The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
Visual version of http://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto. The presentation talks about how a disclosure was forgotten, what we can do to prevent such issues, and how to keep track of vulnerable components.
Learn all the tricks of the trade that penetration testers use to practice their skills, test out new attacks, and prepare for upcoming penetration tests. Joe will be covering things like:
Pentester Tips
- How to keep up with the latest vulnerabilities and exploits
- Deciding what types of vulnerabilities to put in the network
- Deciding how to design the network
- Deciding what defensive measures to put into the network
Hardware Tips
- Should you use an old machine/old laptop
- Should you build a whitebox for this
- What types of hardware should you buy
Software Tips
- Where do you get all of the operating systems from
- Where do you get all of the vulnerable applications from
VMWare Tips
- Creating linked clones in ESXi
- Deploying Snort or Suricata in ESXi
- vSwitch features that you may want to use in your environment
VirtualBox Tips
- Building and running VirtualBox headless with phpVirtualBox
- Creating backups and clones of running VMs in VirtualBox
- Using raw devices to create a VirtualBox VM
- Setting up a serial port between VirtualBox VMs
- Taking screenshots of VirtualBox VMs
Writing secure applications is critical. Whether you're writing code at the SMT level, MivaScript level, server level or anywhere else, it's important to keep security in mind. Come in and learn how to mitigate exploits, initiate exploits, and learn about incident handling.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following four vulnerabilities:
- Injection
- Sensitive Data Exposure
- Cross Site Scripting
- Insufficient Logging and Monitoring
OSCP Exam Preparation Documents.
In this document, we download a vulnerable machine VM image, analyse the machine and obtain root privileges.
So you wanna be a pentester - free webinar to show you how - by Joe McCray
I’ll be covering things like:
- Some of the various types of penetration testing jobs
- Education/Certification/Experience/Skill requirements
- Should I have a degree – if so what type?
- Should I have certifications – if so which ones?
- Should I have work experience – if so what type?
- What skills should I have prior to applying?
- Do I need to be a good programmer?
- Where can I get these skills if I’m not currently working in the field?
- Security clearance requirements
- What are good key words to use when searching IT job sites for pentesting jobs?
- What to expect during the interview process
- I’m not in the US, where can I find pentester work abroad?
- How much money can I expect to make as a pentester?
- The good the bad and the ugly…what the work is actually like day-in and day-out
OWASP Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014 - by Anant Shrivastava
This presentation talks about OWASP Mobile Risk M2, i.e. Insecure Data Storage. The agenda of the presentation is to understand data storage and the effect of insecure data storage. It also includes demos of known insecure data storage flaws, methods to identify this flaw, and the precautions a developer should take to prevent it.
The presentation was done as part of null/OWASP/G4H Monthly Meet
OWASP Mobile Risk Series : M3 : Insufficient Transport Layer Protection - by Anant Shrivastava
This session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer Protection. We will try to understand the transport layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how these affect the overall security of mobile devices, what kind of protection can be applied, and how the issue can be identified.
OWASP Top 10 - 2017 Top 10 web application security risks - by Kun-Da Wu
The OWASP team recently released the 2017 revised version of the ten most critical web application security risks. This presentation briefs you on the OWASP Top 10 - 2017 so you can learn more about these important security issues.
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter... - by Quek Lilian
A live hacking session demonstrating the different tools and techniques used by hackers, with an in-depth look at the problems of insecure applications and the solutions that fix the vulnerabilities.
Technical Architecture of RASP Technology - by Priyanka Aash
APPSEC CHALLENGES
- Writing Secure Code is not Easy
- Most follow agile development strategies
- Frequent releases and builds
- Any release can introduce or reintroduce vulnerabilities
- Problems by design.
Ex: Session Hijacking, Credential Stuffing
This presentation was given to some fresh graduate developers to help them understand how to protect their web apps against some famous attacks like XSS. The presentation was part of a bigger course designed to assist them.
Altitude #Users meeting in Spain ASES2015 - by Raquel1704
Looking back over the past, we come to the conclusion that we have been talking about the same thing for a long time. The technology is mature and has a direct impact on the strategy we want to define for relating to our customers; it is just a matter of getting started. ALTITUDE CAN HELP YOU.
The position and role of religion as the spirit, energy and motivation that gives rise to the ideas, concepts and cultural behaviour of a nation with character and dignity, covering and touching every dimension of life. This is where our truly heavy task lies, because almost every problem of this nation can be linked to weak mental development, low religiosity and morality, and inadequate religious services, which are in fact the responsibility of officials within the Department of Religion.
Working with micro-services is arguably the best part of OSGi development. However, everyone agrees that tracking service dependencies with the bare-bones OSGi API is not ideal. So, you pick one of the available dependency managers: either Declarative Services, Felix Dependency manager, Blueprint or iPojo.
But how do you pick the right one? Easy! After this shoot-out you’ll know all about the performance, usability and other aspects of the existing dependency managers. We show the strengths and weaknesses of the implementations side-by-side. How usable is the API? What about performance, does it scale beyond trivial amounts of services? Does it matter which OSGi framework you run the dependency manager in?
Make up your mind with the facts presented in this session.
Presentation on Top 10 Vulnerabilities in Web Application - by Md Mahfuzur Rahman
In this presentation I'm trying to describe the "Top 10 Vulnerabilities in Web Application" according to OWASP (Open Web Application Security Project).
--The top 10 security mistakes that developers make
--How to design software with an assurance of security
Security Ninjas: An Open Source Application Security Training Program - by OpenDNS
NOTES
--
Slide 8
Some of the categories we will discuss are very broad like this one.
Untrusted command – get / post / rest style params
Clicks
Surprise inputs
Slide 13
Very broad too
Little or no auth
Auth with some bypass possibilities
Some problem with how session is generated, managed, expired
Insufficient sessionID protection
Slide 18
When a user is tricked into clicking on a malicious link, submitting a specially crafted form, or even just browsing to a malicious site, the injected code travels to the vulnerable web site, which reflects the attack back to the user’s browser.
Slide 27
Security hardening throughout Application Stack
Unnecessary features enabled or installed?
ports, services, pages, accounts, privileges
Security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?
Default accounts/ passwords still enabled and unchanged?
Error handling reveal stack traces or other overly informative error messages to users?
Software out of date?
OS, Web Server, DBMS, applications, code libraries
Slide 41
Sign up for updates or do regular audits to see versions
There might be technical dependencies
Easily exploited by attackers using Metasploit, info gathering using headers and responses, etc.
Slide 47
We can look at the architecture, give you tips around what you could use, what would be good. This would avoid making any major changes when the product is ready which would save everyone’s time in the long run.
Have sprints with dedicated security features and use those as a selling point for our security conscious customers
Slide 48
Carefully look at the license to make sure you can use it in your type of product. Ask Fallon if you are not sure
Research how much support it gets, how popular it is
Look to find out any vulnerabilities in it before you start using it
Maintain it; Sign up for CVE updates
Ask us if you need to get something reviewed
Slide 50
Not only better and more features
Security vulnerabilities get patched in new versions
New versions get most attention by the companies and old ones stop getting support after some time fully
Most Security Support by the community
Turn on auto updates for Chrome; always look at updates on AppStore
Slide 51
Use different passwords for different sites
Password managers let you set complexity, generate random passwords, etc.
Slide 52
Only grant access to what's needed to get the job done
employee leaves; mistakes; vulnerabilities in other s/w which leverages this;
Don’t install redundant software, plugins, etc.
This opens up so much risk
People forget to uninstall them; s/w doesn't get much attention from community; open ports are left; boom exploited by attackers;
Slide 55
To prevent unintended execution actions
e.g., fail open auth errors
Leak minimal info about infrastructure as this info is leveraged by attackers to carry out further attacks
SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.
Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.
The key areas are:
* IDS Evasion
* Privilege Escalation
* Re-Enabling stored procedures
* Obtaining an interactive command-shell
* Data Exfiltration via DNS
Slides for web-vulnerabilities talk I had at Evo Summer Python Lab'17 (Internship at EVO.company).
Overview of main types of vulnerabilities in the web applications as well as ways to prevent them. Damn Vulnerable Web Application (http://dvwa.co.uk/) and Damn Vulnerable Python Web Application (https://github.com/anxolerd/dvpwa) were used as demonstration software.
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Architecture vulnerabilities in SAP platforms - by ERPScan
SAP security has become a hot theme nowadays. Attacks on SAP can put a business at risk of espionage, sabotage and fraud.
The presentation covers the following architecture and unusual issues:
Authentication Bypass
1. Verb tampering
2. Invoker servlet
Encryption
3. Storage – SAPGUI
4. Authentication – P4
5. Transfer – RFC, Diag
SSRF
6. Port Scan
7. Command execution
8. Security bypass
Also, the presentation gives advice for developers and describes future trends in the SAP security area.
Meeting Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Exploiting the Tiredful API
Matt Scheurer
https://twitter.com/c3rkah
Abstract:
The "Tiredful API" is an intentionally designed broken app. The aim of this web app is to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. This presentation features live demos exploiting some of the known vulnerabilities including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS).
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. Matt has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. He maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
Sharing our agency experience of developing secure web applications for some of the UK's leading high street banks and brands with a focus on the pitfalls you face when developing code in PHP. The talk will contain specific details on the many attack vectors that hackers will use to attempt to access and exploit your site and how you can improve your development process to avoid them.
Topics covered will include some old chestnuts like XSS (Cross Site Scripting) and SQL injection, through to issues like Session Hijacking.
The talk is aimed at developers ranging from those who have perhaps not truly considered the security of their applications before to those who would like to extend their knowledge. It is aimed at software developers and will contain practical code-based examples and solutions.
Similar to Don't get stung - an introduction to the OWASP Top 10 (20)
"Impact of front-end architecture on development cost", Viktor Turskyi - by Fwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
JMeter webinar - integration with InfluxDB and Grafana - by RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Key Trends Shaping the Future of Infrastructure.pdf - by Cheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4 - by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with Parameters - by Safe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3 - by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... - by UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
PHP Frameworks: I want to break free (IPC Berlin 2024) - by Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
The Art of the Pitch: WordPress Relationships and Sales - by Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... - by BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - by Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Don't get stung - an introduction to the OWASP Top 10
1. Don’t get Stung (An introduction to the OWASP Top Ten Project)
Barry Dorrans, Microsoft Information Security Tools
NEW AND IMPROVED!
2. Contents
- OWASP Top Ten – http://www.owasp.org
- A worldwide free and open community focused on improving the security of application software
3. Introduction
- Do not try this at home. Or at work.
- These are not just ASP.NET vulnerabilities
- If you don’t want to ask public questions ... barryd@idunno.org / http://idunno.org
5. Unvalidated Redirects and Forwards
- Users don’t check the address bar
- MVC authentication (pre-3.0) is vulnerable
- Check the ReturnUrl parameter – http://weblogs.asp.net/jgalloway/archive/2011/01/25/preventing-open-redirection-attacks-in-asp-net-mvc.aspx
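An added example of the ReturnUrl check the slide calls for; this is not code from the deck or from the linked blog post. It assumes a Forms-authentication MVC site with the standard Membership provider, and the IsLocalUrl helper and controller names are choices made for this illustration.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

// Added example, not code from the deck. Shows the ReturnUrl check that the
// pre-3.0 MVC LogOn action lacked: only a site-relative path is honoured.
public class AccountController : Controller
{
    // Hypothetical helper. A local URL is "/" on its own or "/something" whose
    // second character is neither '/' nor '\': browsers treat "//host/..." and
    // "/\host/..." as protocol-relative links to another host. Absolute URLs and
    // app-relative "~/" forms are rejected outright so nothing is resolved for them.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url))
            return false;
        if (url[0] != '/')
            return false;                        // "http://...", "javascript:", "~/..."
        if (url.Length == 1)
            return true;                         // "/" alone
        return url[1] != '/' && url[1] != '\\';  // reject "//host" and "/\host"
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);

        if (IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        // Anything else (another host, a protocol-relative URL, an empty value) is
        // ignored and the user lands on a fixed, known-good page instead.
        return RedirectToAction("Index", "Home");
    }
}
```

The check is deliberately a whitelist on shape rather than a blacklist of hosts: the only thing accepted is a path that the browser can resolve nowhere but the current origin. Logging the rejected value helps detect campaigns that seed login links with hostile ReturnUrl values.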
7. Insufficient Transport Layer Protection
- Use SSL
- Protect communications between web server and backend systems (SSL, IPSEC etc.)
- Replay attacks – use time limited tokens
9. Failure to restrict URI access
- Security by obscurity is useless
- Restrict via ASP.NET – no rolling your own!
- Integrated pipeline restricts everything
- Use [PrincipalPermission] to protect yourself
- IIS7 replaces file ACLs with a web.config based authorization list.
11. Insecure Cryptographic Storage
- Symmetric – same key
- Asymmetric – public/private keys
- Use safe algorithms – Hashing: SHA256; Symmetric: AES; Asymmetric: CMS/PKCS#7
- Encrypt then sign
12. Insecure Cryptographic Storage
- Use symmetric when: all systems are under your control; no need to identify who did the encryption
- Use asymmetric when: talking to / accepting from external systems; non-repudiation on who encrypted/signed (X509)
- All in memory – so no large plain text!
- Combine the two for speed and security
13. Insecure Cryptographic Storage
- Do not reuse keys for different purposes
- Store keys outside the main database
- Use CryptGenRandom for random numbers
- Use & rotate salts
- Use unique IVs
- DPAPI can provide a key store
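An added example that puts slides 11 to 13 together in working code: AES for the symmetric part, SHA256 (as HMAC-SHA256) for the integrity part, encrypt-then-sign ordering, a fresh IV per message, and a separate key for each purpose. This is not code from the deck; the SealedBox name and the IV‖ciphertext‖tag wire layout are choices made for this illustration. RandomNumberGenerator is the .NET wrapper over CryptGenRandom on Windows.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the deck): encrypt-then-MAC with AES-CBC and HMAC-SHA256.
// Wire format chosen for this example: [16-byte IV][ciphertext][32-byte HMAC tag],
// where the tag covers IV || ciphertext so neither can be altered undetected.
public static class SealedBox
{
    private const int IvLength = 16;   // AES block size
    private const int TagLength = 32;  // HMAC-SHA256 output size

    // One key per purpose: the encryption key is never reused as the MAC key.
    public static byte[] NewKey()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())   // CryptGenRandom on Windows
            rng.GetBytes(key);
        return key;
    }

    public static byte[] Seal(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        // A fresh IV for every message: a reused IV reveals when two plaintexts share a prefix.
        byte[] iv = new byte[IvLength];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(iv);

        byte[] ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }

        byte[] output = new byte[IvLength + ciphertext.Length + TagLength];
        Buffer.BlockCopy(iv, 0, output, 0, IvLength);
        Buffer.BlockCopy(ciphertext, 0, output, IvLength, ciphertext.Length);
        using (var hmac = new HMACSHA256(macKey))
        {
            // Sign after encrypting: the tag is computed over what actually goes on the wire.
            byte[] tag = hmac.ComputeHash(output, 0, IvLength + ciphertext.Length);
            Buffer.BlockCopy(tag, 0, output, IvLength + ciphertext.Length, TagLength);
        }
        return output;
    }

    public static byte[] Open(byte[] sealedMsg, byte[] encKey, byte[] macKey)
    {
        if (sealedMsg.Length < IvLength + 16 + TagLength)
            throw new CryptographicException("Message too short");
        int bodyLength = sealedMsg.Length - TagLength;

        // Verify the tag before touching the ciphertext, comparing in constant time.
        byte[] expected;
        using (var hmac = new HMACSHA256(macKey))
            expected = hmac.ComputeHash(sealedMsg, 0, bodyLength);
        int diff = 0;
        for (int i = 0; i < TagLength; i++)
            diff |= expected[i] ^ sealedMsg[bodyLength + i];
        if (diff != 0)
            throw new CryptographicException("MAC check failed");

        byte[] iv = new byte[IvLength];
        Buffer.BlockCopy(sealedMsg, 0, iv, 0, IvLength);
        using (var aes = Aes.Create())
        {
            aes.Key = encKey;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(sealedMsg, IvLength, bodyLength - IvLength);
        }
    }

    public static void Main()
    {
        byte[] encKey = NewKey(), macKey = NewKey();
        // Constructed sample secret for the demonstration.
        byte[] sealedMsg = Seal(Encoding.UTF8.GetBytes("card token 4111-xxxx"), encKey, macKey);
        Console.WriteLine(Encoding.UTF8.GetString(Open(sealedMsg, encKey, macKey)));

        sealedMsg[IvLength] ^= 0x01;   // flip one ciphertext bit
        try { Open(sealedMsg, encKey, macKey); }
        catch (CryptographicException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

Because the MAC is checked before decryption, a tampered or truncated message never reaches the AES padding logic, which is what keeps padding-oracle style errors from leaking anything. The keys here live in memory only; as slide 13 says, in a real deployment they come from a store outside the database, for which DPAPI is one option on Windows.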
19. Cross Site Request Forgery
- WebForms: lock ViewState using ViewStateUserKey – needs a way to identify the user; set in Page_Init
- Use a CSRF token – http://anticsrf.codeplex.com
- MVC: <%= Html.AntiForgeryToken() %> – in form; [ValidateAntiForgeryToken] – on action method
- Encourage users to log out
- When is a postback not a postback?
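An added example of the WebForms half of the slide, not code from the deck: a hypothetical base page that sets ViewStateUserKey during Init so the view state MAC is bound to the current session. The "__anchor" session key is an assumption made for this illustration.

```csharp
using System;
using System.Web.UI;

// Added example, not code from the deck. Every WebForms page in the site derives
// from this hypothetical base class so the rule is applied in one place.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session == null)
            return;   // session state disabled for this page; nothing to bind to

        // ASP.NET issues a new session id on every request until something is stored
        // in session state, so park a marker to make the id stable.
        if (Session["__anchor"] == null)
            Session["__anchor"] = true;

        // Must be set in Init, before view state is loaded; setting it in Page_Load is
        // too late. With the key tied to the session, a form captured by an attacker
        // and submitted from a victim's browser fails view state validation.
        ViewStateUserKey = Session.SessionID;
    }
}
```

This only has effect while view state MAC validation is on (EnableViewStateMac, the default), and it protects postbacks only; plain GET handlers that change state still need the anti-CSRF token from the slide.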
21. Insecure Direct Object Reference
- Use indirect object references
- Always check access permissions
- For MVC don’t allow binding to your ID field: [Bind(Exclude="id")]
26. XSS
- All input is evil
- Work from white-lists not black-lists.
- Store un-encoded data in your database
- Use HttpOnly cookies
- AntiXSS project – http://antixss.codeplex.com: better HTML/URL encoding; adds HTML attribute, JavaScript and VBScript encoding
- XSS Cheat Sheet – http://ha.ckers.org/xss.html
28. Injection Flaws
- SQL: use SQL parameters; remove direct SQL table access; when building SQL strings within SPs parameterise those too!
- XPath: use XsltContext – http://mvpxml.codeplex.com/
29. Injection Flaws
-- Dynamic SQL inside a stored procedure: the statement text stays fixed and the
-- values are handed to sp_executesql as typed parameters, so they never become
-- part of the statement.
DECLARE @cmd nvarchar(max)
SET @cmd = N'SELECT * FROM Customer WHERE FirstName LIKE @first OR LastName LIKE @last'
EXEC sp_executesql @cmd, N'@first nvarchar(25), @last nvarchar(25)', @first, @last
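An added example, not code from the deck, that serves both the injection slides and the "always check access permissions" rule of slide 21: the same Customer / FirstName lookup done from C# with SqlParameter objects, with the row also filtered by the caller's identity. The Id and OwnerId columns, the CustomerRepository name and the EscapeLike helper are assumptions made for this illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the deck.
public static class CustomerRepository
{
    // Shown only for contrast and never executed here: attacker-controlled text becomes
    // part of the statement, so a quote in 'first' changes the query's structure.
    public static string UnsafeQueryText(string first)
    {
        return "SELECT * FROM Customer WHERE FirstName LIKE '" + first + "%'";
    }

    // Hardened form: the query text is fixed and the values travel as typed parameters.
    // The OwnerId predicate is the IDOR check from slide 21: the row is looked up by the
    // caller's identity as well as the value it asked for, so guessing another
    // customer's data yields nothing.
    public static DataTable FindCustomers(SqlConnection conn, int ownerId, string first)
    {
        const string sql =
            "SELECT Id, FirstName, LastName FROM Customer " +
            "WHERE OwnerId = @owner AND FirstName LIKE @first";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@owner", SqlDbType.Int).Value = ownerId;
            // Escape LIKE metacharacters so the user's text matches literally,
            // then append the one wildcard the application intends.
            cmd.Parameters.Add("@first", SqlDbType.NVarChar, 25).Value = EscapeLike(first) + "%";
            var table = new DataTable();
            using (var reader = cmd.ExecuteReader())
                table.Load(reader);
            return table;
        }
    }

    // Parameters stop structural injection, but '%', '_' and '[' are still wildcards
    // inside a LIKE pattern on SQL Server; bracketing each makes it literal.
    public static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }
}
```

The SqlDbType and length on each parameter matter: they give SQL Server a stable plan and make the call match the N'@first nvarchar(25)' declaration the stored-procedure version uses. Removing direct table access, as slide 28 suggests, then means the application login can only reach the data through procedures written this way.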
30. Changes from 2007
- Removed: Malicious File Execution; Information Leakage / Improper Error Handling
- Added: Security Misconfiguration; Unvalidated Redirects and Forwards
31. The OWASP Top Ten
- A1 – Injection
- A2 – Cross Site Scripting (XSS)
- A3 – Broken Authentication and Session Management
- A4 – Insecure Direct Object References
- A5 – Cross Site Request Forgery (CSRF)
- A6 – Security Misconfiguration
- A7 – Insecure Cryptographic Storage
- A8 – Failure to Restrict URL Access
- A9 – Insufficient Transport Layer Protection
- A10 – Unvalidated Redirects and Forwards