1. In the era of mobile, OAuth 2.0 is the protocol of the choice. 2. However, RFC6749 is a framework and needs to be profiled appropriately for use cases.
3. FAPI WG @ OIDF is taking such task for Financial APIs and securing it using RFC7636, JWT Client Authentication/TLS Client Authentication, OpenID Connect, etc.
4. FAPI WG is collaborating with many stakeholders including financial institutions and fintech companies, etc.
5. Read only security profile going to OIDF votes.
6. Overview of the requirements for Read Only and Write Access security profiles are discussed.
Presentation used for my session on Facebook Developer Circle Chennai - React Native for beginners meetup.
Repository for code files can be found at https://github.com/DaniAkash/FBDevCChennai-ReactNative-for-beginners
Event website: https://fbdc-chennai-1.splashthat.com/
YouTube Link: https://youtu.be/xuH81XGWeGQ
** Microservices Architecture Training: https://www.edureka.co/microservices-architecture-training**
This Edureka's PPT on Microservices Design Patterns talks about the top design patterns you can use to build applications.
Follow us to never miss an update in the future.
YouTube: https://www.youtube.com/user/edurekaIN
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Castbox: https://castbox.fm/networks/505?country=in
Presentation used for my session on Facebook Developer Circle Chennai - React Native for beginners meetup.
Repository for code files can be found at https://github.com/DaniAkash/FBDevCChennai-ReactNative-for-beginners
Event website: https://fbdc-chennai-1.splashthat.com/
YouTube Link: https://youtu.be/xuH81XGWeGQ
** Microservices Architecture Training: https://www.edureka.co/microservices-architecture-training**
This Edureka's PPT on Microservices Design Patterns talks about the top design patterns you can use to build applications.
Follow us to never miss an update in the future.
YouTube: https://www.youtube.com/user/edurekaIN
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
Castbox: https://castbox.fm/networks/505?country=in
This PPT throws light on some of the essential elements of Accessibility testing which have become crucial to ensure quality in this day and age. To know more on accessibility testing, accessibility mandates, WCAG 2.0, paired testing approach, accessibility guidelines and standards go through this presentation as well as the ones coming soon.
In this session, we will introduce you to the concept of unit testing and how we can add new features to our application without breaking anything. We will see how we can add unit test cases for each of our components and the importance of it.
Spring Boot on Amazon Web Services with Spring Cloud AWSVMware Tanzu
SpringOne 2021
Session Title: Spring Boot on Amazon Web Services with Spring Cloud AWS
Speakers: Maciej Walkowiak, Software Consultant at Independent; Matej Nedic, Software engineer at Ingemark
This power point presentation provides details on syntax of Gherkin language and how it can be used to write accurate user acceptance criteria for user stories.
This presentation demonstrates general guidelines how to create good test cases using Robot Framework. Both good practices and anti-patterns are presented.
The presentation is hosted on GitHub where you can find the original in ODP format: https://github.com/robotframework/DosDontsSlides
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Angular 16 is the biggest release since the initial rollout of Angular, and it changes everything: Bye bye zones, change-detection, life-cycle, children-selectors, Rx and what not.
Recorded webinar based on these slides given by Yaron Biton, Misterbit Coding-Academy’s CTO, can be found at: https://www.youtube.com/watch?v=92K1fgPbku8
Coding-Academy offers advanced web-techs training and software development services: Top-rated Full-stack courses for Angular, React, Vue, Node, Modern architectures, etc. | Available top-notch on-demand-coders trough Misterbit technological solutions | Coding-Academy Bootcamp: Hundreds of employed full-stack developers every year | Anything web, end to end projects | Tech companies and startups | Consulting to management and dev teams | Workshops for managers and leaders.
An intro to React Native using react-native cli, styled components, react-navigation, and an an introduction to the react native ecosystem.
Example repo: https://github.com/ladyleet/fluentConf2
Have questions? Tweet me http://twitter.com/ladyleet
This PPT throws light on some of the essential elements of Accessibility testing which have become crucial to ensure quality in this day and age. To know more on accessibility testing, accessibility mandates, WCAG 2.0, paired testing approach, accessibility guidelines and standards go through this presentation as well as the ones coming soon.
In this session, we will introduce you to the concept of unit testing and how we can add new features to our application without breaking anything. We will see how we can add unit test cases for each of our components and the importance of it.
Spring Boot on Amazon Web Services with Spring Cloud AWSVMware Tanzu
SpringOne 2021
Session Title: Spring Boot on Amazon Web Services with Spring Cloud AWS
Speakers: Maciej Walkowiak, Software Consultant at Independent; Matej Nedic, Software engineer at Ingemark
This power point presentation provides details on syntax of Gherkin language and how it can be used to write accurate user acceptance criteria for user stories.
