This document provides an overview of SecureYourApp and OWASP (Open Web Application Security Project). It introduces Bünyamin Demir, the founder of SecureYourApp and leader of OWASP Turkey. It then discusses various OWASP projects like the OWASP Top 10, ZAP Proxy, and Application Security Verification Standard. Finally, it covers some common web application vulnerabilities like injection, XSS, and insecure direct object references, providing examples and mitigation techniques like input validation.
Her ne kadar yazılımların saldırı vektörleri çok fazla olsa da aslında güvenli yazılım geliştirme adına yapılacak pratik çözümler ile çok sayıda uygulama güvenliği problemi ortadan kaldırılabilir. Bu sunum içeriği; güvenli yazılım geliştirme adına yapılması gereken en yaygın 10 pratik çözümü ve örneklerini içeriyor olacaktır.
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebAlexandro Silva
Mitigar vulnerabilidades levando em conta a peculiaridade do sistema hospedado, falta de acesso administrativo, limitações técnicas e ativos de proteção de borda que não contribuem efetivamente com esta tarefa é um dos grandes desafios em segurança de aplicações.
Nesta palestra apresentarei como implantar uma camada de segurança em alta disponibilidade a qual contribui na prevenção proativa contra ataques direcionados a aplicações web.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
Her ne kadar yazılımların saldırı vektörleri çok fazla olsa da aslında güvenli yazılım geliştirme adına yapılacak pratik çözümler ile çok sayıda uygulama güvenliği problemi ortadan kaldırılabilir. Bu sunum içeriği; güvenli yazılım geliştirme adına yapılması gereken en yaygın 10 pratik çözümü ve örneklerini içeriyor olacaktır.
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações WebAlexandro Silva
Mitigar vulnerabilidades levando em conta a peculiaridade do sistema hospedado, falta de acesso administrativo, limitações técnicas e ativos de proteção de borda que não contribuem efetivamente com esta tarefa é um dos grandes desafios em segurança de aplicações.
Nesta palestra apresentarei como implantar uma camada de segurança em alta disponibilidade a qual contribui na prevenção proativa contra ataques direcionados a aplicações web.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity. Both Firefox and Chrome have initial implementations of this new specification and a few early adopters are currently evaluating this feature.
Scott Helme, renowned security researcher and international speaker, shares his unique perspective on content security policy and how security has evolved.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Configuring SSL on NGNINX and less tricky serversAxilis
Sergej Jakovljev explains how to setup different levels of security over SSL. What's the difference between different SSL certificates and how to set them up on NGINX, Heroku and Node.js.
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
Elasticsearch offers the snapshot/restore API for handling backups. How do you actually get data back from a snapshot? Have you ever tried. This lightning talk demonstrates usages of the restore API and strategies for restoring data back into Elasticsearch with and without downtime.
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
Scott Helme, renowned security researcher and international speaker, shares his unique perspective on content security policy and how security has evolved.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Configuring SSL on NGNINX and less tricky serversAxilis
Sergej Jakovljev explains how to setup different levels of security over SSL. What's the difference between different SSL certificates and how to set them up on NGINX, Heroku and Node.js.
10 Excellent Ways to Secure Your Spring Boot Application - Devoxx Belgium 2019Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure.
This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more!
You’ll learn how to add these features to a real application, using the Java language you know and love.
* YouTube video: https://www.youtube.com/watch?v=PpqNMhe4Bd0
* Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
* Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Kan du få data tilbake igjen fra dine Elasticsearch snapshots?Jan Fredrik Wedén
Elasticsearch offers the snapshot/restore API for handling backups. How do you actually get data back from a snapshot? Have you ever tried. This lightning talk demonstrates usages of the restore API and strategies for restoring data back into Elasticsearch with and without downtime.
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
Caution: This is a dated presentation; uploaded for reference. While the principles remain valid, specifics may have changed.
This presentation was made for software developers in Chandigarh - as a part of the NULL & OWASP Chandigarh Chapter activities.
It covers the basics of secure software development and secure coding using OWASP Top 10 as a broad guide.
Webinar: Developing with the modern App Stack: MEAN and MERN (with Angular2 a...MongoDB
Users increasingly demand a far richer experience from web applications – expecting the same level of performance and interactivity they get with native desktop and mobile apps.
