In Practical DevSecOps - DevSecOps Live online meetup, you’ll learn Automating security tests using Selenium and OWASP ZAP.
Join Srinivas, Red Team Member at Banking Industry, also Offensive Security Certified Professional(OSCP) and Offensive Security Certified Expert(OSCE.
He will cover Automating security tests using Selenium and OWASP ZAP.
In this intriguing meetup, you will learn:
1. Introduction to automated vulnerability scans and their limitations.
2. A short introduction to how functional tests can be useful in performing robust security tests.
3. Introduction to selenium and OWASP ZAP
4. Proxying selenium tests through OWASP ZAP
5. Invoking authenticated active scans using OWASP ZAP
6. Obtaining scan reports
… and more useful takeaways!
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
ZAP may not be featured in movies as much as nmap, but is a real hacker tool! If you are a tester in a DevOps organization you know that security is everybody's job, so you MUST add this tool to your toolbox! Attend this talk to see ZAP in action and learn how to use ZAP to test your web applications and web services for OWASP Top 10 vulnerabilities.
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]raj upadhyay
What is ZAP(Zed Attack Proxy)?An easy to use web application pentest tool.
Completely free and open source.
An OWASP(Open Web Application Security Project) flagship project.
Ideal for beginners.
But also used by professionals.
Becoming a framework for advanced testing.
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.
Security teams are often seen as roadblocks to rapid development or operations implementations, slowing down production code pushes. As a result, security organizations will likely have to change so they can fully support and facilitate cloud operations.
This presentation will explain how DevOps and information security can co-exist through the application of a new approach referred to as DevSecOps.
ZAP may not be featured in movies as much as nmap, but is a real hacker tool! If you are a tester in a DevOps organization you know that security is everybody's job, so you MUST add this tool to your toolbox! Attend this talk to see ZAP in action and learn how to use ZAP to test your web applications and web services for OWASP Top 10 vulnerabilities.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications
1. Overview of DevOps
2. Infrastructure as Code (IaC) and Configuration as code
3. Identity and Security protection in CI CD environment
4. Monitor Health of the Infrastructure/Application
5. Open Source Software (OSS) and third-party tools, such as Chef, Puppet, Ansible, and Terraform to achieve DevOps.
6. Future of DevOps Application
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture.
Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Security as Code: A DevSecOps ApproachVMware Tanzu
SpringOne 2021
Session Title: Security as Code: A DevSecOps Approach
Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oct 15 2017
http://cybersecurity.withthebest.com
In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications
1. Overview of DevOps
2. Infrastructure as Code (IaC) and Configuration as code
3. Identity and Security protection in CI CD environment
4. Monitor Health of the Infrastructure/Application
5. Open Source Software (OSS) and third-party tools, such as Chef, Puppet, Ansible, and Terraform to achieve DevOps.
6. Future of DevOps Application
A talk on ZAP Automation in CI/CD given remotely to OWASP Switzerland on 9th Febrary 2021 by Simon Bennetts.
Full video: https://www.youtube.com/watch?v=5oMp5O9CeSg
SAST vs. DAST: What’s the Best Method For Application Security Testing?Cigital
High profile security breaches are leading to heightened organizational security concerns. Firms around the world are now observing the consequences of security breaches that are becoming more widespread and more advanced. Due to this, firms are ready to identify vulnerabilities in their applications and mitigate the risks.
Two ways to go about this are static application security testing (SAST) and dynamic application security testing (DAST). These application security testing methodologies are used to find the security vulnerabilities that make your organization’s applications susceptible to attack.
The two methodologies approach applications very differently. They are most effective at different phases of the software development life cycle (SDLC) and find different types of vulnerabilities. For example, SAST detects critical vulnerabilities such as cross-site scripting (XSS), SQL injection, and buffer overflow earlier in the SDLC. DAST, on the other hand, uses an outside-in penetration testing approach to identify security vulnerabilities while web applications are running.
Let us guide you through your application security testing journey with more key differences between SAST and DAST:
Slides from a talk given at DevSecCon on 206h October 2016 http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Security will always be our top priority. Agile deployment methods require a set of dynamic built-in security controls that keep pace with innovation and scale. In this session we will utilise the power of automation with the AWS platform to increase the agility of developers while maintaining a strong security posture.
Speaker: David Faulkner, Senior Technical Account Manager, Amazon Web Services
Security Testing is deemed successful when the below attributes of an application are intact
- Authentication
- Authorization
- Availability
- Confidentiality
- Integrity
- Non-Repudiation
Testing must start early to minimize defects and cost of quality. Security testing must start right from the Requirements Gathering phase to make sure that the quality of end-product is high.
This is to ensure that any intentional/unintentional unforeseen action does not halt or delay the system.
