The document discusses hardening a Drupal setup for security. It begins with backgrounds on the presenter and agenda. The presenter then discusses why security is important even for sites not processing money, as they could be targets for defacing, malware spreading, or spam delivery. The document outlines principles for security like keeping the server and Drupal setup simple, running only necessary services, and disabling dangerous functions. It provides tips for hardening the server like restricting information leakage in Apache and loading only needed modules. For PHP, it recommends using Suhosin, disabling functions like shell_exec and ini-functions, and not displaying errors. The goal is to outline approaches for hardening the server environment and Drupal setup against common vulnerabilities
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
A guide through where to look for errors when they happen in the various parts of Puppet Enterprise ( the console, Live Management, puppet master, Activemq, MCollective, agent), what some of those errors mean, and what warnings and errors are red herrings/normally occurring.
Celia Cottle
Support Engineer, Puppet Labs
Celia Cottle is a Support Engineer at Puppet Labs, where she troubleshoots and resolves issues for Puppet Enterprise customers. She comes from Portland State University, where she worked for the College of Engineering and Computer Science doing technical support, while getting her degree in Communication. She’s been working in IT for over five years and enjoys problem solving, working with a wide range of OSes and software, and the variety of challenges that supporting Puppet Enterprise brings. She currently resides in Portland, Oregon.
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
A guide through where to look for errors when they happen in the various parts of Puppet Enterprise ( the console, Live Management, puppet master, Activemq, MCollective, agent), what some of those errors mean, and what warnings and errors are red herrings/normally occurring.
Celia Cottle
Support Engineer, Puppet Labs
Celia Cottle is a Support Engineer at Puppet Labs, where she troubleshoots and resolves issues for Puppet Enterprise customers. She comes from Portland State University, where she worked for the College of Engineering and Computer Science doing technical support, while getting her degree in Communication. She’s been working in IT for over five years and enjoys problem solving, working with a wide range of OSes and software, and the variety of challenges that supporting Puppet Enterprise brings. She currently resides in Portland, Oregon.
SecZone 2011 - Cali, Colombia
(29th Nov. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
------
Note
------
This is a slightly updated version of my Hashdays 2011 talk.
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...Continuent
In this training session, we'll provide a Tungsten Dashboard overview and discuss architecture, pre-requisites and security limitations. A simple GUI management tool for Tungsten Clustering for MySQL / MariaDB / Percona Server, the Dashboard is usually installed on a standalone web server with HAProxy installed. This training session uses an example of a 6-node composite cluster.
AGENDA
- Tungsten Dashboard Welcome
- Tungsten Dashboard Overview
- Tungsten Dashboard Prerequisites
- Tungsten Dashboard Security Limitations
- Configure the Tungsten Cluster Manager API
- Test Connectivity to the Tungsten Manager API Directly
- Install the Tungsten Dashboard
- Install and Configure the Apache 2.4 Web Server
- Configure the Tungsten Dashboard
- Install and Configure HAProxy
- Test Connectivity to the Tungsten Manager API via HAProxy
- Access the Tungsten Dashboard GUI via a Browser
Spraykatz is a credentials gathering tool automating remote procdump and parse of lsass process. Spraykatz is a tool able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus softwares as much as possible.
Datagrids with Symfony 2, Backbone and Backgrideugenio pombi
These are the slides of the code-centered presentation I did with Giorgio Cefaro at the Javascript UserGroup Roma and the PHP User Group Roma.
In this presentation we try to show many powerful features of symfony2 and its bundles to work as a backend system for single page applications.
On the client side we describe how we made a javascript editable grid using Backbone.js and its plugin for grids Backgrid.js.
SecZone 2011 - Cali, Colombia
(29th Nov. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
------
Note
------
This is a slightly updated version of my Hashdays 2011 talk.