At the same time, there's pressure on developers to deliver new applications faster and continually roll-out enhancements, while ensuring that the application is highly available and can be scaled appropriately when needed.
Fortunately, there’s a set of open source technologies using JavaScript that make all of this possible.
Watch this presentation to learn about the two dominant JavaScript web app stacks – MEAN (MongoDB, Express, Angular, Node.js) and MERN (MongoDB, Express, React, Node.js).
These technologies are also used outside of the browser – delivering the best user experience, regardless of whether accessing your application from the desktop, from a mobile app, or even using your voice.
By watching this presentation you will learn:
What these technologies and how they’re used in combination:
NodeJS
MongoDB
Express
Angular2
ReactJS
How to get started building your own apps using these stacks
Some of the decisions to take:
Angular vs Angular2 vs ReactJS
Javascript vs ES6 vs Typescript
What should be implemented in the front-end vs the back-end
This presentation at the SOA Workshop in Colombo, Sri Lanka (September 17, 2009) by Samisa Abeysinghe, Director of Engineering,WSO2 highlights SOA in a heterogeneous world and explains how WSO2 Web Services Framework (WSF) for C,C++,PHP solves the enterprise expectations on interoperability.
Ülkelerin Siber Güvenlik Stratejileri ve Siber Güvenlik Stratejilerinin Oluşumu
Geçtiğimiz on yıl içerisinde siber güvenliğin hızlı bir şekilde ülkelerin milli güvenlik politikalarının önemli bir unsuru haline gelmiştir. 2003 yılında ABD ilk kez ulusal siber güvenlik stratejisini yayınlayan ülke olmuştur. 35 farklı ülke de ABD’yi izleyerek siber güvenlik strateji dökümanı hazırlamış ve yayınlamışlardır. Askeri siber operasyonlar, siber suçlarla mücadele, siber casusluk, kritik alt yapı güvenliği, siber diplomasi ve İnternet yönetişimi stratejik siber güvenliğin çeşitli alanları olarak değerlendirilmiştir. Hazırlanan sunumda Hollanda, İngiltere, ABD ve Türkiye’nin siber güvenlik stratejileri incelenerek, her bir ülkenin stratejisini hangi alan üzerine inşa ettiği incelenmiştir.
Elektrik kesintisinden kredi kartı hırsızlığına, filmlerden dizilere; siber güvenlik başlığı haberler ve magazin gündeminde baş köşelere yerleşmeye başladı. Peki kurumlar ve devlet yönetimleri hangi alanlara odaklanmalı? Ya da bu başlığın tam adı ne olmalı ve kavram karmaşasına nasıl yaklaşmalıyız? Information Security Forum raporları ile son yıllarda Türkiye ve Dünya'daki kurumların gündeminde en ön sıralarda yer alan başlıklardan yola çıkarak hazırlanan bu sunumda, önümüzdeki yıllarda sadece siber güvenlik camiasının değil, kurum ve devlet yönetimlerinin de odaklanması gereken alanlara ışık tutulmaya çalışılacak.
Uluslararası siber savaşlarda kullanılacak en önemli bileşenlerden biri de son kullanıcıların internet bağlantıları için kullandıkları soho modemlerdir. Bu sistemler genellikle aynı özellikleri taşıdığından tespit edilecek bir açıklık tüm ülkeyi etkileyecektir. Sunum süresince böyle bir kitle saldırısının nasıl gerçekleştirileceği, ev kullanıcılarının modemlerini hedef alan bir ar-ge çalışmasının adımları ve sonuçları üzerinden ele alınacaktır. Çalışmanın içeriğindeki ana başlıklar, belli özelliklerdeki hedeflerin belirlenmesi, etkili bir zafiyetin bulunması, gömülü sistemler (MIPS) gibi farklı zorlukları olan platformlar için istismar kodunun yazılması, toplu istismarı gerçekleştirecek betiklerin yazılması, büyük ölçekli taramalar için performans optimizasyonlarının yapılması olarak sayılabilir.
Gerçekleştirmesi planlanan sunumda web ve mobil bankacılık uygulamalarında sıklıkla karşılaşılan güvenlik açıklıklarından ve bu açıklıkların doğurduğu risklerden bahsedilecektir.
