Covering the best practices for building new applications on top of the Box platform, including token management, error conditions and program flow, architecture, and other such topics.
Better Data with Machine Learning and Serverless, by Jonathan LeBlanc
Creating valuable insights out of raw data files, such as audio or video, has traditionally been a very manual and tedious process, and has produced mixed results due to an influential human element in the mix.
Thanks to enhancements in machine learning systems, coupled with the rapidly deployable nature of serverless technology as a middleware layer, we are able to create highly sophisticated data insight platforms to replace the huge time requirements that have typically been required in the past.
With this in mind, we’ll look at:
- How to build end-to-end data insight and predictor systems, built on the back of serverless and machine learning systems.
- Best practices for working with serverless technology for ferrying information between raw data files and machine learning systems through an eventing system.
- Considerations and practical examples of working with the security implications of dealing with sensitive information.
In May's Microsoft identity platform call, Navya Canumalla went into detail on MSAL Java and Python, including an overview, supported scenarios and calling patterns, a quickstart demo, the token cache, and ADAL to MSAL migration.
View recording https://youtu.be/yCCjNqFva9w
Resources:
MSAL Java https://aka.ms/msaljavadocs
MSAL Python https://aka.ms/msalpythondocs
Stay connected
Twitter https://twitter.com/microsoft365dev
YouTube https://aka.ms/M365DevYouTube
Blogs https://aka.ms/M365DevBlog
Live Identity Services Drilldown - PDC 2008, by Jorgen Thelin
Live Identity Services enables developers on any platform to choose the identity integration model that best enables their scenarios, including: web or client authentication, delegated authentication, or federated authentication. Learn how to build seamless, cobranded, and customized sign-up and sign-in experiences.
Microsoft PDC 2008 - Session BB22
'Claims-based identity' is known and well-documented. However, I tend to encounter the same questions again and again. These slides tell what claims-based identity means to me.
First steps to create a basic app with ZF: using action methods, databases, and forms. From the February presentation at the ZF-NYC meetup. More to follow at the March meetup.
Anil Saldhana and Pete Muir presented securing applications with PicketLink at Red Hat Summit 2013. For more information, please refer to http://www.picketlink.org and JDF. TicketMonster is a Java EE app with HTML5 (http://www.jboss.org/jdf/examples/ticket-monster/tutorial/WhatIsTicketMonster/). This presentation talked about securing TicketMonster using PicketLink.
The WSO2 Gadget Server is an Enterprise Information Portal, providing a framework built on top of the Google Gadget Specification, that helps enterprises organize information in their SOA across organizational boundaries.
Introduction To Building Enterprise Web Application With Spring Mvc, by Abdelmonaim Remani
This is the perfect introduction for people who have absolutely no experience with the Spring framework. The session adopts a learn-by-example approach and takes the form of a practical hands-on lab with a lot of live coding. Attendees will be presented with a sample web application and various use-case scenarios; they will build an actual Spring MVC web application backed by a MySQL database end-to-end, test it, and deploy it on an Apache Tomcat web server. The basics of the Spring framework, design patterns, and best practices will be picked up by example along the way. Covered topics include: Inversion of Control (Dependency Injection), Spring MVC, Spring DAO, Spring ORM (iBatis), Aspect Oriented Programming in Spring, Basic Web Security, and the Mail API. Bring your laptop! Prerequisites: familiarity with the architecture of Java web applications and their technologies (Servlets, JSP, Java EL, JSTL, etc.).
Build Secure Cloud-Hosted Apps for SharePoint 2013, by Danny Jessee
Apps for SharePoint were introduced in SharePoint 2013 to maximize the level of capability and flexibility that developers can deliver without risking compromise to the farm. In this demo-intensive session, we will delve into apps that leverage resources running outside the SharePoint farm—whether in another on-premises web server or in the cloud. We will use server-side and client-side code to demonstrate how cloud-hosted apps can securely access data stored in SharePoint using the client object model (CSOM/JSOM) and REST APIs, along with the pros and cons associated with each approach. We will discuss the various permissions models associated with apps for SharePoint including types of app permissions, permission request scopes, and how app developers can manage permissions.
Presentation by Peter Skopek (JBoss by Red Hat) delivered at the London JBoss User Group event on the 30th of April 2014.
Presentation
Introductory talk to PicketLink from Federation through to Identity Management.
What is PicketLink?
PicketLink is an umbrella project for security and identity management for Java Applications. PicketLink is an important project under the security offerings from JBoss.
A Picket Fence is a secure system of pickets joined together via some type of links. Basically, the Pickets by themselves do not offer any security. But when they are brought together by linking them, they provide the necessary security.
This project is that link: it joins other security systems together to provide the necessary secure system.
For more information visit http://picketlink.org/
Discussed the general OAuth2 features. Reviewed OAuth2 roles and grant flows:
- Authorization code grant flow
- Implicit grant flow
- Resource owner password credentials grant flow
- Client credentials grant flow
Reviewed the resource access flow and token refresh.
see video: https://www.youtube.com/watch?v=UPsVD-A7gP0
Exam 70-488 Developing Microsoft SharePoint Server 2013 Core Solutions Learni..., by Mahmoud Hamed Mahmoud
The presentation will help you to study for the beta exam; it includes the exam objectives and the online resources that cover these objectives.
Have a look and tell me what you think, whether this helps you in your study, and whether I should create the next one for Exam 70-489.
Goes through 7 scenarios where a fictional developer Bob chooses ways to achieve them that work, but have some flaws in them. Must-have knowledge for any developer working with Azure Active Directory.
Remote Exploitation of the Dropbox SDK for Android, by IBM Security
The IBM X-Force Application Security Research Team has discovered a vulnerability in the Dropbox SDK for Android (CVE-2014-8889) which allows attackers to connect applications on mobile devices to a Dropbox account controlled by the attacker without the victim's knowledge or authorization. This is a serious flaw in the authentication mechanism within any Android app using Dropbox SDK versions 1.5.4 through 1.6.1.
SpoofedMe - Intruding Accounts using Social Login Providers, by IBM Security
IBM's X-Force Application Security Research Team devised a logical attack that allows a malicious user to intrude into user accounts on a relying website (that is, a website that relies on authentication assertions passed to it by the identity provider) by abusing the social login mechanism.
For more: http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/
JavaScript App Security: Auth and Identity on the Client, by Jonathan LeBlanc
The story is always the same; if you want to create a JavaScript centric app with API and identity security, you’re told that you need to have a server-side component for handling your identity and application security. That’s simply not the case in modern development.
In this session we'll look at client-side identity, API, and token security, exploring token downscoping methodologies, key management tools, and security on the client.
Presentation on using Social Login based on OAuth 2.0 with Oracle APEX, this includes a demonstration on how to configure Facebook, Google and LinkedIn to be used for authentication with APEX.
This presentation was given as a webinar as part of the Oracle APEX Office Hours series:
https://asktom.oracle.com/pls/apex/f?p=100:551:::NO:551:P551_CLASS_ID:744:
In most companies security is driven by compliance regulations. The policies are designed to contain the security vulnerabilities each company is interested in complying with. These vulnerabilities can be measured only at the end, after the software has been developed, which is far too late. The result of this approach is that a high number of insecure applications are still produced and injection is still king. Is there another way to create more secure software from the start? This presentation will look at security vulnerabilities from a different angle. We will decompose the vulnerabilities into the security controls that prevent them and that developers are familiar with. We will flip security from focusing on vulnerabilities (which can be measured only at the end, after the software has been developed) to focusing on the security controls, which can be used from the beginning of the software development cycle. Recommended to all builders and security professionals interested in building more secure software from the start.
Introduction to Web Application Penetration Testing, by Rana Khalil
Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/
July’s call, hosted by Kim Brandl and Doug Mahugh, featured the following presenters and topics:
• Doug Mahugh, Senior Dev Writer, presented an overview of the Office Add-ins platform.
• Sohail Zafar, Senior Program Manager, covered what’s new in the Outlook JavaScript APIs.
• Yu Kaijun, Senior Program Manager, and Ruoying Liang, Senior Program Manager, talked about what’s new in the Excel JavaScript APIs.
• Anand Menon, Principal Program Manager Lead, presented about Microsoft 365 App Certification.
• Daniel Fylstra, President @ Frontline Systems Inc., presented about the Analytic Solver add-in for Excel, a complex and powerful analytics modeling tool that they’ve ported from a COM add-in to a JavaScript add-in.
Fragments - Plug the vulnerabilities in your App, by Appsecco
Appsecco presented on the common mistakes that developers make when building mobile apps.
This session covered how these mistakes make your app vulnerable to attack and abuse, and how an attacker perceives the security of a mobile app.
https://youtu.be/EzC86gWVPZk
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or..., by Brian Campbell
Gluecon 2012 presentation on using OAuth 2.0 with mobile applications to utilize social logins. "Is that a token in your phone in your pocket or are you just glad to see me? OAuth 2.0 and Mobile Devices"
Improving Developer Onboarding Through Intelligent Data Insights, by Jonathan LeBlanc
A developer platform lives and dies by its developer community. When huge problems need to be solved, it's easy to make valuable improvements, but what do you do when those are solved and you still see high bounce rates on your site, low developer application completion, and generally poor adoption of your product? This is where your data can save you.
In this talk we'll run through:
- How to track valuable developer path insights, from moments of anxiety to time to first valuable call.
- Overlaying support and ticketing information on top of developer path data to decrease developer friction.
- How to create automated analytics systems to measure success.
- When these systems should be built, before it's too late.
This topic will go through current standards and future trends for building a scalable security model for distributed cloud-based data. We’ll look into the practices and considerations behind handling highly privileged data globally, diving into topics such as:
- How global compliance and regulations affect security practices.
- Handling data permissions, identity, and security with application access to data.
- Considerations, trends, and standards for global data availability.
Building a modern API architecture is a constant struggle between ease of development and security. JSON Web Tokens (JWTs) introduce a means of building authentication into JSON objects being transmitted through APIs.
In this session we’ll explore how JWTs work to build verifiable and trusted objects, allowing them to be combined with standards such as OAuth 2 for capturing access tokens, leading to a secure means of JavaScript SDK dev.
Creating an In-Aisle Purchasing System from Scratch, by Jonathan LeBlanc
The future of retail is in removing the divide between the offline shopping state and the enhanced online buying experience. To create this type of enhanced retail experience, we can remove complexities in the process, such as simplifying checkout.
In this session we’ll learn how to use internet-connected microelectronics to attach to a buyer’s mobile device to provide the functionality to buy products right from the aisle.
As web-enabled systems become an integral part of everything we interact with, how do we secure data in potentially insecure environments?
In this session you'll learn how to apply fundamental security precepts in potentially insecure environments. Topics include:
Securing identity and payment data through voice commands or text
Tokenization and encryption security
Triggering secure transactions from communications media
We are in an age where more people have phones than toilets, and there are more active cell phones than people on the planet. How do we protect all of these devices roaming around unsecured locations, especially when they want to pay for something? Learn the secrets behind building a secure mobile backbone, as we explore how to harden security, build systems based on identity confidence, and work towards a future-proofed mobile framework.
Proper auth and data security standards are often among the most misunderstood, confusing, and tricky aspects of building Node apps. Using open source auth techniques and proper data encryption standards, we’ll learn how to make intelligent decisions on creating a solid infrastructure to protect our users and data. We’ll dive into auth systems, data attack vectors, how to protect your systems, and common security pitfalls in Node.
The screencast of this presentation can be found at https://youtu.be/o3uy7dgG_n4
There is an assumption in the industry, amongst companies large and small alike, that if they store sensitive user data (and sometimes do some mild encryption) in their database, it's locked in and secured from potential attacks. People rely too heavily on their false assumptions of security, and it usually ends up costing them extensively when that is proven wrong.
In this session, Jonathan will build a foundation for identity and data security that everyone dealing with sensitive data should understand. We'll break down concepts of identity security, common attack vectors and how to protect yourself, and how to harden your web application.
Web-enabled systems are now an integral part of everything we interact with, from microelectronics to voice-enabled hardware, from text messages and phone calls to email, and really we’re just limited by our imaginations as to what we can connect. As we explore vast new realms of communication over mixed digital media, we have to ask ourselves how we protect our critical data within potentially insecure environments. Going beyond that, how do we protect some of our more critical data, payment information, in this same realm?
As we look at a multitude of different environments, we’ll be exploring how to secure user identity and payment information through the communication channels, covering topics like:
* Securing identity and payment data through voice commands or text.
* Tokenization and encryption security.
* Techniques for triggering secure transactions from communications media.
At the end of the session, we’ll have a stronger understanding of proper techniques for working with new communication media sources, and see how we can apply fundamental security precepts in potentially insecure environments.
Audio from the session at OSCON (Portland, OR) on July 22nd, 2015 is available at https://archive.org/details/protecting_future_mobile_payments
We are now in an age where more people have phones than toilets, and there are more active cell phones than people on the planet. How do we protect all of these devices as they’re roaming around unsecured locations, especially when we want to pay for something?
In this talk we’re going to rip apart the illusion of mobile security and explore some of the most difficult to secure experiences: payments. We’ll cover the concepts of building a rich feature set to protect the user, how to encrypt all interactions, building scalable trust zones, and extending identification with wearables and biometrics.
In a world where technology is being transformed by mobile devices and wearables, it's key to have a solid security backbone. From having a strong password to using biometrics, companies are finding ways to help consumers protect themselves without impacting the experience. We'll take a look at the current landscape of passwords, the importance of proper systems, and how we can use wearables and mobile devices to build trust systems.
You have a solid security infrastructure, all user data is encrypted, your users are protected, right? As long as passwords remain the standard method for identifying your users on the web, people will continue to use "letmein" or "password123" for their secure login, and will continue to be shocked when their accounts become compromised.
Passwords are not secure, they need to be replaced. In this talk we're going to explore the pitfalls of a system designed around a username and password, then dive into the ways that technology is giving us a slew of new ways to build a secure user identity system. From biometrics to wearables, hardware to tokens, we'll explore a multitude of ways that we can finally kill all passwords.
Building a Mobile Location Aware System with Beacons, by Jonathan LeBlanc
Audio from talk (OSCON - July 22nd, 2015): https://archive.org/details/oscon_mobile_location_aware_systems_with_beacons
What if, instead of a broad location, you could have pinpoint location awareness of someone in a physical space? How could this change everything about how we interact with the physical world? In this session we will be exploring Beacon technology, which enables this, the underlying Bluetooth Smart standard, and how we can use these systems to change everything from shopping to accessibility for the disabled, all built on top of a mobile device.
Identity in the Future of Embeddables & Wearables, by Jonathan LeBlanc
The audio recording of this talk is available at https://archive.org/details/identity_wearables_embeddables
Ways of identifying a person to the technology around them are shifting from antiquated external body definitions to internal body functions. In this session, we'll explore how the technology behind this embeddable and wearable movement works, exploring vein recognition biometrics and heartbeat identification, and going into embeddable body modifications as sources of identification.
The video of this presentation is available at https://www.youtube.com/watch?v=b3nB6kZQeaQ
As startups and innovation hubs push towards grand notions of technology innovation, connecting the world around them, and building towards a truly online commerce profile, there is a huge segment of the population that falters and is left behind. The underserved community represents over 1 out of every 5 people in the US, and as we explore cash heavy societies, and heavily underbanked populations worldwide, that number increases dramatically. These are markets that are massively underserved by technology and commerce, yet represent a potential hotbed of growth for any business.
As we explore this large segment of the world population, we'll dive into how the banking and commerce industries are primed for disruption to build up the underserved communities around the planet into a new digital commerce world. From digital currency to the struggling banking industry, we'll explore how we're on the cusp of a commerce revolution, one that will completely disrupt the banking industry, and our notion of technology reach worldwide.
Epistemic Interaction - tuning interfaces to provide information for AI support, by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Neuro-symbolic is not enough, we need neuro-*semantic*, by Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
The Art of the Pitch: WordPress Relationships and Sales, by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview, by Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Best Practices for Application Development with Box
Slide 1: Best Practices for Application Development with Box
Jonathan LeBlanc
Director of Developer Advocacy, Box
Twitter: @jcleblanc
Github: https://github.com/jcleblanc
Slide 2: What problems are we looking at today?
1. How do you ensure data integrity, compliance, and retention?
2. How do you manage token calls and security properly?
3. How do you control program access and permissioning?
4. How can you build program flow around common error responses?
Slide 3: Prerequisite Box Platform Knowledge in ~1 min
User / Account Types: Managed User, App User, External User, Service Account
Auth Systems: JWT/OAuth 2, OAuth 2, Developer Token
Slide 4: How do you ensure data integrity, compliance, and retention?
Slide 5: The Issues
/ Where should data be stored between your app and users?
/ How do you deal with compliance and data retention requirements?
Slide 6: Where to Store User and Application Data
Service Account: Maintain all user and application data within the service account. Users are collaborated in on content.
User Account: User-specific data is maintained in the individual user account. All data access requests are made on behalf of the user.
Slide 7: Storing Data in the Service Account (Overview)
Benefits
• Improved data security due to tight controls over data location and sharing.
• Data retention and migration improve following customer deletion, as the user collaboration is simply removed.
Concerns
• Architecture complexity increases, as a separate user folder structure needs to be maintained in the service account.
• Single point of failure.
Slide 8: Storing Data in the User Account (Overview)
Benefits
• Data is retained and owned by each user.
• Simple, repeatable architecture on each user account.
Concerns
• Data retention after customer deletion requires data migration or loss.
• The app has no control over data integrity.
Slide 9: How do you manage token calls and security properly?
Slide 10: The Issues
/ When should you authenticate / authorize your users, and when should you reuse tokens?
/ How do you use access tokens in front-end code securely?
/ How do you handle tokens within the different SDKs?
Slide 11: Reducing auth calls by storing access tokens
Slide 12: Access Token Best Practices
/ Access tokens are valid for 1 hour and should be stored and reused.
/ Tier 1 SDKs (Node, Java, .Net) automatically refresh tokens.
/ Token expiration (for refresh) should be tracked via the expires_in value (from the token request) and 401 unauthorized errors.
Slide 13: Exposing access tokens within front-end code
Slide 14: Token Downscoping Process
1. Access Token: Standard OAuth2 access token that is fully scoped for an enterprise or user.
2. Downscoped Token: New access token that is tightly restricted in access rights (read / write) for a file or folder.
3. Client-Side Code: Downscoped token is deployed to client-side code, mobile environment, or UI tool.
Slide 15: Downscoping a Token (Node SDK)
// client is an authenticated Box Node SDK client; exchangeToken() takes the
// reduced scope list (and optionally a file/folder resource URL to restrict to)
client.exchangeToken(appConfig.tokenScopes[service]).then((tokenInfo) => {
  // downscoped token available in tokenInfo.accessToken
}).catch((err) => {
  console.error(err);
});
Slide 17: Annotation Scopes
/ annotation_edit: Update existing annotations on files.
/ annotation_view_all: View annotations from all users.
/ annotation_view_self: View annotations from yourself only.
Slide 18: Working with SDK differences
Slide 19: Support Levels for SDKs
/ Tier 1 (Full API parity): Java, Node, .Net
/ Tier 2 (Partial API parity): Python, Ruby, CLI
/ Mobile (Partial API parity): Android, iOS, Mobile UI Kits
/ Stable (State complete): Salesforce, JavaScript, Chrome
Slide 20: Extracting an Access Token and Making a Manual Call (Python)
import requests

# client is an authenticated boxsdk JWT client created earlier
# Define token exchange scopes / params
scopes = 'base_preview item_download'
folder_id = 'FOLDER ID'
resource = 'https://api.box.com/2.0/folders/%s' % folder_id
# Define https request info
access_token = client.auth.authenticate_instance()
headers = {'Authorization': 'Bearer ' + access_token}
url = 'https://api.box.com/oauth2/token'
# Set https request post data
data = {"scope": scopes,
        "resource": resource,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": access_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token"}
# Make request to perform token exchange
response = requests.post(url, data=data, headers=headers)
token_info = response.json()  # downscoped token is in token_info['access_token']
Slide 21: How do you control program access and permissioning?
Slide 22: The Issue
/ How do you set up your application to minimize data exposure?
Slide 23: User Access Levels for a Service Account
No User Access: Service account can only access its own content.
App Users: Service account can access its own content and content for any app users it creates.
All Users: Service account can access its own content, app user content, as well as content of any users in the enterprise.
Slide 24: Application Access
• Application: Only access data and users within the JWT app.
• Enterprise: Access data and users within the app as well as the entire enterprise that the app is a part of.
Slide 25: Advanced Features
• Perform actions as users: Use an As-User header with each request to act on behalf of a user. The access token passed is the service account's.
• Generate user access tokens: Create an access token scoped to a user account and use that token for each request.
Slide 26: Setting User Access for the Service Account
Settings to use to get the desired level of user access for a service account:
User Access           | Application Access | Advanced Features
No User Access        | Application        | None set
App Users Only        | Application        | One or both set
App and Managed Users | Enterprise         | One or both set
Slide 27: How can you build program flow around common error responses?
Slide 28: The Issue
/ Beyond common HTTP errors, what are the most frequent Box API errors, why do they occur, and how do you deal with them?
Slide 29: Access Token Errors (401: unauthorized)
Slide 30: Causes of Unauthorized Errors
Access token maintenance
/ Access tokens expire after 1 hour. At that point they must be refreshed using the refresh token.
/ The .Net, Java, and Node SDKs handle this refresh action automatically. For any other SDK or direct API integration, token expiration responses (401: unauthorized) will need to be handled by the app.
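The token reuse rules from slides 12 and 30 (store the token, track expires_in, refresh on 401) worked through as an added Python example; this is not code from the deck or from the Box SDK. TokenStore, call_with_token and FakeBoxServer are constructed here: the fake server stands in for Box's token endpoint and API (only the newest token it issued is accepted), and the clock is injected so the one-hour lifetime can be stepped through without waiting.

```python
import time
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict]  # (HTTP status, decoded JSON body)


class TokenStore:
    """Caches one access token and re-authenticates only when it is about to expire."""

    def __init__(self, authenticate: Callable[[], Dict],
                 clock: Callable[[], float] = time.time, skew_seconds: int = 60):
        self.authenticate = authenticate  # calls the token endpoint, returns its JSON
        self.clock, self.skew = clock, skew_seconds
        self.auth_calls = 0               # how often the auth server is really hit
        self._token, self._expires_at = None, 0.0

    def token(self) -> str:
        # Refresh `skew` seconds before expires_in runs out rather than racing the server.
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            self.refresh()
        return self._token

    def refresh(self) -> str:
        resp = self.authenticate()        # a real OAuth 2 response also carries refresh_token
        self.auth_calls += 1
        self._token = resp["access_token"]
        self._expires_at = self.clock() + resp["expires_in"]
        return self._token


def call_with_token(store: TokenStore, request: Callable[[str], Response]) -> Response:
    """Issue request(token); on 401 unauthorized refresh once and retry."""
    status, body = request(store.token())
    if status == 401:                     # expired early or revoked server-side
        status, body = request(store.refresh())
    return status, body


class FakeBoxServer:
    """Constructed stand-in for Box: numbered tokens, only the newest is accepted."""

    def __init__(self):
        self.issued = 0

    def authenticate(self) -> Dict:
        self.issued += 1
        return {"access_token": f"tok{self.issued}", "expires_in": 3600}

    def api_request(self, token: str) -> Response:
        if token != f"tok{self.issued}":
            return 401, {"code": "unauthorized"}
        return 200, {"type": "folder", "id": "0"}


def demo() -> Tuple[int, int, int, int]:
    server, now = FakeBoxServer(), [1_000_000.0]   # `now` is a controllable clock
    store = TokenStore(server.authenticate, clock=lambda: now[0])
    for _ in range(5):                    # five calls within the hour: one auth call
        call_with_token(store, server.api_request)
    after_reuse = store.auth_calls
    now[0] += 3600 - 30                   # inside the skew window: proactive refresh
    call_with_token(store, server.api_request)
    after_expiry = store.auth_calls
    server.issued += 1                    # token revoked server-side -> 401 -> refresh
    status, _ = call_with_token(store, server.api_request)
    return after_reuse, after_expiry, store.auth_calls, status
```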
Slide 31: Scoping Errors (403: access_denied_insufficient_permissions)
Slide 32: Causes of Insufficient Permissions Errors
User and application scoping
/ There are typically two causes of a 403: access_denied_insufficient_permissions error: either the user an access token is scoped for doesn't have permission to perform an action, or the application doesn't.
/ For user permissions, try logging in as the user via the "Log in as this User" option in the admin console and attempt to access the content manually.
/ For an application, ensure that the application has the correct scopes defined for the action that it is trying to perform.
Slide 33: Item Location Errors (404: not_found)
Slide 34: Causes of Not Found Errors
Access Token Scoping
/ This may be encountered when trying to work with files and folders within Box when using a JWT / OAuth 2 based application with a service account. If the ID of the file / folder being accessed has been verified as present, this error is typically caused by the account that the client is pointing to. For instance, if a file exists on a user account but the access token client is scoped for the service account, a 404 error may be produced.
/ In cases of an access token that is scoped to the wrong account, use the As-User header or a user-scoped access token for user access, or a service-account-scoped access token for service account files.
Slide 35: Name Conflicts (409: item_name_in_use)
Slide 36: Causes of Name Conflicts
Checking name uniqueness
/ File / folder names within a given folder must be unique. When there is an attempt to create a new file / folder with a name that already exists, a 409: item_name_in_use, or a standard 409: conflict, may be produced.
/ If duplicate user login information is used when creating new managed users, a 409: user_login_already_used error is produced.
/ These errors should be handled. A possible next step in the program flow is to attempt the same API request / login with revised information.
Slide 37: Metadata Conflicts (409: tuple_already_exists)
Slide 38: Causes of Metadata Conflicts
Checking if metadata is already present on a file
/ If metadata for a template is already present on a file and a request to add metadata is made, the API will return a 409: tuple_already_exists error.
/ This error should be handled in a try / catch. When caught, a request to update the existing metadata should then be made.
/ Update requests will need to use a JSON Patch object.
Slide 39: Rate Limits (429: rate_limit_exceeded)
Slide 40: Causes of Rate Limiting
Check the Retry-After header for the amount of time until the next call
/ Making requests to auth a user each time they visit. Access tokens should be stored for future use.
/ Polling the event stream too often. Cache results when possible.
/ Producing too many requests from a single user (e.g. a service account). Limit is 10 API calls per second per user.
/ Making too many simultaneous upload requests from a single user. Limit is 4 uploads per second per user.
/ Making too many search requests too quickly. Limit is 6 searches per user per second (up to 60 searches per minute) and 12 searches per second per enterprise.
Slide 41: Wrap-up Links
Docs
• Service Account docs: https://developer.box.com/docs/service-account
• Error codes and solutions: https://developer.box.com/docs/error-codes
• Auth guides: https://developer.box.com/docs/authentication-types-and-security
• Quickstart guides: https://developer.box.com/docs/quickstart-guides
Code
• Use case samples: https://developer.box.com/docs/use-case-recipes
• Sample code (all SDKs): https://github.com/jcleblanc/box-examples/
• Sample apps: https://github.com/box/samples
Be careful about load order of the .js file – placing before the div will cause a react-modal error
10 API calls per second per user.
4 uploads per second per user.
6 searches per second per user, up to 60 searches per minute.
12 searches per second per enterprise.