This presentation demonstrates general guidelines how to create good test cases using Robot Framework. Both good practices and anti-patterns are presented.
The presentation is hosted on GitHub where you can find the original in ODP format: https://github.com/robotframework/DosDontsSlides
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Angular 16 is the biggest release since the initial rollout of Angular, and it changes everything: Bye bye zones, change-detection, life-cycle, children-selectors, Rx and what not.
Recorded webinar based on these slides given by Yaron Biton, Misterbit Coding-Academy’s CTO, can be found at: https://www.youtube.com/watch?v=92K1fgPbku8
Coding-Academy offers advanced web-techs training and software development services: Top-rated Full-stack courses for Angular, React, Vue, Node, Modern architectures, etc. | Available top-notch on-demand-coders trough Misterbit technological solutions | Coding-Academy Bootcamp: Hundreds of employed full-stack developers every year | Anything web, end to end projects | Tech companies and startups | Consulting to management and dev teams | Workshops for managers and leaders.
An intro to React Native using react-native cli, styled components, react-navigation, and an an introduction to the react native ecosystem.
Example repo: https://github.com/ladyleet/fluentConf2
Have questions? Tweet me http://twitter.com/ladyleet
API Days 2016 Day 1: OpenID Financial API WGNat Sakimura
The presentation introduces the Financial API Working Group at the OpenID Foundation. The presentation was made at the API Days 2016 on December 13, 2016 in Paris.
Introduction to the FAPI Read & Write OAuth ProfileNat Sakimura
It the presentation used in APIDays Berlin (2017-11-08) to explain the Financial API Read & Write Security profile's rationale and how it fulfilled the requirements.
OpenID Foundation Workshop at EIC 2018 - Introduction to the FAPI Read & Writ...MikeLeszcz
Introduction to the FAPI Read & Write OAuth Profile presentation given by Nat Sakimura, OpenID Foundation Chairman, at the OpenID Foundation Workshop at EIC 2018 on May 15, 2018 in Munich.
Introduction to the FAPI Read & Write OAuth Profile - Jan 2018 UpdatesNat Sakimura
APIDays Paris 2018 presentaion by Nat Sakimura.
Talking about Part 1, 2, and new Part 3 with examples.
My twitter: @_nat_en
Follow me on Youtube: https://www.youtube.com/NatSakimura
Blog: https://nat.sakimura.org/
Connected World in android - Local data sharing and service discoveryTalentica Software
With the boom of IOT, BLE (Bluetooth low energy) and other connected devices and protocols, android app development is no longer limited to basic client server interaction. Android app development now includes interaction with other devices (not necessarily android) in the vicinity, at its very core.
Transferring files with friends without internet, Bluetooth and WiFi; streaming media from your phone or tablet to dumb plain TV (without HDMI cables) and switching off bedroom light with phone have become part of our lives. Let's explore how it's done and where do we need to start to kick start such projects.
In this session we will explore:
• Communication between connected and non-connected android devices.
• BLE overview (Bluetooth Low Energy).
• BLE APIs you should know about.
• WiFi-Direct and P2P.
• WiFi-Direct service discovery.
• Network service discovery (NSD) and relevant demos
Examining the emergent open source IoT ecosystem - IoT World Europe 2016Benjamin Cabé
* Examining the Open Source opportunity across all layers of the IoT software stack
* From sensor connectivity, to edge processing, cloud analytics and presentation of the events
* How can Open Source provide a trusted space where device vendors and software companies can reliably share components essential to interconnect the currently splintered IoT ecosystem
* Vertically Integrating the OpenSource IoT stack
Open source: an introduction to IP and LegalBruno Lowagie
Open Source India (OSI) Days talk by Bruno Lowagie about intellectual property in the context of open source, about open source licenses, and about keeping track of the IP of your project.
Mobile Penetration Testing: Episode II - Attack of the CodeNowSecure
In this, the second, episode of our mobile penetration testing trilogy, NowSecure Solutions Engineer Michael Krueger takes you beyond the device. Michael will explain how to perform network and web services/API testing to capture data exposed in transit between apps and backend services -- some of the highest risk security flaws around.
This high intensity 30-minute crash course covers:
+ Man-in-the-middle (MITM) attacks
+ Taking advantage of improper certificate validation
+ Demonstration of a privilege escalation exploit of a web back-end vulnerability
Watch it here: https://youtu.be/bT1-7ZkSdNY
Placeholder for the kick-off and lightning talks for the AT&T Shape Hackathon in San Francisco.
This will be updated on July 15th with the presentations.
