One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done?
Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.
About the Presenter:
Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.
Experience Level: Intermediate
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Security breaches are becoming more common in today’s world, from large vulnerable corporations being attacked to cyber attacks causing physical damage. With Drupal becoming increasingly more popular, it has become a perfect target for these automated attacks. Last year's SA-CORE-2014-005 vulnerability has demonstrated that hackers have learned how to take advantage of Drupal’s functionality to infect a site and remain unnoticed.
Site builders and maintainers have a large role to play in preventing these kinds of disasters. With a solid knowledge base of the most common security threats, developers can quickly identify those security issues and learn how to address them. In this webinar, learn about how to protect your Drupal site against security threats, with topics including:
- How Drupal can protect against DDoS attacks
- Configuration mistakes that make you vulnerable, and how to avoid them
- Fast updates: the single most important security element
Security improvements in Drupal 8
- Modules to enhance security and evaluating contributed module quality
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.
About the Presenter:
Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.
Experience Level: Intermediate
We cannot “firewall” or “patch” our way to secure websites. In the past, security professionals thought firewalls, Secure Sockets Layer (SSL), patching, and privacy policies were enough. Today, however, these methods are outdated and ineffective, as attacks on prominent, well-protected websites are occurring every day. Most every organization in the world have something in common – they have had websites compromised in some way. No company or industry is immune. Programmers need to learn to build websites differently. This talk will review the top coding techniques developers need to master in order to build a low-risk, high-security web application.
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
OWASP London talk on AngularJS Security, video here: https://www.youtube.com/watch?v=DcpD5Wh4uOQ&feature=youtu.be&t=4244
Similar talk presented at FluentConf San Jose - https://www.slideshare.net/LewisArdern/so-you-thought-you-were-safe-using-angularjs-think-again
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
A single-page application means putting a lot of traditionally server-side internals in the great unknown of a client's browser. The move of data and logic towards frontend requires a different model for application security. In addition to old foes like cross-site scripting, we now have to consider concepts like local storage, routing, JWTs and OAuth2 frameworks, and understand their implications in locking down our apps. Let's clear up the confusion and zero in on thew approaches and techniques you need to secure your React app.
We'll examine several layers of security relevant to React apps, including UI-level security (preventing XSS attacks and securing routes with React Router and Higher-Order Components), and API security using JWTs and third-party authentication-providers.
From previously developed a simple web application (based on X-Files tv series) the aim will be to set both user authentication and authorization of web resources both for themselves and for the invocation of business components. It’ll be established a minimum security settings, which will be completed with more sophisticated mechanisms. All of these emphasizing the novelties of version 3.x of Spring Security as the use of SPEL, Annotations, Namespace, Java config, etc. Attendees will see many of the features that implements Spring Security to set security mechanisms within JEE applications. The tools to be used are Spring Tool Suite 3.4, Springframework 3.2, Maven 3 and Spring Tc Server 2.9.
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an ‘out-side-in’ perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Cross Site Scripting (XSS) Defense with JavaJim Manico
Cross Site Scripting Defense is difficult. The Java Programming language does not provide native key defenses necessary to throughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as new applications using traditional Java frameworks. First generation encoding libraries had both performance and completeness problems that prevent developers from through, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
OWASP London talk on AngularJS Security, video here: https://www.youtube.com/watch?v=DcpD5Wh4uOQ&feature=youtu.be&t=4244
Similar talk presented at FluentConf San Jose - https://www.slideshare.net/LewisArdern/so-you-thought-you-were-safe-using-angularjs-think-again
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
A single-page application means putting a lot of traditionally server-side internals in the great unknown of a client's browser. The move of data and logic towards frontend requires a different model for application security. In addition to old foes like cross-site scripting, we now have to consider concepts like local storage, routing, JWTs and OAuth2 frameworks, and understand their implications in locking down our apps. Let's clear up the confusion and zero in on thew approaches and techniques you need to secure your React app.
We'll examine several layers of security relevant to React apps, including UI-level security (preventing XSS attacks and securing routes with React Router and Higher-Order Components), and API security using JWTs and third-party authentication-providers.
