This document proposes BeamAuth, a two-factor web authentication method built on a browser bookmark. The bookmark carries a secret token, delivered to the user over a separate channel such as email, in the URL fragment identifier. When the user clicks the bookmark, script on the login page reads the token from the fragment and uses it as a second authentication factor alongside the password. Because the fragment identifier is never sent in the HTTP request, the token reaches the server only through the page's own script, and a page on another origin cannot read the user's bookmarks. The scheme needs no browser upgrade: it repurposes the existing bookmark and fragment-identifier features for authentication. The document also discusses potential attacks and compares BeamAuth with long-lived cookies, including for keeping several devices in sync.
Live Identity Services presentation at Microsoft's MIX09 Conference.
Learn how Microsoft provides a range of identity solutions for helping developers more easily build seamless user experiences that include Federation, Authentication, UX Customization, Open Standards, OpenID and more.
These slides are supposed to help you understand the basics of application security, and how the latest technologies come together to enable you to reduce the number of times people at your organization need to authenticate.
For more information visit http://gluu.org
CIS14: Authentication: Who are You? You are What You Eat (CloudIDSummit)
Dale Olds, VMware
A pinch of authentication theory and methods, a taste of the sweet and the bitter of the much maligned password, and then larger portions of federated authentication protocols from SAML to OpenID Connect, clearing up along the way some confusion between federated authentication and tokens used for delegated authorization.
CIS13: Identity as a Matter of Public Safety: A Case Study in Secure API Acce... (CloudIDSummit)
Adam Lewis, Office of the CTO, Motorola
RESTful APIs, WS-* / SOAP APIs, Proprietary APIs, protocols beyond APIs, OAuth for Authentication, Federated Authorization Servers across security domains, Token Translation between SAML and JWT, SSO across native applications, all running across Windows desktops and Android mobile computing platforms… and the glue to tie all that together? Are you kidding? Tune in to this technical chat on a real-life case study of a small but dedicated band of engineers’ attempts to harmonize identity in a very un-harmonized world.
Web Components for Microservices and IoT (Chris Lorenzo)
Developing cutting edge experiences for IoT is challenging. With hundreds of new IoT products added every year developers need a better way to build front-ends for constantly evolving backends and products, but how?
At Comcast we’re working on solving this problem with Web Components. By having our APIs return a web component reference to display an IoT device, we can create dynamic front ends that work on web and mobile while also reducing complexity. These lightweight, decoupled, framework-agnostic components can be built quickly and independently of one another, even by separate teams. During this talk I’ll give an overview of Web Components, why they are critical for mobile browsers, and how Comcast is using them to create a more universal experience for our customers. You’ll get a deep understanding of Comcast’s web application architecture, which we use to serve millions of customers daily.
Web Application Security: The Land that Information Security Forgot (Jeremiah Grossman)
Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks that make this area of security important go, for the most part, undocumented, unexplained and misunderstood. As a result, our web applications are left undefended and at the mercy of a determined attacker. To gain a deeper understanding of the threats, witnessing these attacks first hand is essential.
Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".
This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures.
Founder and chairman of WhiteHat Security, and former information security officer at Yahoo!, where he designed, audited and penetration-tested the company's web applications, which demand the highest level of security.
Over the past five years Jeremiah has researched and applied information security with special emphasis on preventing web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions, including Defcon, the Air Force and Technology Conference, ToorCon, and others.
Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and is considered among the foremost web security experts.
A short and sweet version of my voting talk for the Harvard College Fund meeting. The talk started with Stuart Shieber and ended with Greg Morrisett. I haven't included their slides here, as I'm not sure what license they'd like to use.
With a complete new Identity/Access Management Suite on the Oracle market, one might forget the good old SSO server bundled with each and every IAS server. Although it has some out-of-the-box capabilities such as WNA (Windows Native Authentication) and X.509 certificate support, it can be quite hard to set up an authentication scheme just the way you (or your customers) like it.
Using a case study, this presentation discusses how you can extend Oracle’s Single Sign On (SSO) server to your needs. It will discuss:
- Integration & authentication with smartcard passports (eID)
- Authentication with digital certificates
- Implementing fallback authentication schemes
- Integration with SSL terminators and reverse proxies
- DIY federated authentication
- Writing your own SSO plugin
The solutions presented are part of AXI NV/BV's portfolio.
Live Identity Services Drilldown - PDC 2008 (Jorgen Thelin)
Live Identity Services enables developers on any platform to choose the identity integration model that best enables their scenarios, including: web or client authentication, delegated authentication, or federated authentication. Learn how to build seamless, cobranded, and customized sign-up and sign-in experiences.
Microsoft PDC 2008 - Session BB22
Abusing bleeding edge web standards for appsec glory (Priyanka Aash)
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
Optimize Your SaaS Offering with Serverless Microservices (GPSTEC405) - AWS r... (Amazon Web Services)
In this hands-on session, we crack open the IDE and transform a SaaS web app comprised of several monolithic single-tenant environments into an efficient, scalable, and secure multi-tenant SaaS platform using ReactJS and NodeJS serverless microservices. We use Amazon API Gateway and Amazon Cognito to simplify the operation and security of the service’s API and identity functionality. We enforce tenant isolation and data partitioning using tenant claims carried in the OIDC-issued JWTs. We leverage AWS SAM and AWS Amplify to simplify authoring, testing, debugging, and deploying serverless microservices, keeping operational burden to a minimum, maximizing developer productivity, and maintaining a great developer experience.
Presentation by Junaid Loonat at the 2010 internet show South Africa.
The presentation is about the insecurities of the Web 2.0 server. It begins by looking at how the likely targets of an attack have changed from Web 1.0 to Web 2.0 servers. Other changes from Web 1.0 to Web 2.0, such as authentication enforcement and CAPTCHA validation, are also discussed. The presentation ends with a brief discussion of how to limit your own risk when deploying a web application.
This topic introduces tools to automate the development and deployment workflow of a WordPress web application.
I am showing the main benefits of such a workflow and how it allows making the installation and update of the project fully automatic, predictable, versioned, and ready to be integrated into a continuous deployment system. Tools like Docker and WP-CLI will be introduced to implement that process, along with a simple tool that I have developed to automatically deploy the basic data that a project needs to be up and running.
My mantra? No manual clicks whatsoever in the web interface for configuring WordPress!
Building Voice Controls and Integrating with Automation Actions on an IoT Net... (Intel® Software)
Voice recognition is a natural method that people can use to interact with and automate smart devices. In this session, we build a microservice for automation of IoT using local fog computing resources and cloud-based serverless functions. We also create a voice-enabled chatbot that triggers automatic actions on an IoT network.
Mist.io helps you manage and monitor your virtual machines across multiple clouds with a mobile friendly web app. This presentation took place in CoLab, Athens 27 September 2012, during the Greek AWS user group meetup.
Secure Enterprise APIs for Mobile, Cloud & Open Web
APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed.
By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data.
You Will Learn
How APIs increase the attack surface
What key types of risk are introduced by APIs
How enterprises can mitigate each of these risks
Why it is crucial to separate API implementation and security into distinct tiers
Presented By
Scott Morrison, CTO, Layer 7 Technologies
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf (Malak Abu Hammad)
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, in smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs (Alex Pruden)
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
20 Comprehensive Checklist of Designing and Developing a Website (Pixlogix Infotech)
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 (Albert Hoitingh)
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
12. Update the Browser
- Dynamic Security Skins [DT2005]
secure password-based key exchange
new browser chrome to auth web site.
- PwdHash [RJMBM2005]
domain-specific password pre-processing.
- MS CardSpace
change the entire auth infrastructure
built into the operating system.
21. Can We Do Something Now?
(Stack diagram: Application Code / HTML & JavaScript / HTTP)
- The web is a (limited) platform
- Can we build better security in the application layer?
- Maybe by hijacking certain features for security purposes?
(Active Cookies, Subspace, ...)
Goal: preventing easy phishing
30. The General Idea
(Diagram) Setup Phase: Alice presents proof of identity to the OpenID Server and receives a token.
Login Phase: "Click Your BeamAuth Login Button"; the login form shows Username "benadida" and Password "**********" with a "log in" button; the result is "Welcome, Ben Adida."
33. Let’s Build this Button!
- Browser add-on
not an easy solution for most users
complexity of add-on across browsers
significant trust delegated to the login site
- Bookmark
Delicious, etc. use bookmarks as buttons
can we do the same for security?
BookMark Auth = BM Auth = BeamAuth
44. The URL Fragment Identifier
http://site.com/page#paragraph
- used to designate a portion of a page
browser scrolls to the appropriate location.
- never sent over the network but accessible from JavaScript
- navigation between fragments does not cause a page reload.
46. Fragment in a Bookmark
http://login.com/login#[benadida|8x34202]
var hash = document.location.hash;
if (hash != '') {
    // parse the hash, get username and token
    process_beamauth_hash(hash);
    // clear the hash from the URL
    document.location.replace('/login');
}
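Added example (not code from the talk): a parser for the `#[username|token]` bookmark fragment shown above and the login-page handler that consumes and then clears it. The function names, the validation rules and the fake `location` object are this example's own assumptions.

```javascript
"use strict";
// Added example, not from the BeamAuth slides. Parses the bookmark fragment
// "#[username|token]" on the login page. The fragment is never sent to the
// server; only script running in the page can read it.

// Constructed format rules: username like the slide's "benadida", token an
// alphanumeric string like "8x34202". Strict validation keeps an arbitrary
// fragment from being treated as a credential.
const USERNAME_RE = /^[a-z0-9_.-]{1,64}$/i;
const TOKEN_RE = /^[a-z0-9]{6,128}$/i;

// Returns { username, token }, or null if the hash is not a BeamAuth fragment
// (an empty hash, an ordinary "#paragraph" anchor, or a malformed value).
function parseBeamAuthHash(hash) {
  if (typeof hash !== "string" || hash === "") return null;
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  // Some browsers percent-encode "[", "|" and "]" in the address bar.
  let decoded;
  try { decoded = decodeURIComponent(body); } catch (e) { return null; }
  const m = /^\[([^|\]]+)\|([^|\]]+)\]$/.exec(decoded);
  if (!m) return null;
  const [, username, token] = m;
  if (!USERNAME_RE.test(username) || !TOKEN_RE.test(token)) return null;
  return { username, token };
}

// Mirrors the slide's snippet: read the hash, hand the credentials to the
// login form, then clear the hash so the token does not stay in the address
// bar or in a bookmark made later. `loc` is any object with `hash` and
// `replace()` (document.location in a browser).
function processLoginPage(loc, loginPath) {
  const creds = parseBeamAuthHash(loc.hash);
  if (creds === null) {
    // Plain visit or unusable fragment: fall back to the ordinary form.
    return { mode: "password-only", username: null, token: null };
  }
  loc.replace(loginPath);
  // The caller puts the token in a hidden field (set with .value, never
  // innerHTML) so it is submitted with the password as the second factor.
  return { mode: "beamauth", username: creds.username, token: creds.token };
}
```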
55. Attacks
- Trick User into Not Clicking Bookmark
password compromised, token safe.
- Lock User into Site
password compromised, token safe.
- Maliciously Replace Bookmark
password compromised, token safe.
- Pharming
all compromised.
- “Drag-and-Drop” Attack
all compromised on Firefox.
56. Comparison to
Long-Lasting Cookies
- Second-channel setup – though long-lasting cookies could do the same thing there.
- Synchronization across browsers
using existing bookmark-sync tools.
- Better behavior for non-SSL sites
57. BeamAuth: Summary
- Bookmark as second authentication factor
- Token delivered via a separate channel (email)
- Use the fragment identifier to store token
- Tweaked Login Ritual: whisk users to safety
58. Can we do more?
- The fragment identifier might be
used for more tricks.
- JavaScript bookmarks
may be useful for security.
- Security in the app layer: help evolve the
browser platform without anticipating all
security requirements.
generalize concept of site-specific extension?