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
Training Slides: Basics 106: Tungsten Dashboard Overview, Installation and Ar...Continuent
In this training session, we'll provide a Tungsten Dashboard overview and discuss architecture, pre-requisites and security limitations. A simple GUI management tool for Tungsten Clustering for MySQL / MariaDB / Percona Server, the Dashboard is usually installed on a standalone web server with HAProxy installed. This training session uses an example of a 6-node composite cluster.
AGENDA
- Tungsten Dashboard Welcome
- Tungsten Dashboard Overview
- Tungsten Dashboard Prerequisites
- Tungsten Dashboard Security Limitations
- Configure the Tungsten Cluster Manager API
- Test Connectivity to the Tungsten Manager API Directly
- Install the Tungsten Dashboard
- Install and Configure the Apache 2.4 Web Server
- Configure the Tungsten Dashboard
- Install and Configure HAProxy
- Test Connectivity to the Tungsten Manager API via HAProxy
- Access the Tungsten Dashboard GUI via a Browser
Spraykatz is a credentials gathering tool automating remote procdump and parse of lsass process. Spraykatz is a tool able to retrieve credentials on Windows machines and large Active Directory environments. It simply tries to procdump machines and parse dumps remotely in order to avoid detections by antivirus softwares as much as possible.
Datagrids with Symfony 2, Backbone and Backgrideugenio pombi
These are the slides of the code-centered presentation I did with Giorgio Cefaro at the Javascript UserGroup Roma and the PHP User Group Roma.
In this presentation we try to show many powerful features of symfony2 and its bundles to work as a backend system for single page applications.
On the client side we describe how we made a javascript editable grid using Backbone.js and its plugin for grids Backgrid.js.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
Why I like PHPStorm
Advantages of Using Docker
Client, Docker Host, Registry
Docker Usage
Solr Docker File
Every Day Docker Commands
Docker Search
One Line Scripts
Portainer
Kinematic
Docker Compose
Grafana
Coding style guide
PHPCS/MD
Documentation Rules
Xdebug
Postman
We'll discuss our experiences with tooling aimed at finding and fixing performance problems in a production Rust application, as experienced through the eyes of somebody who's more familiar with the Go ecosystem but grew to love Rust. We'll cover CPU and Heap profiling, and also briefly touch causal profiling.
The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.
For More information please contact us : https://www.infosectrain.com/
Backdooring the web is the cheapest and most hidden way to achieve
persistence on a compromised network, both if you're looking at
privileges on the webapp itself or at executing command to underlying
system.
During the talk, we will discuss the context of a web backdoor: the
environment where she can born and grow up will be defined.
Each environmental aspect will be thoroughly analyzed: where is the best
point of injection, why we choose a specific function or trick, what
permissions are needed, how to trigger the backdoor in a safe, hidden
and reproducible way, and of course what to inject.
The talk will thus present several ways to inject obfuscated and hard to
spot vulnerabilities in PHP code. Shown examples will backdoor CMS
plugins as well as custom code, altering the code and polluting the
webapp ecosystem (read: DBMS and webservers).
Vagrant is a well-known tool for creating development environments in a simple and consistent way. Since we adopted in our organization we experienced several benefits: lower project setup times, better shared knowledge among team members, less wtf moments ;-)
In this session I'd like to share our experience, including but not limited to:
- advanced vagrantfile configuration
- vm configuration tips for dev environment: performance, debug, tuning
- our wtf moments
- puphet/phansilbe: hot or not?
- tips for sharing a box
Puppi is a Puppet modules that drives Puppet's knowledge of the Systems to a command line tool that you can use to check services availability, gather info on the system and deploy application with a single command.
How to Design a Great API (using flask) [ploneconf2017]Devon Bernard
How do you build an API that developers love building and consumers love using?
There's a lot that goes into creating a great API. This presentation shares some tips & tricks, architectural patterns, and best practices that go into building a great engineering environment around your API.
Talk presented on Oct 18, 2017 at PloneConf2017.