From previously developed a simple web application (based on X-Files tv series) the aim will be to set both user authentication and authorization of web resources both for themselves and for the invocation of business components. It’ll be established a minimum security settings, which will be completed with more sophisticated mechanisms. All of these emphasizing the novelties of version 3.x of Spring Security as the use of SPEL, Annotations, Namespace, Java config, etc. Attendees will see many of the features that implements Spring Security to set security mechanisms within JEE applications. The tools to be used are Spring Tool Suite 3.4, Springframework 3.2, Maven 3 and Spring Tc Server 2.9.
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an ‘out-side-in’ perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Going on an HTTP Diet: Front-End Web PerformanceAdam Norwood
Is your web site or web app feeling sluggish? Getting tired of watching your pages slowly render, the long seconds ticking away before your snazzy jQuery doohickey even has a chance to fire? Chances are it’s not that slow bit of code or that clunky database behind the scenes that’s to blame – 80% of the time spent loading most web pages is on the client side! At this talk, we’ll take a look at some of the easiest low-hanging fruit you can go after to help speed up web performance on the front end, from slimming down the size of content to optimizing HTTP requests, and more.
HTML5 and CSS3 Techniques You Can Use TodayTodd Anglin
As more browsers deliver rich support for the next generation of standards-based web development, new techniques are enabling web developers to design with unprecedented levels of control. In this session, you’ll learn practical HTML5 and CSS3 techniques that you can use in any web project today. Learn how to easily add drop shadows to HTML objects, how to quickly create rounded corners, how to use custom fonts, and even how to animate with CSS. All techniques will be demonstrated with special attention to cross-browser support and tips for supporting older browsers.
Content Security Policy (CSP) allows web site administrators to control resources the user agent is allowed to load for a given page. It's an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. We learn what they are and how to used them.
Unleashing Creative Freedom with MODX - 2015-08-26 at PHP Zwolle Mark Hamstra
Introducing MODX Revolution and the concept of Creative Freedom at the first PHP Zwolle Meetup on August 27th.
Relevant links:
MODX.com => official website
rtfm.modx.com => official documentation
github.com/modxcms/revolution => source code
MODX.today => daily links/articles about MODX
modmore.com => premium extras for MODX
https://joind.in/talk/view/15031 => for feedback on the talk
Deep Dive: Alfresco Core Repository (... embedded in a micro-services style a...J V
Alfresco Summit 2014 (London)
Though best practice is to leverage Alfresco through the well defined API's, it can be useful to understand the internals of the repository so that your development efforts are the most effective. A deep understanding of the repository will help you to evaluate performance bottlenecks, look for bugs, or make contributions. This session provides an overview of the repository internals, including the major components, the key services, subsystems, and database. We then provide an example where we leverage the repository in a micro-service architecture while building Alfresco's future cloud products and show how the different parts of the repository interact to fulfill requests.
http://summit.alfresco.com/london/sessions/diving-deep-alfresco-repository
https://www.youtube.com/watch?v=TAE9UjC0xxc
Rails security: above and beyond the defaultsMatias Korhonen
In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe?
While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish.
For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?
Palestra ministrada no OWASP Floripa Day - Florianópolis - SC |
A palestra tem como objetivo mostrar os conceitos e funcionamento de algumas funcionalidades que foram adicionadas ao HTML5, levando em consideração os aspectos de segurança do client-side. Para as funcionalidades destacadas, foram criados cenários de ataques visando ilustrar a obtenção de informações sensíves armazenadas no browser ou até mesmo usar o browser da vítima para lançar ataques contra outros sistemas. Através da exploração das funcionalidades existentes no HTML5, técnicas de exploração como XSS e CSRF, tornam-se mais poderosas e eficientes, sendo possível em alguns casos contornar algumas restrições do Same Origin Policiy (SOP).
In this one hour tutorial Simon Collison will demonstrate why convention, order and understanding are vital to web design and development teams. He'll give insights into how Erskine approach projects and will help attendees explore ways of creating and evolving their own "Ultimate Package".
Why conventions are essential for successful web projects. How Erskine approach HTML, CSS & JavaScript in their own projects. What to consider when developing your own "Ultimate Package".
Pradeep Sharma from OSSCube presents on Securing your web server at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
La cryptographie n’est pas facile à comprendre, et encore moins à l’implanter.
