Shieldsquare, PerimeterX, Akamai
These companies are making it their job to watch for and block bots
Even the most sophisticated ones
Most offer options to report-only at first, and then tweak/turn on to block bad guys
And may want to consider those focused more on blocking hacks rather than
bots, per se
Shape Security, Securi, Cloudflare, etc
Now on to more CF-specific mitigations…
35. MITIGATING THE IMPACT OF EXPECTED
ONES, CF-SPECIFICALLY
May want to modify session timeout on per-request basis, lower for bots
Consider watching programmatically for characteristics like:
No user agent, no referrer, and no cookie
Can implement either in:
In application.cfm, where you can vary cfapplication sessiontimeout
In application.cfc, may not want to vary this.sessiontimeout (applies to loaded
app)
Instead, could handle in onrequestend
Can either “invalidate” session, or lower session timeout for that request only via java
36. MITIGATING THE IMPACT OF EXPECTED
ONES, CF-SPECIFICALLY (CONT.)
May also want to reconsider coding choices in your session startup code
Maybe don’t store large amounts of info at session startup (queries, arrays, structs,
CFCs) if request is determined to be for an automated agent
Given that session won’t be re-used anyway by most automated request agents
Also, reconsider error handling, to only respond to cfm/cfc pages
And maybe html pages if you must, but not image/css/js files
Consider admin config options related to sessions and/or client variables
Session timeout: reconsider default/max times, and times set per app
Reconsider client var storage options (cookie vs db/registry)
37. MITIGATING THE IMPACT OF EXPECTED
ONES, CF-SPECIFICALLY (CONT.)
Could also add code to at least throttle excessively frequent requests
http://www.carehart.org/blog/client/index.cfm/2010/5/21/throttling_by_ip_address
Note that ContentBox incorporates a variant this code, enabled by a checkbox
“Outside the box” possibility (for CF Enterprise, Lucee/Railo)
Create a separate instance to JUST serve automated traffic
Direct such traffic there with web server rewrite features
38. So, phew, that’s a lot to take in!
Understanding issue, mitigating it
I’ve provided a broad overview
You may want to dig in to the topic further
There are many resources that focus on the topic generically in significant depth
40. SUMMARY
The nature, volume and impact of automated requests is often hidden
It is possible to observe the volume, mitigate the impact, perhaps easily
Can lead to a substantial improvement in performance, bandwidth savings
Again, my contact info for follow-up:
Charlie Arehart
charlie@carehart.org
@carehart (Tw, Fb, Li, Slack)
carehart.org/consulting
Thanks, and hope you’ve enjoyed the rest of the conference
Come see me at the FusionReactor booth, where I am manning it for them