The document provides information about a Drupal training session on fixing a broken Drupal site. It includes an agenda for the lab session which involves fixing issues related to site building, security, performance, and content architecture through exercises. Participants will be split into teams and each given a broken Drupal site to work on fixing. Automated tools and techniques for profiling site performance will be demonstrated.
How to investigate and recover from a security breach in WordPress – Otto Kekäläinen
Talk given at the first ever WordCamp Nordic on March 8th, 2019.
How to investigate and recover from a security breach – real-life experiences with WordPress
Sometimes the bad guys get in, despite all the protections and precautions. If that happens, there are many techniques that can be used to stop further damage, track down what the intruder did and how they got in. Finally the site needs to be cleaned up and re-opened for visitors. In this talk the most important techniques are presented along with real-life examples when they were used.
In the beginning, progressive enhancement was simple: HTML layered with CSS layered with JavaScript. That worked fine when there were two browsers, but in today's world of multiple devices and multiple browsers, it's time for a progressive enhancement reboot. At the core is the understanding that the web is not print - the same rules don't apply. As developers and consumers we've been fooled into thinking about print paradigms for too long. In this talk, you'll learn just how different the web is and how the evolution of progressive enhancement can lead to better user experiences as well as happier developers and users.
This deck is a conference-agnostic one, suitable to be shown anywhere without site-specific jokes!
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
10 things every developer should know about their database to run WordPress ... – Otto Kekäläinen
Talk from WordCamp Barcelona 2018
https://2018.barcelona.wordcamp.org/session/10-things-every-developer-should-know-about-their-database-to-run-wordpress-optimally/
The database is perhaps the most important piece of your infrastructure. It contains all your important e-commerce data and must be kept secure. Database performance often defines the overall performance of your WordPress site. In this talk I cover the most important things every WordPress developer should know about MariaDB/MySQL to be able to build and operate their site optimally.
Rails security: above and beyond the defaults – Matias Korhonen
In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe?
While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish.
For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?
The 5 most common reasons for a slow WordPress site and how to fix them – ext... – Otto Kekäläinen
Presentation given at a WP Meetup in October 2019.
Includes fresh new tips from summer/fall 2019!
A must-read for all WordPress site owners and developers.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
When you don't have 0days: client-side exploitation for the masses – Michele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
Wrangling Large Scale Frontend Web Applications – Ryan Roemer
Web applications are massively shifting to the frontend, thanks to exciting new JavaScript / CSS technologies, expanding browser capabilities (visualizations, real-time apps, etc.) and faster perceived user experiences. However, client web applications can be a nightmare to maintain at scale, even for seasoned software architects and operations engineers. Deployment and production infrastructures are complex and rapidly changing. And, frontend JavaScript / CSS code ships to browsers worldwide, where errors and issues are notoriously difficult to systematically detect and diagnose.
In this talk, we will tackle the wild west of the frontend with pragmatic steps and seasoned advice from helping organizations from startups to Fortune 500 companies create some of the largest frontend web applications on the Internet. In particular, we will examine the many hard lessons gleaned from leading frontend application development and education for a team of 50+ engineers rearchitecting a top-five e-commerce site. Some of the topics we will cover include:
* Managing and building very large (500K+ line) frontend application / test code bases.
* Surviving production traffic and errors on the frontend and handling spikes like Black Friday / Cyber Monday for one of the highest traffic e-commerce websites in existence.
* How, where, and why your frontend application is likely to fail.
* Monitoring, logging, and debugging frontend web applications out in the wild.
* Automating checks, tests, and code introspection to protect your code in production.
* Creating an effective, fast, and engineer-friendly development-test-deployment frontend pipeline.
Whether your frontend application already supports millions of transactions a day or you are about to launch your first single-page-application, our aim is to prepare teams of all sizes for the most critical challenges and solutions facing modern frontend web applications.
My Site is slow - Drupal Camp London 2013 – hernanibf
Drupal is a powerful and flexible tool to create web applications without building everything from scratch. This ability can drive developers to build complex websites without understanding what Drupal is doing behind the scenes.