Static Analysis Security Testing for Dummies... and YouKevin Fealey
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Security as Code: A DevSecOps ApproachVMware Tanzu
SpringOne 2021
Session Title: Security as Code: A DevSecOps Approach
Speakers: Alvaro Muñoz, Staff Security Researcher at GitHub; Tony Torralba, Software Engineer at GitHub
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...gmaran23
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oct 15 2017
http://cybersecurity.withthebest.com
In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...gmaran23
https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017#tab=Conference_0101_talks
In this talk we will explore the many different ways of automating security testing with the OWASP Zed Attack Proxy and how it ties to an overall Software Security Initiative. Over the years, ZAP has made many advancements to its powerful APIs and introduced scripts to make security automation consumable for mortals. This talk is structured to demonstrate how ZAP's API, and scripts could be integrated with Automated Testing frameworks beyond selenium, Continuous Integration and Continuous Delivery Pipelines beyond Jenkins, scanning authenticated parts of the application, options to manage the discovered vulnerabilities and so on with real world case studies and implementation challenges.
This is a demonstration oriented talk that explains OWASP ZAP automation strategies for Security Testing by example.
Security DevOps: Wie Sie in agilen Projekten trotzdem sicher bleiben // JAX 2015Christian Schneider
Diese Session zeigt Ihnen, welche Automatisierungsoptionen zur Überwachung bestimmter Sicherheitsaspekte in der agilen Softwareentwicklung bestehen. Ausgehend von dem etablierten DevOps-Konzept, mit dem im Übergang von Entwicklung zu Betrieb Prozesse automatisiert und verzahnt werden, wird mit "Security-DevOps" dieser Antrieb aufgegriffen und auf die Absicherung von Anwendungen gegen Hackerangriffe übertragen.
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...gmaran23
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up on 21 Feb 2015
Watch the screen recording of this presentation at https://vimeo.com/120481276
This presentation explains how to perform security testing using ZAP in Salesforce .Learn how to Install and configure ZAP to Automate Security Testing !!
Slides from my 'Introduction to the OWASP Zed Attack Proxy' presentation as part of the 2013 OWASP EU Tour in Amsterdam.
For more info about ZAP see: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015Peter Sabev
If you count the alternatives, there are 50 tools for software testing focused on open source projects - test planning and management, test execution, test reporting, front-end and backend testing, automated mobile testing, security scanners, issue tracking and others
Ten Commandments of Secure Coding - OWASP Top Ten Proactive ControlsSecuRing
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
In this session I will present best practices of how open source tools (used in the DevOps and security communities) can be properly chained together to form a framework that can - as part of an agile software development CI chain - perform automated checking of certain security aspects. This does not remove the requirement for manual pentests, but tries to automate early security feedback to developers. Ultimately the aim is to free pentesters’ time by continuously reducing the amount of
recurring (easy to find) default findings, so that pentesters can use
that time to focus on the really high-hanging fruits.
Based on my experience of applying SecDevOps techniques to projects, I will present the glue steps required on every commit and at nightly builds to achieve different levels of depth in automated security testing during the CI workflow.
I will conclude with a "SecDevOps Maturity Model" of different stages of automated security testing and present concrete examples of how to achieve each stage with open source security tools.
[DevSecOps Live] DevSecOps: Challenges and OpportunitiesMohammed A. Imran
In this Practical DevSecOps's DevSecOps Live online meetup, you’ll learn DevSecOps Challenges and Opportunities.
Join Mohan Yelnadu, head of application security at Prudential Insurance on his DevSecOps Journey.
He will cover DevSecOps challenges he has faced and how he converted them into opportunities.
He will cover the following as part of the session.
DevSecOps Challenges.
DevSecOps Opportunities.
Converting Challenges into Opportunities.
Quick wins and lessons learned.
… and more useful takeaways!
Security is tough and is even tougher to do, in complex environments with lots of dependencies and monolithic architecture. With emergence of Microservice architecture, security has become a bit easier however it introduces its own set of security challenges. This talk will showcase how we can leverage DevSecOps techniques to secure APIs/Microservices using free and open source software. We will also discuss how emerging technologies like Docker, Kubernetes, Clair, ansible, consul, vault, etc., can be used to scale/strengthen the security program for free.
More details here - https://www.practical-devsecops.com/
In graph we trust: Microservices, GraphQL and security challengesMohammed A. Imran
In graph we trust: Microservices, GraphQL and security challenges - Mohammed A. Imran
Microservices, RESTful and API-first architectures are rage these days and rightfully so, they solve some of the challenges of modern application development. Microservices enable organisations in shipping code to production faster and is accomplished by dividing big monolithic applications into smaller but specialised applications. Though they provide great benefits, they are difficult to debug and secure in complex environments (different API versions, multiple API calls and frontend/backend gaps etc.,). GraphQL provides a powerful way to solve some of these challenges but with great power, comes great responsibility. GraphQL reduces the attack surface drastically(thanks to LangSec) but there are still many things which can go wrong.