Topics covered by this talk:
Intuitive Practices:
standardization, configuration/environment files, ORMs, SQLAlchemy, database migrations, Alembic, database seeds, requirements.txt, package management, dependency management, setup scripts
Durable Practices:
Unit Tests, virtual environments, flush vs commit, error rollbacks, request lifecycle, session lifecycle
Flexible Practices:
Directory structures, application factories, blueprints, python debugger
Reliable Practices:
Logging, progressive rollouts, slack hooks, cron health checks, api versioning, api analytics
Use Friendly Practices:
Endpoint design, endpoint documentation, debugging tools, postman
Speed Practices:
Python profiling, Bulk SQL Inserts, caching
A General Purpose Docker Image for PHPRobert Lemke
There are many reasons to use Docker for development, but if you don't have a PHP image which is tailored to dev and production, your daily work can become a big hassle.
In this session we'll go through what it takes to create a flexible Docker image providing PHP which fits both, development and production environments. We'll look at various aspects, like the operating system, PHP extensions, configuration, debugging, speed, security and the image size.
Zeeland Content Strategy breakfast. What is the future of content? How social objects can help you to create a natural, flowing and less rigid content strategy.
Resistance is Futile: About the changes caused by digitalization @ eMBAForum ...Zeeland Family
Zeeland's Janne Saarikko at TSE exe eMBAForum in Turku. How the profound changes in the business environment will force companies to re-invent their organization and ways of working.
Social Media is Dead - the first wave of introducing the new Social Objects ...Zeeland Family
Janne Saarikko presented about how social media dynamics has become marketing dynamics. Brief introduction also to new Social Objects Based Marketing thinking. More to follow soon...
Kunta markkinointiviestintätoimiston kumppaninaZeeland Family
Janne Saarikko Kunnan Viestintä -koulutusohjelman osana , aiheena kunnan ja markkinointiviestintätoimiston yhteispeli ja markkinointiviestinnän palvelujen hankinta.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
2. Backgrounds
CTO at Zeeland Group which is 5th biggest marketing company in Finland
Focus on Symfony and Drupal
Zeeland Group has team of 10 developers who has backgrounds in IT
Used Drupal from version 4
3. Agenda
Why should I care?
Know your enemies
Principles of security
Hardening your server
Hardening you Drupal
4. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery
5. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery
6. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
7. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
8. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
9. Why should I care
We don’t process money so we are not interesting target for crackers
Some possible uses for random websites
Defacing
Spreading malware for your visitors
Using your box for spam delivery
10.
11. How they do it?
Common vulnerabilities: XSS, SQL injection, remote file inclusion, etc
See more from OWASP - Open Web Application Security Project
Include (malware) code to page via XSS or SQL injection
Upload PHP shell via remote file inclusion or insecure file upload
Upload spam script via remote file inclusion or insecure file upload
Lot of other ways which you have hard to even imagine
16. Run only services which you really need
Enable only modules/extension you need (from Apache, PHP and Drupal)
Keep it simple
17. Run only services which you really need
Enable only modules/extension you need (from Apache, PHP and Drupal)
Keep it simple
Every new application in stack is new possibility for exploitation
52. Allow web server user to write only sites/[default]/files
Disable PHP interpreter if you haven’t enable .htaccess (as reccomened for Apache hardening)
53. Allow web server user to write only sites/[default]/files
Disable PHP interpreter if you haven’t enable .htaccess (as reccomened for Apache hardening)
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks
54. Some security modules
Secure Pages
redirect important pages to SSL version
Security Review
one kind of checklist
Login Security or Flood Control
login attempt limiter
Password Policy
password constraints
Salt (for Drupal 6)
salt password hashes
55. Some paranoia is good when selecting modules.
Use only well known modules.
56. Some further reading
National Security Agency Hardening Guides
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
OWASP - Open Web Application Security Project
https://www.owasp.org/index.php/Main_Page
Drupal Security Advisories
http://drupal.org/security
57. Thank you
Tero Alén
tero.alen@zeeland.fi
twitter.com/teroalen