The majority of Drupal performance talks focus on aspects like infrastructure changes, caching strategies or comparisons between modules and architectures. Unfortunately, when performance problems occur, development teams also follow strategies of replacing different parts of the platform, looking only at standard aspects like slow queries without understanding and profiling the real problem.
Most of the time it is fundamental to measure and analyze what the application is actually doing in order to understand the real problems. Drupal is a platform used by millions of websites worldwide, and its performance can in most cases be compared once measured.
At Acquia we do dozens of performance assessments per year, and even though we find the same problems in most clients, we often find situations that can only be detected when measured and analyzed by looking at a profiler report.
In this session I will explain how to detect performance problems by looking at simple data, from logs to profiler data, and provide some useful targets that can be analyzed to understand what is causing the unusually bad performance of a site.
One Drupal to rule them all - Drupalcamp London – hernanibf
Dries' famous sentence (http://buytaert.net/one-drupal-to-rule-them-all) is becoming a reality for many organisations, from small shops to the enterprise space. More and more stakeholders are following the idea of standardising their online presence on Drupal and leveraging the same code and infrastructure across their different sites. What they are seeking is a drastic reduction in the time needed to create, launch and configure a Drupal site, while at the same time reducing the maintenance effort of the whole network of sites.
To achieve it, a drastic change needs to happen in the standardisation of development processes, stricter control of the overall architecture while supporting new changes and requirements, and a repeatable and trustworthy deployment process to avoid the opposite pitfall of "one site to break them all".
In this session we will look at what needs to be considered when creating such an architecture, from the development process to the infrastructure hosting the different environments needed. We will look at different solutions that allow maintaining these site factories and walk you through several architectures, explaining their advantages and differences.
Finally, we will look in detail at Acquia's Cloud Site Factory, a fully-hosted SaaS solution that allows organisations to quickly deploy and manage websites by the hundreds: pre-define site templates, create new sites in a single click, manage roles and permissions across sites and connect to existing analytics and data systems.
Drupal architectures for flexible content - Drupalcon Barcelona – hernanibf
We got to the point where the old Drupal mantra of creating content first to see it later is not enough to succeed with content editors. Drupal is competing with and replacing other CMSs and platforms where lack of flexibility is the number one problem for content editors. They are expecting full flexibility in how content is created, displayed, approved and published. However, this introduces a common problem for web developers and site builders: how can you provide this full flexibility without having to be constantly on the hook for further development or configuration?
Modules like panels and panelizer, projects like Spark and distributions like panopoly and demo framework helped change the panorama in Drupal and the expectations that are set when sites are built.
In this session we will look at a set of common problems and real examples when creating content and layout for pages with demanding editorial teams. We will look at and evaluate common options and recipes.
- How can complex content and rich pages be structured? Free HTML format in different fields? Structured data in complex fields? Use paragraphs or field collection? Different content items in different items/entities? How to glue it all together?
- How can individual page layout be managed, providing flexibility but also control? Rely on the templating system and view modes? Use contrib modules like panels and panelizer or display suite? Mix several approaches and modules?
- How can I add any content to any page and choose its display? How can I have a list of curated widgets ready to use by the content team to deploy anywhere or in any section?
- How can pages and sections be managed before being approved and published? Use preview systems and inline editors? Use workbench or workflow for layout? Rely on more complex content staging systems? Use separate environments?
These are daily problems that architects and developers face in every project. As a technical architect at Acquia, it is rare for a project I am involved in not to need to solve one or more of these problems. In this session I will give some real examples and summarize options and recipes that can be used to solve those problems today in Drupal 7, and look at Drupal 8 to explain how it can improve some of our possibilities and options and ease the life of one of our most important personas: the content editor.
Drupal is a powerful and flexible platform to build websites with rich functionality without building almost anything from scratch. This flexibility, brought by the use of a powerful framework and the work of a very active community, can keep people from understanding what Drupal is doing behind the scenes.
Most performance talks regarding Drupal focus on aspects like infrastructure changes, caching strategies, and comparison of performance between modules or platforms. Unfortunately, when performance problems occur, development teams also follow several strategies to replace parts of their platforms, or jump directly to looking for slow queries, before really trying to understand where the bottleneck is.