This talk will cover the risks associated with GraphQL, challenges and solutions, which help in implementing Secure GraphQL based APIs. We will start off with introduction to GraphQL and its benefits. We then discuss the difficulty in securing these applications and why traditional security scanners don’t work with them. At last, we will cover solutions which help in securing these API by shifting left in DevOps pipeline.
We will cover the following as part of this presentation:
GraphQL use cases and how unicorns use them
Benefits and security challenges with GraphQL
Authentication and Authorisation
Resource exhaustion
Backend complexities with microservices
Need for tweaking conventional DevSecOps tools for security assurance
Security solutions which works with GraphQL
The practical DevSecOps course is designed to help individuals and organisations in implementing DevSecOps practices, to achieve massive scale in security. This course is divided into 13 chapters, each chapter will have theory, followed by demos and any limitations we need to keep in my mind while implementing them.
More details here - https://www.practical-devsecops.com/
This is the part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
Pentesting RESTful webservices talks about problems penetration testers face while testing RESTful Webservices and REST based web applications. The presentation also talks about tools and techniques to do pentesting of RESTful webservices.
This presentation covers the Cross site scripting attacks and defences in web applications, this talk was delivered as part of OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
This presentation covers very basics of assembly language with some computer organization concept. I took this session as part of on going series on assembly at NULL Hyderabad meets. PART II will cover instruction sets and more in detail.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
PHP Frameworks: I want to break free (IPC Berlin 2024)
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
1.
2. • I am Srinivasarao Kotipalli
• Lives in Singapore
• 8 years of experience in Cyber Security
• Authored Hacking Android – Packt Pub
• OSCP & OSCE
whoami
3. • Introduction to automated vulnerability scans and their limitations.
• How functional tests can be useful in performing powerful security tests.
• Introduction to selenium and OWASP ZAP.
• Proxying selenium tests through OWASP ZAP.
• Invoking authenticated active scans using OWASP ZAP.
• Obtaining scan reports.
Agenda
4. OWASP ZAP (short for Zed Attack Proxy)
is an open-source web application
security scanner. It is intended to be
used by both those new to application
security as well as professional
penetration testers.
It can also run in a daemon mode which is
then controlled via a REST API.
Source: https://en.wikipedia.org/wiki/OWASP_ZAP
Introduction to OWASP ZAP
5. • Many commercial tools are available
• Maximum crawling and an active session are crucial for better coverage
• They come with two most important features :
1. An option to record the login sequence
2. Manually explore the Web Application
• Why are these features important?
• DEMO
Automated vulnerability scans
6. • Selenium automates browsers.
• Selenium comes in different flavors and we are specifically talking about Selenium Web Driver.
• Commonly used for automation testing.
• After the product is fully integrated, these tests are run to make sure that the application
is working as expected.
Introduction to Selenium
8. So, what problem are we solving?
• Login Pages in web Applications may stop Automated scanners.
• Features that require authentication may not be properly scanned, with default scans.
• QA teams are already writing scripts to properly crawl through the web apps.
• Security teams may not leverage these QA automation scripts in security testing.
9. So, what problem are we solving?
• knows how to login and crawl through important features.
• knows how to find security issues in crawled pages.
• Login Pages in web Applications may stop Automated scanners.
• Features that require authentication may not be properly scanned, with default scans.
Use them together to achieve better DAST
12. Integrating Selenium and ZAP in CICD pipeline
• Launch ZAP – listens on a port
• Proxy Selenium traffic through ZAP
• Run functional tests (Passive scan is automatically done)
• Invoke ZAP Active scan:
• As a bash command from CI Server
• As a python script on CI Server
• As a test from Selenium
• Get the results:
• As a bash command from CI Server
• As a python script on CI Server
• As a test from Selenium
https://www.zaproxy.org/docs/api/#introduction
13. Proxy proxy = new Proxy();
proxy.setHttpProxy("localhost:8081");
proxy.setSslProxy("localhost:8081");
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
capabilities.setCapability("proxy", proxy);
[Selenium Tests here]
[Optionally, Security Tests here]
Proxying Selenium requests through ZAP
ZAP is run on localhost:8081
16. curl "http://localhost:8081/OTHER/core/other/htmlreport/" -o zap.html
curl "http://localhost:8081/OTHER/core/other/jsonreport/" -o zap.json
curl "http://localhost:8081/OTHER/core/other/xmlreport/" -o zap.xml
Get HTML/XML report from command line
ZAP is run on localhost:8081
XML/JSON formats can be useful if you want to import the findings into a Vulnerability Management tool
19. • You can possibly take advantage of any functional testing framework to perform security scans.
• If you have existing Selenium test cases written for your web apps, use them to drive security scans.
• If you already spent time and efforts on writing Selenium scripts, you already explored the website for
your scanner. Proxy the Selenium traffic through ZAP.
• OWASP ZAP comes with the best and easy to use REST APIs, use them for DAST.
• ZAP is an OWASP project, you can trust its abilities to discover common vulnerabilities.
Key takeaways