Data breaches are an inescapable reality for organizations of all sizes and industries. Our team discusses recommendations for threat management. Listen to the recorded webinar here: http://engage.vevent.com/index.jsp?eid=1823&seid=1104
OpenID in the Digital ID Landscape: A Perspective From the Past to the FutureNat Sakimura
Digital identity has been under a constant evolution for the last 30 years. It started from a simple access control via user account within a system to a shared credential among the systems, then to the federated identity and bring-your-own-identity (BYOI). Modern usages are not only for access control but include such purposes like digital on-boarding (account opening), employee and customer relationship management. Among the many technologies out there, OpenID seems to have gained popularity in the market that you are probably using it without knowing it. This session explains the positioning of OpenID in the digital ID landscape and explores the future potential for both corporations and individuals.
Future Proofing the OAuth 2.0 Authorization Code Grant Protocol by the applic...Nat Sakimura
OAuth 2.0 Authorization Framework, while achieved an extremely large adoption, has been exposed to various attacks and a num- ber of additional specifications to patch the problem has been created. It is expected that other attacks would come in the future requiring yet another patch specification. To avoid such future problems, a more systematic approach is needed.
This paper attempts to do it by applying BCM principles on OAuth (RFC6749). It demonstrates that additional parameters in all four messages are needed as well as the integrity protection of both authorization request and response.
As part of exercise to test the extensibility of OpenID Connect to other protocols than HTTP, we have created a custom scheme binding. This is still a rough sketch but should give you some ideas on what it is. It may seem to be a bit of stretch, but has a niche characteristics that it does not "leak" information to external OPs.
There will be a companion RP side as well, which would be a more normal case.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Financial Grade OAuth & OpenID Connect
1. Nomura Research Institute
Nat Sakimura (@_nat_en)
Chairman of the Board, OpenID Foundation
Research Fellow, Nomura Research Institute
#apidays
Financial Grade OAuth & OpenID Connect
• OpenID® is a registered trademark of OpenID Foundation.
• *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
14th December 2016
1. In the era of mobile, OAuth 2.0 is the protocol of the choice. 2. However, RFC6749 is a framework and needs to be profiled appropriately for use cases. 3. FAPI WG @ OIDF is taking such task for Financial APIs and securing it using RFC7636, JWT Client Authentication/TLS Client Authentication, OpenID Connect, etc. 4. FAPI WG is collaborating with many stakeholders including financial institutions and fintech companies, etc.
Hi, I am Nat Sakimura. It is an honor to be able to present in front of the distinguished audience, and I am very thankful to the APIDays committee for letting it happen.
I am a Research Fellow at Nomura Research Institute, Chairman of the Board of the OpenID Foundation, and Chair of the Financial API WG among other things.
If you are in API security field, you probably heard about me because I am an author of OpenID Connect, JSON Web Token, JSON Web Signature, OAuth PKCE, etc.
OK. Now, here is the first Proposition to be discussed today:
The answer is of course “NO”. Like Mark O’Neill of Gartner spoke yesterday, Building blocks needs to be combined correctly. Just saying #oauth does not do the job.
It is abundantly clear even from the title of RFC6749. It is “The OAuth 2.0 Authorization Framework”. It is a framework, not a concrete protocol specification,
So that it can span across various service environemnts. Here, I have depicted it in two dimentions. Horizontal axis is the degree of environment control and the vertical is the stake that the API is protecting. As a framework, it needed to cover all quadrants, and OAuth 2.0 Framework does so.
Which is all good, but it also means that you need to profile it to suit the specific situations.
For example, for the closed circuit factory application usecase, the security could be maintained by the close control of the environment so you may not need to do much on the application layer like OAuth. It probably is also ok to use a naïve implementation choice like bearer token in may social sharing scenarios as the stake is low though the environment is far from being controlled. But that does not apply for a higher stake scenario such as online banking. You got to be darn careful in such cases.
And, to create such profile for Financial APIs, there are multiple factors that you actually have to take care of, many of which are often ignored and results in awfully insecure OAuth 2.0 implementations.
One of the common mistake is not following the OAuth’s security assumptions. For example, OAuth’s primary security assumption is that there is only 1 Authz Server per client. But that assumption is violated in many cases. For example, a Personal Finance Client will necessarily have multiple Authz Svs. In that kind of cases, you have to make sure to have a proper virtual separation, that is, having different redirect endpoints for each authorization server to avoid Authz server mix-up attack etc.
It has to be like the picture on your left. Unfortunately, in many implementations, they get lazy and re-use the same redirection endpoint like the figure on your right, which is a big mistake.
And there are bunch of other issues to be resolved. Message Authn probl.