De la cryptographie asymétrique et symétrique à un bon hachage pour les mots de passe, cette présentation est une introduction complète à la cryptographie par définition, historique, des exemples (PHP) et la mise en œuvre.
Version pour PHP Québec
The password is currently the most commonly used way to identify a user. It does not, however, have the level of security required to protect sensitive information.
The addition of new identification factor allows to solve this problem. But what, where, when do you have them? In this session we'll see the concepts of strong authentication, the introduction of alternative free or low cost second-factor identification.
Browser Serving Your We Application Security - ZendCon 2017Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database, and your application, but what about the user browser? Can it be done?
Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated, and configured from your web server or webpage. In this session we'll explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), browsing compatibility, XSS and clickjacking protection, SSL/TLS Control, and content security policy.
Browser Serving Your Web Application Security - Madison PHP 2017Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done? Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You'll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017Philippe Gamache
OWASP Top 10 Proactive Controls 2016
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
Il existe plusieurs techniques pour améliorer la qualité de code de vos équipes, mais aussi leurs performances. Après les tests unitaires, les méthodes agiles, le TDD et l’intégration continue, que reste-t-il ? Ajouté un programmeur ? Rendu à un certain nombre de personnes, la performance décente. Reste a améliorer la qualité de votre force de travail.
Intervient l’amélioration continue de vos équipes directement en entreprise et hors entreprise. Dans cette présentation, je vais parler des formations internes et externes, des groupes d’usagers, les conférences, les « Lunch and Learn », les dojos de code, les revus de codes et encore plus.
OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it's an API, it can be easely be add to applications and services to protect themselves from attackers. In this talk, I'll present the project, it's PHP implantation and how to add it to your projects.
OWASP Enterprise Security API Toolkits help software developers guard against security-related design and implementation flaws. Because it's an API, it can be easely be add to applications and services to protect themselves from attackers. In this talk, I'll present the project, it's PHP implantation and how to add it to your projects.
The password is currently the most commonly used way to identify a user. It does not, however, have the level of security required to protect sensitive information.
The addition of new identification allows to solve this problem. In this presentation we will see the concepts of strong authentication, the presentation of alternative free or low cost multi-factor identification.
Durant ce laboratoire, nous allons réaliser un audit sécurité d'une application Web Open Source. L'objectif technique est de dresser un rapport complet, et d'assimiler toutes les phases du travail d'enquête : analyse boîte noire, analyse à code ouvert, recensement des vulnérabilités (XSS, injections, dévoilement, etc), recommandations de renforcement, priorisation des tâches. Toutes les compétences seront mises à l'épreuve dans cet excercice complexe.
Nous travaillerons sur une application réelle : (Nom de l'application à venir ultérieurement). Le laboratoire se terminera avec la remise du rapport aux auteurs de l'application pour qu'ils puissent avoir un regard extérieur sur le niveau de sécurité de l'application.
This presentation is biligual (french/english).
Durant un audit sécurité d'une application web, il y a plusieurs phases au travail d'enquête : interview, recensement des vulnérabilités (XSS, injections, dévoilement, etc.) par avec des tests d'intrusion, analyse du code, suivi d'un rapport expliquant les problèmes, des recommandations de renforcement et priorisation des tâches. Toutes ces étapes sont importantes, mais certaines sont plus connues que les autres. Dans cette présentation, nous apprendrons les étapes et les outils pour faire un audit du code d'une application Web. Les techniques présentés peuvent être utilisés en plusieurs langages de programmation, mais plusieurs outils seront axé sur le langage de programmation PHP.
Auditing and securing PHP applications - FRHACK 2009Philippe Gamache
This presentation is biligual (french/english).
In this laboratory, we will carry out a safety audit on the code of a web application. The technical objective is to provide a report and treat all phases of investigative work: source analysis, identifying vulnerabilities (XSS, injections, disclosure, etc.), recommendations for strengthening, and prioritization of tasks.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
2. ABOUT ME
HI I’M PHILIPPE
I’m a Developer Evangelist for kuzzle.io.
Long-time internet developer, author,
screen caster, podcaster and speaker. I’m
specializes in PHP, Symfony, Kuzzle,
security, code quality, performance, real
time and geolocation.