2014 yılı sistem yöneticileri için kabus, hackerlar için rüya gibi bir yıldı. Geçtiğimiz yıl, Heartbleed, Shellshock, Sandworm, Schannel, POODLE, Drupal SQL enjeksiyonu gibi sıfır-gün ataklarının yanı sıra Dragonfly, Regin, Turla gibi devletlerin sponsor olduğu zararlı yazılım ataklarının adından söz ettirdiği ve Sony, HomeDepot ve Domino's Pizza gibi dev şirketlerin, hatta iCloud üzerinden ünlülerin hacklendiği bir yıl oldu.2014'te 15.000 civarında güvenlik açığı ortaya çıktı, fakat bunlardan sadece %5'inin sömürü kodu var. Peki, bu kadar az istismar kodu varken hackerlar nasıl bu kadar başarılı oluyor? IT departmanlarının korkulu rüyası herkese açık herkese açık istismar kodlarıyla yapılan saldırılar mı, sıfır-gün atakları mı, yoksa zararlı yazılım saldırıları mı? Bu saldırılardan nasıl korunabiliriz? Bütün bu soruların cevaplarını bu sunumda bulacaksınız.
Mass surveillance, dinlenmeler, yasadışı yetkisiz erişimler gibi konularla çalkalandığımız bu dönemde mahremiyet ve güvenlik giderek insanların dikkat etmeye çalıştığı bir konu haline geldi. Bu sunumda, Internet ve sosyal medya'nın dogğurdugu mahremiyet ihlalleri ve özel olarak geliştirdiğimiz sosyal medya aracılığı ile istihbarat ve mahremiyet ihlali yöntemleri açıklanacaktır. Artık "geçen yaz ne yaptığınız"dan daha fazlasını, sabah ilk kahvenizi kiminle içtiğinizden, favori mekanlarınıza ve günlük rutinlerinize kadar tüm mahremiyetiniz ifşa oluyor.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
2. Bünyamin Demir ( @bunyamindemir )
– Lisans Kocaeli Üni. Matematik Bölümü
– Yüksek Lisans Kocaeli Üni Fen-Bilimleri, Tez; Oracle Veritabanı
Güvenliği
– Uygulama Geliştirici
– OWASP Türkiye Bölüm Lideri
– Sızma Testleri Uzmanı
• Web, Mobil, Network, SCADA, Wireless,
Sosyal Mühendislik, ATM, DoS/DDoS ve Yük testi
• Kaynak kod analizi
– Eğitmen
• Web/Mobil Uygulama Güvenlik Denetimi
• Güvenli Kod Geliştirme
• Veritabanı Güvenliği
2
13. Anatomy of SQL Injection Attack
13
sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) &
“’ AND password = ‘” & Request
(“password”) & ”’”
What the developer intended:
username = john
password = password
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password = ‘password’
14. Anatomy of SQL Injection Attack
14
sql = “SELECT * FROM user_table WHERE username = ‘” & Request(“username”) & “ ’ AND
password = ‘ ” & Request(“password”) & “ ’ ”
(This is DYNAMIC SQL and Untrusted Input)
What the developer did not intend is parameter values like:
username = john
password =
SQL Query:
SELECT * FROM user_table WHERE username = ‘john’ AND password =
causes all rows in the users table to be returned!
15. Bind Parameters (PHP)
15
$stmt = $dbh->prepare(”update users set
email=:new_email where id=:user_id”);
$stmt->bindParam(':new_email', $email);
$stmt->bindParam(':user_id', $id);
16. Parametrized Query (.NET)
16
SqlConnection objConnection = new
SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand(
"SELECT * FROM User WHERE Name = @Name
AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name",
NameTextBox.Text);
objCommand.Parameters.Add("@Password",
PassTextBox.Text);
SqlDataReader objReader =
objCommand.ExecuteReader();
17. Prepare Statement (Java)
17
String newName = request.getParameter("newName") ;
String id = request.getParameter("id");
//SQL
PreparedStatement pstmt = con.prepareStatement("UPDATE
EMPLOYEES SET NAME = ? WHERE ID = ?");
pstmt.setString(1, newName);
pstmt.setString(2, id);
//HQL
Query safeHQLQuery = session.createQuery("from
Employees where id=:empId");
safeHQLQuery.setParameter("empId", id);
26. A4 – Insecure Direct Object References
26
• Attacker notices his acct
parameter is 6065
?acct=6065
• He modifies it to a nearby
number
?acct=6066
• Attacker views the victim’s
account information
https://www.onlinebank.com/user?acct=6065