However, most of the time what really needs to be done is to look at what the application is doing and understand why it is taking so long to do it. Drupal is a platform used by millions of websites worldwide, and its performance is easy to measure and compare.
At Acquia we have done dozens of performance assessments, and even though we usually face the same problems, sometimes we find strange situations that can only be detected when measured. Measuring and profiling is the only way to understand performance problems in a site and provide valid fixes.
In this talk I will explain how to detect performance problems in Drupal, using simple modules like devel, profilers like XHProf, and looking at logs to understand the impact on the application.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For more information please contact us: https://www.infosectrain.com/
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014 – Amazon Web Services
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
This is the presentation which I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, assets evaluation and getting help from the right people that know WordPress and care about security.
DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ... – DevOpsDays Riga
InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security, and policy requirements.
Using a combination of command-line and remote-execution tools, InSpec can help you keep your infrastructure aligned with security and compliance guidelines on an ongoing basis, rather than waiting for and then remediating from arduous annual audits. InSpec’s flexibility makes it a key tool choice for incorporating security into a complete continuous delivery workflow, reducing the risk of new features and releases breaking established host-based security guidelines. This talk covers the basics of working with InSpec, writing tests to reflect your organization’s security guidelines, and managing InSpec as part of a high-velocity workflow.
AD113 Speed Up Your Applications w/ Nginx and PageSpeed – edm00se
My slide deck from my session, AD113: Speed Up Your Applications with Nginx + PageSpeed, at MWLUG 2015 in Atlanta, GA at the Ritz-Carlton.
For more, see:
- https://edm00se.io/self-promotion/mwlug-ad113-success
- https://github.com/edm00se/AD113-Speed-Up-Your-Apps-with-Nginx-and-PageSpeed
This is a presentation I prepared for a local meetup. The audience is a mix of web designers and developers who have a wide range of development experience.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
This presentation was prepared for a webcast where John Yerhot, Engine Yard US Support Lead, and Chris Kelly, Technical Evangelist at New Relic, discussed how you can scale and improve the performance of your Ruby web apps. They shared detailed guidance on issues like:
- Caching strategies
- Slow database queries
- Background processing
- Profiling Ruby applications
- Picking the right Ruby web server
- Sharding data
Attendees will learn how to:
- Gain visibility on site performance
- Improve scalability and uptime
- Find and fix key bottlenecks
See the on-demand replay:
http://pages.engineyard.com/6TipsforImprovingRubyApplicationPerformance.html
Today’s cutting edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share best practices (including ones followed internally at Amazon) and how you can bring them to your company by using open source and AWS services.
Speaker: Raghuraman Balachandran, Solutions Architect, Amazon India
OWASP SF - Reviewing Modern JavaScript Applications – Lewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach them from an 'outside-in' perspective; this approach often misses security issues hiding in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood and identified during security reviews. We will discuss reviewing applications in a code-centric manner, using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools – Amazon Web Services
Learn more about the processes followed by Amazon engineers and discuss how you can bring them to your company by using AWS CodePipeline and AWS CodeDeploy, services inspired by Amazon's internal developer tools and DevOps culture.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews of some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs, and how the vendors have responded, will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are on their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And he'll give you some useful guidelines on how to close the gaps yourself.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended; participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Drupal Europe 2018: Hackers automate but the drupal community still downloads...hernanibf
“Automatic Updates for Drupal” was, is and will be a matter of debate. In this open discussion, we want to welcome everyone who wants to learn more about the current state of update processes within the Drupal Community, and especially about possible future scenarios in Drupal.
We welcome everyone who’s interested in joining the discussion about auto update possibilities and bringing in critical reflections.
Aiming for automatic updates - Drupal Dev Days Lisbon 2018hernanibf
Drupal recents security updates resulted in many hours of work for different professionals involved in maintenance of Drupal websites from developers to operations teams.
New Drupal 8 release cycle is also requiring organisations to spend more time guaranteeing that their websites are following last minor core release so their sites are updated and ready to receive new features and security updates.
Nevertheless, even with the increasing required effort, we still don’t have an easy way to support automatic updates in Drupal core but options start to appear.
In this session I will talk about different possible alternatives that can minimize the effort to automatically update Drupal while still maintaining best practices in all the required phases.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
3. About the session
We prepared you a site to fix.