• Sécurité PHP 5 et MySQL 5
• OWASP Montreal
• PHP Quebec
• Table Top Game Developer
• Pen & Paper RPG Writer
3. PURPOSE OF THE PRESENTATION
• Improve the code of your website
• Protect your site against certain attacks
• Protect your users from certain attacks
• Protect your development sites
WHY WE ARE TALKING ABOUT THIS?
4. PROTECT YOUR DEV SITES
• Dev/test/qa/regression servers
• If they are available via the web
• Robots.txt is not enough
• forget
• File compliance
AVOID LEEKS
13. IMPROVE YOUR CODE
• Normally, for IE8 +
• Requests IE to use the latest render engines or a particular version.
• Should use the ChromeFrame renderer (for IE6 and IE7)
• Does not validate
• Reduce the display speed of the site if it needs to change mode
• Does not work in a conditional comment ( <!--[if lt IE 7]> )
META/HEADER : X-UA-COMPATIBLE
16. HEADER: X-UA-COMPATIBLE
APACHE EXAMPLE
#apache
<IfModule mod_headers.c>
Header set X-UA-Compatible “IE=Edge,chrome=1”
# Mod_headers Does not use the content type,
# but we do not want to send this header
<FilesMatch “.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|
m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|
crx|oex|xpi|safariextz|vcf)$” >
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>
22. PROTECT AGAINS DRIVE-BY ATTAQUE
• Only one value: nosniff
HEADER : X-CONTENT-TYPE-OPTIONS
Android Chrome Edge Firefox Internet Explorer Opera Safari
nosniff 3+ 1.0+* 11+ 50+** 8+ 13+ N/A
* during download
** or with NoScript
25. XSS PROTECTION
• Automatic protection against XSS
• mode=block
• report=<reporting-URI>
META/HEADER : X-XSS-PROTECTION
Android Chrome Edge Firefox Internet Explorer Opera Safari
X-XSS-Protection (Yes) 4+ 11+ N/A* 8+ Yes 4+
report No Chromium No No No No No
* yes with NoScript
48. PROTECT YOUR SESSIONS
• Stealing session (session cookie) is quite simple.
• Use HTTPS on your server if you use sessions.
• But it is not enough...
PHP CONFIGURATION
52. PROTECT IN TRANSIT DATA
• Require the browser to use a site in SSL (and retains the information)
HTTP STRICT TRANSPORT SECURITY
Android Chrome Edge Firefox Internet Explorer Opera Safari
Strict-Transport-
Security
4.4+ 4+ 12+ 4+ 11+ 12+ 7+
54. HTTP STRICT TRANSPORT SECURITY
APACHE EXAMPLE
#apache
<VirtualHost *:80>
ServerAlias *
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]
</VirtualHost>
<VirtualHost *:443>
ServerAlias *
...
<IfModule mod_headers.c>
Header set Strict-Transport-Security “max-age=16070400; preload"
</IfModule>
</VirtualHost>
55. HTTP STRICT TRANSPORT SECURITY
PHP EXAMPLE
<?php
// IIS defines the HTTPS protocol to be “off” for non-SSL requests
if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
header(’Strict-Transport-Security: max-age=16070400’);
} else {
header('Location: https://’.$_SERVER[’HTTP_HOST'] .
$_SERVER['REQUEST_URI'], true, 301);
exit;
}
56. PROTECT IN TRANSIT DATA
• Tells a Web client to associate a specific public cryptographic public key
to a Web server to reduce the risk of MITM attacks with falsified
certificates.
HTTP PUBLIC KEY PINNING (HPKP)
Android Chrome Edge Firefox Internet Explorer Opera Safari
Public-Key-Pins 38+ 38+ N/A 35+ N/A 25+ N/A
Report-uri 46+ 46+ N/A N/A N/A 33+ N/A
60. PROTECT YOUR
• Allows you to specify when the browser will define a Referer header.no-
referrer
• no-referrer
• no-referrer-when-downgrade
• origin
• origin-when-cross-origin
• same-origin
• strict-origin
• strict-origin-when-cross-origin
• unsafe-url
HEADER: REFERRER-POLICY