Cryptography is a complex and confusing subject. In this talk you will learn about the core components of cryptography used in software development: securing data with encryption, ensuring data integrity with hashes and digital signatures, and protecting passwords with key derivation functions. While learning how to use these components, you will also learn the best practices that drive strong cryptography. This talk won’t make you a cryptography expert, but it will give you the knowledge necessary to use cryptography properly. No prior knowledge of cryptography is required for this presentation.
Dutch PHP 2018 - Cryptography for Beginners (Adam Englander)
Cryptography is a complex and confusing subject. In this talk you will learn about the core components of cryptography used in software development: securing data with encryption, ensuring data integrity with hashes and digital signatures, and protecting passwords with key derivation functions. While learning how to use these components, you will also learn the best practices that drive strong cryptography. This talk won’t make you a cryptography expert but it will give you the knowledge necessary to use cryptography properly. No prior knowledge of cryptography is required for this presentation.
Fighting Back Against Constantly Evolving Google Play Android Malware (Jagadeesh Chandraiah)
Google Play is the official application store for the Android platform, recommended by Google. This year we have already seen several headline-grabbing Android malware families with millions of infections [1]. In September alone, security researchers discovered four different instances of Google Play malware, besides several other infections throughout the year, with hundreds of millions of user installations. According to Google’s own stats [2], several hundred malware applications, also called PHAs, infiltrated the Google Play store. Google Play malware has been evolving and will continue to evolve. It is important to track these evolutions and update our defense systems.
Early Google Play malware were simple SMS senders, ransomware and downloaders; then they moved on to multi-stage downloaders like Ghost Push and Android clickers. Now they are developing targeted attacks like Lipizzan and several banker bots built from leaked source code. We have also seen evolution in the techniques used by malware authors to infiltrate Google Play and succeed in infecting user devices. Many interesting techniques are used; some of them are:
* Abuse of the Accessibility service for installing malicious applications; the legitimate use of this service is to assist disabled users in using Android apps.
* Abuse of the Android WebView interface to run malicious JavaScript code for stealing device information, loading malicious ads and sending premium messages.
* Abuse of the permission to draw over other apps for fake overlays that steal credentials.
In this presentation, we dissect recent Google Play malware, investigate interesting techniques like the ones described above, and then present remedial actions: how changes can be made to prevent these infections from recurring.
Learn how RBC Shield® Tiles protect against radiological, biological & chemical threats caused by terrorists or accidents; see the extent of the worldwide market
Node.js Interactive NA 2016: Tales From the Crypt (Adam Englander)
Cryptography is a complex and confusing subject. There seems to be more disinformation than actual information. Learn how to properly use cryptography to secure user credentials and sensitive data. We will discuss the cryptographic methodologies and algorithms available to Node.js. The focus will be on encryption, digital signatures, and hashing. We will discuss methodologies as part of a compare-and-contrast based on cryptographic strength and randomness.
php[world] 2016 - Tales From the Crypto: A Cryptography Primer (Adam Englander)
Cryptography is a complex and confusing subject. There seems to be more misinformation than actual information. Learn how to properly use cryptography to secure user credentials and sensitive data. We will discuss the cryptographic methodologies and algorithms available to PHP. The focus will be on encryption, digital signatures, and hashing. We will discuss methodologies as part of a compare-and-contrast based on cryptographic strength and randomness.
php[tek] 2018 - Biometrics, Fantastic Failure Point of the Future (Adam Englander)
This presentation attempts to prepare developers for the coming storm of biometric authentication. It is coming; for many, it is already here. Unfortunately, few of us have been prepared to select tools for utilizing biometric authentication properly. In this presentation, Adam Englander will explain the special dangers of biometrics with regard to lifespan and storage. Because a user cannot change a biometric, it is much more valuable to bad actors, as its lifespan will undoubtedly exceed the lifespan of the cryptography protecting it. Any biometric database stolen today will likely be crackable by the average computer in 20 years. This creates a unique problem many of us have not had to tackle before. We need a different mindset when thinking about biometrics. This presentation will try to give that much-needed perspective.
Security in Microservices via MicroProfile JWT (César Hernández)
The learning curve for security is steep and unforgiving. This session digs into the current state and evolution of the security that REST-based service architectures have required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP signatures as used by Amazon in B2B APIs. Finally, it presents the Eclipse MicroProfile JWT project, which provides an enterprise Java API optimized for microservice-oriented architectures. A practical case will be presented in which a secure application is built with MicroProfile JWT, Apache TomEE and AngularJS, demonstrating the configuration, CDI, and advanced authentication and authorization capabilities that Eclipse MicroProfile JWT offers. During this session attendees will see the basic concepts of REST security with OAuth 2.0, JWT and HTTP signatures. The practical case will be presented using Eclipse MicroProfile on an application with an AngularJS front end and Java EE on Apache TomEE.
Securing the Web Without Site-Specific Passwords (Francois Marier)
Has anyone else noticed that the OWASP Top 10 is not changing very much? Especially in the realm of authentication-related problems. I don't claim to have the one true solution for this, but one thing is certain: if we change how things are done on the web and relieve developers from having to store passwords, we can make things better.
We need to let web developers outsource their authentication needs to people who can do it well. Does that mean we should force all of our users to join Facebook? Well not really. That might work for some sites, but outsourcing all of our logins to a single for-profit company isn't a solution that works for the whole web.
The open web needs a better solution: one that enables users to choose their identity provider and shop for the most secure one, if that's what they're into. This is the promise behind Persona and the BrowserID protocol. Choose your email provider carefully, and let's get rid of all of these site-specific passwords that are just sitting there waiting to be leaked and cracked.
User authentication in mobile and web applications is a very common and integral use case. Implementing basic authentication is an easy solution for developers but comes with several pitfalls that impair user experience like (re-)entering passwords, the need to create a new unique password or even just the input of personal data on a flaky keyboard while registering a new account.
In this talk the security flaws and UX implications of passwords will be discussed, and Tim will highlight which different techniques exist that can offer a more mobile-friendly flow. Covering authorization and authentication techniques like OAuth and OpenID Connect, and even hardware features like Bluetooth Low Energy, this talk will be interesting for anyone facing a situation where creating and storing user accounts matters.
Cryptography is a complex and confusing subject. In this session we'll distill PHP encryption down to its essential drivers. You'll learn what makes cryptography weak and strong. You'll learn the important questions to ask when making decisions regarding modules and libraries. This session won’t make you a cryptography expert but it will give you the knowledge necessary to protect your software from attack. No prior knowledge of cryptography is required for this session.
Amanda Sopkin - Computational Randomness: Creating Chaos in an Ordered Machin... (Codemotion)
There are many computational needs for randomness, from video games to making a cryptographically secure id. Generally, using the default random libraries to create random numbers is sufficient, but for secure cases we require something better. We will begin by reviewing some historical examples of hacks that exploited weaknesses in random number generators. Next we will look at common random number generators and the algorithms and seeds that are used. Finally, we will explore modern random number generators that take different approaches and discuss the best uses for each type.
Ioan Iacob and Marius Bucur in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
OSDC 2019 | Automating Security in Your Data Pipeline by Troy Harvey (NETWAYS)
Carta helps companies manage and secure their cap tables and equity plans: highly sensitive data. In a post-GDPR world, data engineers play a critical role in protecting data and limiting access at each step in a data pipeline. In this session, Troy will walk through the steps that Carta’s data team has taken to secure its data pipeline using open source tools. You will leave with a checklist of things to consider when building a data lake or data warehouse, or deploying a data orchestration system. Some of the technologies covered include Apache Airflow, dbt, Docker, S3, Redshift, and Looker. Become a better steward of your customers’ data.
SunshinePHP 2017: Tales From The Crypt - A Cryptography Primer (Adam Englander)
This presentation is meant to help PHP developers gain a working understanding of common terms used in cryptography, understand the key drivers for choosing cryptography methodologies, algorithms and strengths, and know which PHP modules and packages to use.
Encryption Basics Everyone Should Know (Jason Truppi)
Encryption is a core component of security and a product of strong cryptography. What should you know as a casual user of the Internet or digital wallets, or as an application developer?
Converting plaintext into a non-readable format to maintain the confidentiality and integrity of data is called encryption, and the technique used to convert it back into readable form is called decryption. We have developed algorithms to encrypt and decrypt. This whole body of theory and technology is called cryptography. Many algorithms have been developed, many have been broken, and many are still in use today. So here I came up with a new algorithm, with a new technique and a new idea.
Sweety Gone | Kuldeep B. Vayadande, "CipherKey Algorithm", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd37924.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-network/37924/cipherkey-algorithm/sweety-gone
Over the last several years, data security has become a main concern for anyone connected to the internet. Data security prevents any modification of our data and ensures that our data is only accessible to the intended receiver. We have redeveloped methods and algorithms to achieve this level of security. Cryptography is a technique for securing data, information and communication using algorithms that make the data unreadable to the human eye. We can decrypt the data using an algorithm predefined by the sender.
Devendra Kumar Meena | Dr. A. Rengarajan, "Cryptography Methodologies", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-6, October 2022. URL: https://www.ijtsrd.com/papers/ijtsrd52232.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/52232/cryptography-methodologies/devendra-kumar-meena
ConFoo Vancouver 2017 - Biometrics: Fantastic Failure Point of the Future (Adam Englander)
Biometrics is all the rage. It has been touted as the best of all possible authentication methods. Very soon, your customers and standards boards will require you to implement some sort of biometric factor for authentication. Before you head down that road, you need to know the pitfalls to avoid before becoming the next big breach in the news. Learn a few tricks to help safely secure biometrics to protect your users.
How the Raft Consensus Algorithm Will Make Replication Even Better in MongoDB 3.2... (Ontico)
MongoDB exhibits a fairly classic leader-based replication architecture, with built-in automatic provisioning and failover. Since it was developed, an academic paper from Stanford has introduced a distributed consensus algorithm called Raft — which happens to be rather similar to MongoDB's home-grown algorithm. This talk will give a brief overview of Raft and how we are retrofitting some of it into MongoDB 3.2 to make our replication even more robust.
How to Add Data Privacy to Your Angular Application (IronCore Labs)
Even the coolest user interfaces won’t cover for apps that are insecure and leak private information. As JavaScript developers, we need to build apps that stand up to the demands of our industry and protect the data and privacy of our users.
In this talk, you will learn:
* Why your app requires data control to guard against data proliferation.
* How HTTP Interceptors work in Angular.
* How class decorators work in Angular / Typescript.
* How to add policy based encryption to your application using HTTP Interceptors and decorators.
* How to separate what data to encrypt from who should be able to decrypt it.
* How data control works under the hood.
Gain a practical understanding of how to integrate AI capabilities into your PHP projects with examples from the leading sources of hosted AI: OpenAI and Hugging Face. Armed with this knowledge, you can unlock new possibilities for intelligent, dynamic, and user-centric PHP applications that leverage the power of Artificial Intelligence.
So, join us for this transformative journey as we bridge the gap between PHP and AI, opening the door to a world of smarter and more innovative web applications.
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down your API without writing a ton of code.
In this tutorial, you will learn how to write a secure API with future-proof security utilizing JOSE. JOSE is a collection of complementary standards: JWT, JWE, JWS, JWA, and JWK. JOSE is used by OAuth, OpenID, and others to secure communications between APIs and consumers. Now you can use it to secure your API.
Cryptography is the invisible layer protecting everything around us. As software engineers, we are required to have some understanding of cryptography. Most of us only have a cursory understanding. Let’s dive deep into algorithms and modes for encryption, digital signatures, hashing, and key derivation. To get the most from this presentation, it is expected that you have a basic understanding of cryptography.
Threat Modeling for Dummies - Cascadia PHP 2018 (Adam Englander)
No developer wants to be responsible for a major data breach. Unfortunately, when it comes to application security, most developers have more questions than answers. How do I get started? Who should I be protecting against? How much security is enough? Is there a best practice to follow? In less than an hour, I will give you the tools you need to begin integrating threat modeling into your existing application lifecycle. Start building secure applications today.
php[tek] 2018 - Cryptography Advances in PHP 7.2 (Adam Englander)
There were some pretty substantial cryptography advances in PHP 7.2. Most of these changes were made to make advanced cryptography easier to use. That’s a good thing for developers and end users alike. The addition of libsodium is a game changer. It makes synchronous and asynchronous cryptography a no-brainer and adds better hashing than we've ever had. Argon2i for passwords is pretty substantial as well. We’ll go over the changes and have some practical examples of each. Developers need to know about these advances and just how awesome they are.
Biometric identification might be more secure than passwords, but it’s still vulnerable to hacking. Why not hold up a photograph of the phone owner to fool the new facial recognition system? In this presentation, Adam Englander will walk through the risks and dangers of leveraging biometrics for user authentication, and why we all should be thinking twice about it.
With the dominance of Mobile Apps, Single Page Apps for the Web, and Micro-Services, we are all building more APIs than ever before. Like many other developers, I had struggled with finding the right mix of security and simplicity for securing APIs. Some standards from the IETF have made it possible to accomplish both. Let me show you how to utilize existing libraries to lock down your API without writing a ton of code.
Cryptography for Beginners - Midwest PHP 2018Adam Englander
Cryptography is a complex and confusing subject. In this talk you will learn about the core components of cryptography used in software development: securing data with encryption, ensuring data integrity with hashes and digital signatures, and protecting passwords with key derivation functions. While learning how to use these components, you will also learn the best practices that drive strong cryptography. This talk won’t make you a cryptography expert but it will give you the knowledge necessary to use cryptography properly. No prior knowledge of cryptography is required for this presentation.
Con Foo 2017 - Don't Lose Sleep - Secure Your RESTAdam Englander
Are you worried that your REST API may be the next victim of an attack by ruthless hackers? Don't fret. Utilizing the same standards implemented by OAuth 2.0 and OpenID Connect, you can secure your REST API. JSON Object Signing and Encryption (JOSE) is the core of a truly secure standards-based REST API. Let me show you how to ensure the data sent to and received from your API is as safe and secure as is reasonably possible.
The Red Team, hackers, criminal organizations, and nation states, are a constant threat. The systems we build are the targets. We need to understand the human collateral that hangs in the balance. We embrace methodologies to write better code and make our lives better. They do nothing for the rest of humanity that is directly affected by security vulnerabilities we introduce. In this session we'll put a human face on the users of our software. It will challenge you to think in terms of flesh and blood rather than ones and zeros. We are all the Blue Team. We protect the rest of humanity. Join us in the fight. The Red Team is coming!
Asynchronous software development is rapidly moving from the niche to the mainstream. That mainstream now includes PHP. This workshop will give you hands-on instruction in building an asynchronous application in PHP. We'll build a Twitter Bot utilizing the Amp concurrency framework for PHP and the Twitter Streaming API. During this time you'll learn the basics regarding the Amp event loop, generators and co-routines, and writing non-blocking code. Get ready for the future of PHP today.
Symfony Live San Francisco 2017 - BDD API Development with Symfony and BehatAdam Englander
BDD API Development with Symfony and Behat You may have built an API in Symfony before. You may have even written some browser tests in Behat. Did you ever consider using Behat to write integration tests for your API? If not, you definitely should. The portability and reusability of Behat steps make it the perfect platform for API integration tests. The Symfony kernel integration for Behat and the absence of JavaScript in an API make this a match made in heaven. Pull up a cloud and let me show you the pure awesomeness that is BDD API Development with Symfony and Behat.
Coder Cruise 2017 - The Red Team Is ComingAdam Englander
The Red Team, hackers, criminal organizations, and nation states, are a constant threat. The systems we build are the targets. We need to understand the human collateral that hangs in the balance. We embrace methodologies to write better code and make our lives better. They do nothing for the rest of humanity that is directly affected by security vulnerabilities we introduce. In this presentation, I will put a human face on the users of our software. I will challenge you to think in terms of flesh and blood rather than ones and zeros. We are all the Blue Team. We protect the rest of humanity. Join me in the fight. The Red Team is coming!
Many developers struggle with how to properly secure REST APIs. If you are like me, you followed a process from a trusted provider like Amazon, Google, etc. What if I told you there was a better way? It’s JOSE, a collection of open standards from the IETF that has strong library support. It’s also the basis of OAuth 2.0 and OpenID Connect. Let me show you how to make a highly secure API for today and well into the future built on the framework of JOSE.
Build a bot workshop async primer - php[tek]Adam Englander
Asynchronous software development is rapidly moving from the niche to the mainstream. That mainstream now includes PHP. This workshop will give you hands-on instruction in building an asynchronous application in PHP. We will build a Twitter bot utilizing the Amp concurrency framework for PHP and the Twitter Streaming API. During this time you will learn the basics regarding the Amp event loop, generators and co-routines, and writing non-blocking code. Get ready for the future of PHP today.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance, and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
22. @adam_englander
Any modern hashing algorithm will never create a collision for an input value whose size is equal to or less than the hash output size
62. @adam_englander
–iovation: August 2015 Password Survey
https://s3.amazonaws.com/launchkey-blog/LaunchKey_Password_Survey_Results.pdf
“68% of people reuse passwords”
63. @adam_englander
–Keeper Security: The Most Common Passwords of 2016
https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf
“The top 25 passwords of 2016 constitute over 50% of the 10M passwords that were analyzed.”
64. @adam_englander
–Keeper Security: The Most Common Passwords of 2016
https://keepersecurity.com/public/Most-Common-Passwords-of-2016-Keeper-Security-Study.pdf
“Nearly 17% of users are safeguarding their accounts with "123456."”
72. @adam_englander
English Message Patterns
• Spaces can be determined based on predictable word patterns
• Single letter words will be either the letter i or a
• In a two letter word, one of the letters is a vowel
• Three letter words mostly start and end with consonants and nearly always have a vowel in the middle
• The letter e is the most common of all letters
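The heuristics on this slide can be measured rather than taken on faith. The following PHP script is an added example, not code from the slides: it counts letter frequencies and word shapes in a constructed English sentence, then applies the same measurements to a Caesar-shifted copy (the shift is a stand-in for any simple substitution cipher, constructed here for illustration) to show that the spacing, the word lengths and the frequency peak all survive the substitution intact. The function names and the sample text are this example's own.

```php
<?php
declare(strict_types=1);
// Added example, not code from the slides. Measures the "English Message
// Patterns" heuristics over a constructed sentence, then shows that a simple
// substitution cipher (a Caesar shift, constructed here) preserves every one
// of those patterns, which is why such ciphers leak structure to a reader of
// the ciphertext.

// Constructed sample text; any English sentence of a few dozen words behaves alike.
const SAMPLE = 'I can see a big risk in every cipher that keeps the word shape '
    . 'of its input. The spaces and the short words are a gift to an attacker, '
    . 'so a modern cipher needs to make its output look like random noise.';

/** Counts of the letters a-z (case-insensitive), most frequent first. */
function letterFrequencies(string $text): array
{
    $counts = array_fill_keys(range('a', 'z'), 0);
    foreach (str_split(strtolower($text)) as $ch) {
        if (isset($counts[$ch])) {   // skips spaces, digits and punctuation
            $counts[$ch]++;
        }
    }
    arsort($counts);
    return $counts;
}

/** The words of the text in order, lower-cased; the spaces are what delimit them. */
function words(string $text): array
{
    preg_match_all('/[a-z]+/', strtolower($text), $matches);
    return $matches[0];
}

function isVowel(string $ch): bool
{
    return strpos('aeiou', $ch) !== false;
}

/** Caesar shift of the letters only; spaces and punctuation pass through unchanged. */
function caesarShift(string $text, int $shift): string
{
    $out = '';
    foreach (str_split($text) as $ch) {
        if ($ch >= 'a' && $ch <= 'z') {
            $out .= chr((ord($ch) - ord('a') + $shift) % 26 + ord('a'));
        } elseif ($ch >= 'A' && $ch <= 'Z') {
            $out .= chr((ord($ch) - ord('A') + $shift) % 26 + ord('A'));
        } else {
            $out .= $ch;
        }
    }
    return $out;
}

/** The structural patterns the slide lists, as they appear in $text. */
function patterns(string $text): array
{
    $words = words($text);
    $singles = [];
    foreach ($words as $w) {
        if (strlen($w) === 1) {
            $singles[] = $w;
        }
    }
    return [
        'most common letter'  => array_keys(letterFrequencies($text))[0],
        'single-letter words' => implode(' ', array_unique($singles)),
        'word lengths'        => implode(' ', array_map('strlen', $words)),
    ];
}

/** How many two-letter words contain a vowel (a plaintext-alphabet check). */
function twoLetterWordsWithVowel(string $text): string
{
    $total = 0;
    $withVowel = 0;
    foreach (words($text) as $w) {
        if (strlen($w) === 2) {
            $total++;
            if (isVowel($w[0]) || isVowel($w[1])) {
                $withVowel++;
            }
        }
    }
    return "$withVowel of $total";
}

printf("two-letter words with a vowel (plaintext): %s\n", twoLetterWordsWithVowel(SAMPLE));
foreach (['plaintext' => SAMPLE, 'shifted by 3' => caesarShift(SAMPLE, 3)] as $label => $text) {
    echo $label, ":\n";
    foreach (patterns($text) as $name => $value) {
        printf("  %-20s %s\n", $name, $value);
    }
}
```

On the constructed sample the plaintext report finds e as the most common letter and i and a as the only single-letter words, and every two-letter word contains a vowel. The shifted copy reports exactly the same sequence of word lengths; only the labels move (the peak letter becomes h, the one-letter words become l and d), which is all an analyst needs to map the ciphertext alphabet back. A modern cipher such as the secretbox construction later in this deck hides the spaces and word lengths entirely, because its output is indistinguishable from random bytes.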
88. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
89. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
// Using your key to encrypt information
$ciphertext = sodium_crypto_secretbox('test', $nonce, $key);
90. @adam_englander
// Generating your encryption key
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
// Generate a random nonce
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
// Using your key to encrypt information
$ciphertext = sodium_crypto_secretbox('test', $nonce, $key);
// Decrypting a message requires the nonce and key used to encrypt
$plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
if ($plaintext === false) {
throw new Exception("Bad ciphertext");
}
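Slides 88 to 90 show the three calls; what they leave out is how the nonce reaches the receiver, why it must never repeat, and what happens when the ciphertext is altered. The script below is an added example, not code from the slides or from libsodium: `sealMessage()` and `openMessage()` are hypothetical helper names, the message and bit flip are constructed, and the script assumes PHP 7.2 or later with the sodium extension.

```php
<?php
declare(strict_types=1);
// Added example, not code from the slides. Wraps the secretbox calls from
// slides 88-90 so that the nonce travels in front of the ciphertext, a fresh
// nonce is drawn for every message, and any modification of the sealed message
// is detected because sodium_crypto_secretbox_open() returns false.
// Assumes PHP 7.2+ with the sodium extension.

/** Encrypt $message under $key; returns nonce || ciphertext (the nonce is not secret). */
function sealMessage(string $message, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException(
            'key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes'
        );
    }
    // A nonce must never be reused with the same key. Drawing 24 random bytes
    // per message from the CSPRNG makes a repeat practically impossible.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($message, $nonce, $key);
    return $nonce . $ciphertext;
}

/** Reverse of sealMessage(); returns null if the message was altered or the key is wrong. */
function openMessage(string $sealed, string $key): ?string
{
    $minimum = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($sealed) < $minimum) {
        return null; // too short to contain a nonce and an authentication tag
    }
    $nonce = substr($sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

// The key is generated once and kept secret; here it exists only for this run.
$key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);

// Round trip: the receiver needs only the sealed blob and the shared key.
$sealed = sealMessage('test', $key);
var_dump(openMessage($sealed, $key));

// Constructed tampering: flip one bit of the last ciphertext byte. The
// Poly1305 tag no longer verifies, so openMessage() reports failure instead
// of returning garbled plaintext.
$tampered = $sealed;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
var_dump(openMessage($tampered, $key));

// A different key cannot open the message either.
var_dump(openMessage($sealed, random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));

// Sealing the same message twice gives different bytes because the nonce differs.
var_dump(sealMessage('test', $key) !== sealMessage('test', $key));

// Wipe the key from memory once it is no longer needed.
sodium_memzero($key);
```

Run as written, the first `var_dump` shows the original string, the tampered and wrong-key attempts both yield null, and the final comparison is true. Because the helper checks the return value of `sodium_crypto_secretbox_open()` for every message, a caller never has to tell a decryption failure apart from an empty message by inspection; it receives null and can log and reject the input.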
92. @adam_englander
Books
• The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography - Simon Singh - ISBN: 0-385-49532
• Cryptography Engineering: Design Principles and Practical Applications - Niels Ferguson, Bruce Schneier, Tadayoshi Kohno - ISBN: 978-0-470-47424-2