It has been broken in many, many places.
You will work in teams to fix it.
4. About us
We are drupalists, consultants, working in the Acquia Professional Services team
Alex Ku
Balázs Dianiska
Hernâni Borges de Freitas
Théodore Biadala
9. What is in the box
LAMP stack
Varnish is installed and set up
We set up a site for each team
Each site is broken in many ways
10. Lab schedule
15:45 - 16:00 - Introduction and setup
16:00 - 16:25 - Site building
16:25 - 16:35 - Break
16:35 - 17:00 - Security
17:00 - 17:10 - Break
17:10 - 17:35 - Performance
17:35 - 18:00 - Wrap up and questions
http://fixme.acquia-ps.com
11. Setup
What we prepared:
1 site per team
1 login per site
We can create 25 sites, so let's split into teams
Address: http://fixme.acquia-ps.com
Password will be on the site
12. Site building
• Best practices
§ Drupal coding standards
§ Security
§ Performance
• Code architecture
• Content architecture
• Configuration
13. Review process
1. Make the site run
2. Run automated tools
3. Triage the output
4. Read all the custom code*
5. Dig into messy areas
15. Red flags
• PHP Filter module
• PHP in templates
• Many, many template files
• Many views/blocks/panels with a similar name
• Many content types with one or two nodes
16. Exercise 1 - Code hacked
• Looking for hacked core / contrib
• Go to the hacked report and run it
17. Exercise 2 - Missing updates
• Run Update module
• Explain how to keep it up to date
28. Access Bypass Hands-on
First as anonymous user go to:
http://fixme.acquia-ps.com/[teamN]/admin/dashboard/users/all
What's there:
VBO allows sending an email to any address and blocking users
How can we fix this?
29. Access Bypass Hands-on
The problem is in:
● “Bypass views access control” permission
● “Actions permissions (VBO)” module
36. XSS Hands-on
First as admin user go to:
http://fixme.acquia-ps.com/[teamN]/user/1 and notice the value for Full Name
Then open this page:
http://fixme.acquia-ps.com/[teamN]/node/56
Now open the first page again and notice the Full Name has changed
How can we fix this?
37. XSS Hands-on
The problem is in:
● Filtered HTML text format allowing <script> tag
● Security Review module helps detect issues like this
47. Drupal protects against CSRF with Form API
only if using Form API
generates form token
checks token when processing form
48. Generate your own token
fancy AJAX, GET callbacks
drupal_get_token()
drupal_valid_token()
49. Cross Site Request Forgery
attacker identifies weak point
gets authorized account to take action
protect by confirming intent
50. CSRF Hands-on
As anonymous user add a comment with an image like this:
<img src="admin/content/unpublish/[nid]">
Visit the page with the comment as admin
Check if the node is unpublished
How can we fix this?
51. CSRF Hands-on
A proper fix would require adding protection in the callback function for path: admin/content/unpublish/[nid]
A quick fix would filter img tags in Filtered HTML
52. SQL Injection
Mixing data received from the user with a database query allows an attacker to perform custom actions against the database
53. SQL Injection Hands-on
As anonymous user go to:
http://fixme.acquia-ps.com/show/node?nid=[nid]
You should see the title and status of a single node
Now append this to the URL:
" union select uid, name, status from users"
You should see the names of all users
How can we detect and fix this?
55. SQL Injection Hands-on
Fixing this would require rewriting custom code
The vulnerable lines are:
// The request value is interpolated straight into the SQL string
$nid = $_GET['nid'];
$r = db_query("SELECT nid, title, status FROM {node} WHERE status = 1 AND nid = $nid");
The fix would look something like:
// :nid is a bound placeholder, so the value is never parsed as SQL
$nid = $_GET['nid'];
$r = db_query("SELECT nid, title, status FROM {node} WHERE status = 1 AND nid = :nid", array(':nid' => $nid));
59. Slow? What do you mean?
• Backend slowness
  • Services that the website uses are slow or unresponsive (dbs)
  • Application too complex
  • Server resources overload
• Frontend slowness
  • Too many assets
  • Slow connection between browser and server.
  • JS slowing the DOM (re)rendering
60. Profile
Time for some research
Look for pages you suspect
• Start by easy ones
  • 404 page (the fastest page you can get).
  • Node view page
  • Homepage
• Continue with the ones your data marked as slow.
61. Benchmarks
Ideally your normal pages should take
• 1 ~ 1.5 sec
• 40 ~ 60 MB of memory
• 100 ~ 300 queries per page
Simpler pages like 404 are good indicators of the fastest all other pages will run.
62. Profiling tools
Chasing it
• Use Devel module (http://drupal.org/project/devel) to have a fast indication of page load times and memory consumption.
• Use XhProf module to profile the page and understand slower components.
• Use timer_start(), timer_read() functions in situations where you are unsure.
63. Typical #1 – Slow queries
Problem
• First look at profiling data shows something really slow.
• Related to the database (Wall time vs Total Time).
• Number of queries is low, so probably it's a single query.
Solution
• Reduce query time in views; use Views Lite Pager
Devel XhProf
64. Typical #2 – Extra complexity
Problem
• High number of queries
• High memory consumption
• High number of function calls
• All those little queries and memory consumption mean that you are loading lots of information from the database.
Solution
• Look at XhProf and identify the root cause of all the excessive function calls.
Devel XhProf
65. Typical #3 – Edge cases
• Slow functions only detectable by XhProf
  • Eg: when the problem is in PHP execution
  • Problematic if using popular hooks (hook_init, hook_node_load).
• Infrastructure not being properly used
  • Requests bypassing Varnish
  • Not enough APC memory
• Blocks rendered on all pages and content hidden at template level.
• Theme_rebuild and cache_clear_all in the middle of code.
66. Typical #4 – Special tasks
• Usually a task executed in special situations or on certain pages that seriously slows down the platform.
  • Synchronization of thousands of nodes from web services.
  • Synchronization of the whole user base from LDAP.
  • Sending thousands of mails via cron.
• Even worse when those tasks are called by normal page views.
70. Exercise 2 - Slow Query
1. Go to Drupalistas tab
2. Click on Demo user and Drupal commits
3. Look at the Devel query log.
4. Go to user/uid 1 and see the difference
73. Exercise 3 - Missed blocks
1. Go to a 404 page (/prague)
2. Look at the XhProf report
3. Find the missing blocks (weather)
4. Fix it by giving the right path
75. Exercise 4 - Complexity
- Go to the sessions page.
- Look at XhProf and Devel.
- Look at the amount of memory and CPU.
- Look at the code to understand the number of node_loads.
- Disable the custom block and enable the views block.
- Enable block cache alter
- Check the difference
77. Exercise 5 - Problems in infrastructure
- Go to a DrupalCon node
- Refresh the page a few times. Look at the headers.
- Look at all requests done by the page.
- Identify the missing header in the AJAX call done to get attendance
- Look at the code
78. After you identified the problems
Caching after optimizing
1. Reduce complexity. Make sure your site is as slim as possible.
2. Cache where you can. At all levels.
3. Maintain cache as long as possible, as long as it is acceptable.
4. Compute behind the scenes when you can.
5. Distribute the heavier tasks over larger intervals.
6. Grow infrastructure if you are reaching server limits.
79. Performance
Can it be cached? Cache it!
• Page caching, block caching, panels caching, views caching, caching API...
• Review caching strategy:
  • https://www.acquia.com/blog/when-and-how-caching-can-save-your-site-part-2-authenticated-users
• Guarantee that caching is effectively helping you.
  • Don't clear it too often.
  • Not used only by a minority.
80. Summary
● Make sure to look for others suffering from the same problem.
● Never hesitate to ask the most basic questions.
● Go step by step, exclude possibilities if uncertain.
● Learn the tools we introduced you to.
● Always try to understand the whole system, not just the part throwing the error.
81. So, before your questions.
I do have a question.
Would you like to join Acquia?
We are hiring EVERYWHERE in Europe!
• Consultants
• Support
• Sales
• Engineering
83. THANK YOU!
WHAT DID YOU THINK?
Locate this session at the DrupalCon Prague website: http://prague2013.drupal.org/schedule
Click the "Take the survey" link